Cross-domain policy

Related error

"This server is vulnerable to a cross-domain attack. Ensure only trusted domains are added to the cross-domain policy file."

Problem

A cross-domain attack occurs when untrusted domains are listed in the cross-domain policy file, giving them access to the content of the domain that serves the file.

This allows attackers unrestricted access to sensitive information and services to which the authenticated user has access.

A cross-domain policy file (crossdomain.xml) lists the domains that a client application is permitted to communicate with when they differ from the domain on which the application is hosted, together with the permissions granted to each.

Before making a cross-domain request, the client application first fetches the policy file from the target domain to determine whether cross-domain requests (including those carrying custom headers) and socket-based connections are allowed.

If the cross-domain policy file includes untrusted domains, the application can be attacked from those domains.

Solution

Specify only trusted domains in the cross-domain policy file.
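As an added example that is not part of the original page, the following Python script embeds two constructed crossdomain.xml files (a permissive one of the kind the error describes and a version restricted to a trusted host) and audits them against an allow-list. The domain names and header names are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a permissive policy that trusts every domain.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: the same policy restricted to one trusted host.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
  <allow-http-request-headers-from domain="app.example.com" headers="X-Requested-With"/>
</cross-domain-policy>"""

GRANT_TAGS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text, trusted_domains):
    """Return findings for every grant that reaches beyond trusted_domains.

    An empty list means each grant names a trusted domain, keeps the
    secure attribute enabled and does not forward arbitrary headers.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for elem in root.iter():
        if elem.tag not in GRANT_TAGS:
            continue
        domain = elem.get("domain", "")
        if domain == "*":
            # A wildcard admits every domain, which is the reported weakness.
            findings.append(f"{elem.tag}: wildcard domain '*'")
        elif domain not in trusted_domains:
            findings.append(f"{elem.tag}: untrusted domain '{domain}'")
        if elem.tag == "allow-access-from" and elem.get("secure", "true").lower() == "false":
            # secure="false" lets a plain-HTTP origin reach an HTTPS policy host.
            findings.append(f'{elem.tag}: secure="false" for \'{domain}\'')
        if elem.tag == "allow-http-request-headers-from" and elem.get("headers") == "*":
            findings.append(f"{elem.tag}: all request headers allowed for '{domain}'")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(policy, {"app.example.com"}))
```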