7
votes

So let's say I have a site and I do not have a crossdomain.xml or clientaccesspolicy.xml on it.

This means that people cannot access my site via Silverlight or Flash applications.

But they can use, say cURL in PHP (or the equivalent in other languages) to get the information from my site and provide it to their Silverlight and Flash applications via REST or WebService, etc.

  • Can someone explain exactly how these restrictions protect my site, e.g. from cross domain scripting?

  • What are they protecting against that couldn't be done with PHP/cURL and equivalents which do have access to my site via script?


1 Answer

12
votes

PHP is a server side technology and code executes on the server, not on the user's machine. Silverlight is a client side technology that runs on the user's machine.

If Silverlight code could make arbitrary web requests to any domain, it would open the door to a whole host of cross-site scripting attacks.

Imagine this scenario:

  • Bob goes to www.OnlineBanking.com and logs in to check his account balance. He leaves this site by navigating to a different address. He does not click "Log Out", so he is still logged in (alternatively, he opens a new browser window/tab, leaving the banking site still open).

  • Bob browses to evil.com, which contains a Silverlight application.

  • The Silverlight application is downloaded and runs on Bob's machine.

  • This application makes a web request to www.OnlineBanking.com/secretaccountdetails.html. This file requires authentication to read (evil.com is not authenticated so cannot access it).

  • Bob, however, IS authenticated, and the request succeeds. The Silverlight application can read the contents of this file and do whatever it likes with it (including sending it to evil.com).

The cross-domain request restrictions in Silverlight prevent the above scenario from happening. When the request is made by the Silverlight app to OnlineBanking.com, it will check for a cross domain policy file since the app was served from a different domain. Since OnlineBanking.com does not have a policy file allowing cross domain requests, the request fails and the Silverlight application cannot download secretaccountdetails.html.
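To make the decision in that last paragraph concrete, here is an added example (not code from the answer above or from Microsoft) that models the policy check the runtime performs: given the clientaccesspolicy.xml a site serves (or none), the origin the app was loaded from, and the requested path, it says whether the cross-domain read is allowed. The partner origin and the two sample policy files are constructed for illustration, and the matching logic is a simplified model of the real runtime's rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a scoped clientaccesspolicy.xml that lets only one
# (assumed) partner origin read the /api/ tree and nothing else.
RESTRICTIVE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="https://partner.example"/>
      </allow-from>
      <grant-to>
        <resource path="/api/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

# Constructed sample of the setting to avoid on a site that relies on
# session cookies: any origin may read any path with the victim's cookies.
WILDCARD_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from><domain uri="*"/></allow-from>
      <grant-to><resource path="/" include-subpaths="true"/></grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def request_allowed(policy_xml, app_origin, path):
    """Simplified model of the runtime check. policy_xml is the body of
    /clientaccesspolicy.xml or None when the site serves no policy file."""
    if policy_xml is None:
        return False  # no policy file: cross-domain request is refused
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        # allow-from: does the app's origin match any listed domain uri?
        origins = [d.get("uri") for d in policy.iter("domain")]
        if not any(o == "*" or o == app_origin for o in origins):
            continue
        # grant-to: is the requested path within a granted resource?
        for res in policy.iter("resource"):
            base = res.get("path")
            subpaths = res.get("include-subpaths", "false") == "true"
            if path == base or (subpaths and path.startswith(base)):
                return True
    return False
```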