Download & Extend
Services » Issues

Make crossdomain.xml dynamic and only show entries for accessing domain

Posted by magico on September 26, 2008 at 12:01pm
Project:Services
Version:6.x-2.x-dev
Component:Code
Category:feature request
Priority:normal
Assigned:snelson
Status:closed (fixed)

Issue Summary

If we have several keys configured to several domains, they will all be listed in the crossdomain.xml

There must be a way to list in this file only the domains, for which the API key was given to a specific "user application".

Login or register to post comments

Comments

#1

Posted by snelson on February 15, 2009 at 6:38pm
Title:Too much information given about configured domains» Make crossdomain.xml dynamic and only show entries for accessing domain
Category:bug report» feature request
Assigned to:Anonymous» snelson

Since the page is completely dynamic anyways, we should be able to limit the allowed domains to only the domain currently accessing the file.

#2

Posted by snelson on February 15, 2009 at 7:13pm
Status:active» postponed

I spent some time on this ...

Unfortunately, the call to crossdomain.xml doesn't give us access to any referring domain information, so there doesn't seem to be a way to limit the entries by host. The API key is not sent on the crossdomain.xml request, so we can't look for that either.

Postponing this for now until someone comes up with a solution. I suppose we could just add a parameter to Services settings so that crossdomain could be opened up to all domains. Then you would rely on keys for security. Is this a suitable solution?

#3

Posted by marcingy on March 11, 2010 at 10:07pm
Version:6.x-1.x-dev» 6.x-2.x-dev

Bumping version

#4

Posted by marcingy on April 16, 2011 at 4:51am
Status:postponed» closed (fixed)

This is no longer part of core services

nobody click here