Make crossdomain.xml dynamic and only show entries for accessing domain
magico - September 26, 2008 - 12:01
| Project: | Services |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | snelson |
| Status: | postponed |
Jump to:
Description
If we have several keys configured to several domains, they will all be listed in the crossdomain.xml
There must be a way to list in this file only the domains, for which the API key was given to a specific "user application".
#1
Since the page is completely dynamic anyways, we should be able to limit the allowed domains to only the domain currently accessing the file.
#2
I spent some time on this ...
Unfortunately, the call to crossdomain.xml doesn't give us access to any referring domain information, so there doesn't seem to be a way to limit the entries by host. The API key is not sent on the crossdomain.xml request, so we can't look for that either.
Postponing this for now until someone comes up with a solution. I suppose we could just add a parameter to Services settings so that crossdomain could be opened up to all domains. Then you would rely on keys for security. Is this a suitable solution?