Death of open crossdomain.xml’s? (Flickr, Youtube,…)
Note: Just found about about the Flickr deal, it got moved to http://api.flickr.com/crossdomain.xml
I must have missed Flickr shutting down their crossdomain.xml, here is a post by Chris Shiflett. I found the issue when looking at some old Flex Flickr mashup I wrote a while back and realized it was coming back with a security error. Then I noticed the http://flickr.com/crossdomain.xml is gone.
Just recently youtube.com changed their crossdomain.xml also. What is happening???? How will true Flex mashups work? If all the sites restrict their crossdomain.xml then what are we left with. Note: It is still possible to use a proxy server (PHP, ASP etc…) to do the same thing, so why lock down the crossdomain.xml? The proxy server’s also cause you to transfer all that bandwidth through your server, basically a double take on the same data.
Another side I have seen is in big corporations like Salesforce. They have a whole platform for building applications that you can sell to people as add ons to the base Salesforce offering. You can find them at http://www.salesforce.com/developer/. But since their crossdomain.xml was locked down you can’t build SWF type apps (unless they residue on their servers), this is where Flex could be used to create a lot of special add on widgets (charting, etc…) on top of one of the largest CRM online services in the world. They have not opened up the their crossdomain.xml to the world yet. There is a little something going with *.breezecentral.com though, just check out http://salesforce.com/crossdomain.xml. This is because Adobe or some consultant with Adobe wrote some Adobe Connect (formerly Breeze) Saleforce integration applications I guess. Nice to see Adobe has a relationship Salesforce to get them to change the crossdomain.xml.
Where does this bring us to. Well I think there is a fine line that companies don’t understand about the power of the crossdomain.xml. If they have open API, but then restrict access, its a slap in the face for the Flash/Flex of developers. With the rise of RIA’s and Flex pushing many cool and complex multi-service mashups it will be a shame if we are all locked out because of mis-information or lack of proper education about the crossdomain.xml and security issues.
Another Note: So can somebody explain the difference of security and using the API to login to Flickr or using the main page? Here is the context:
Chris found that flickr had a crossdomain.xml file setup to allow flash applications to be built using the Flickr API. The problem is that you can write a flash application that would allow almost any action a logged in flickr user could perform.
Flickr has fixed the problem by moving the API endpoint, and crossdomain.xml to api.flickr.com, instead of running under something like flickr.com/api. Now a flash application can’t make calls to flickr.com from another domain.
Is this a issue of the Flickr open API nothing allowing all the functionality that could be spoofed on the website? Ok fine and dandy makes sense, but that doesn’t stop some malicious Flash (or PHP/ASP) Flickr mashup from taking your username and password and using it on the main website wrongly, correct?