
JW Player ignore crossdomain.xml


Hi,
I'm trying to use crossdomain.xml in order to restrict the use of any content from other domains.

crossdomain.xml from root of my domain:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.mydomain.xy" secure="true"/>
</cross-domain-policy>

But if I call

http://www.mydomain.xy/player.swf?file=http://www.anotherdomain.com/samplevideo.swf&autostart=true

it works without saying anything.

What am I doing wrong? Does anybody have any idea?


Thanks.

12 Community Answers

Ethan Feldman

JW Player Support Agent  
1 rated :

Link?

JW Player

User  
0 rated :

for example
http://wvps178-77-68-141.dedicated.hosteurope.de/crossdomain.xml
and
http://wvps178-77-68-141.dedicated.hosteurope.de/player.swf?file=http://ts.mc0.de/xss.flv&autostart=true

JW Player

User  
0 rated :

Firebug displays that it's looking for http://ts.mc0.de/crossdomain.xml and gets a "404 Not Found" error. But why under http://ts.mc0.de and not under the native domain?

Thanks.

Ethan Feldman

JW Player Support Agent  
0 rated :

The player works fine here.

It is looking for the crossdomain.xml file there because your file = http://ts.mc0.de/xss.flv

JW Player

User  
0 rated :

I would like to restrict calling any flv or swf from other domains with player.swf. How can I do it?

Thanks.

Ethan Feldman

JW Player Support Agent  
0 rated :

I believe you need to make sure that the flv files are restricted as well, so you would need a restrictive crossdomain here as well, for example – http://ts.mc0.de/crossdomain.xml

More information – http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html

JW Player

User  
0 rated :

Many thanks for your fast answers. Maybe you can explain the following to me. If I read ...
"A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player, Adobe Reader, etc., permission to handle data across multiple domains. When a client hosts content from a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain would need to host a cross-domain policy file that grants access to the source domain, allowing the client to continue with the transaction."

I understand that in my case the client host is *http://wvps178-77-68-141.dedicated.hosteurope.de* and player.swf should read *http://wvps178-77-68-141.dedicated.hosteurope.de/crossdomain.xml* from its own host, not from the remote http://ts.mc0.de/crossdomain.xml.

The reason for my questions is that I believe it can be used as a possible XSS vulnerability. That's why I want to restrict playing any flv or swf from hosts other than my player.swf host (http://wvps178-77-68-141.dedicated.hosteurope.de).

I would really appreciate your help.

Many thanks.

Ethan Feldman

JW Player Support Agent  
0 rated :

But you are linking to a file on that server, a different domain, which is why it is requesting it…

JW Player

User  
0 rated :

I want to prohibit linking like this. It is only an example in order to show that it is possible.

Ethan Feldman

JW Player Support Agent  
0 rated :

We don’t have any examples of how to do this, sorry.

JW Player

User  
0 rated :

Ethan LongTail, I have the same issue here. The player can be used to play "foreign" video files in my domain.

Ast gave an example of such a scenario
http://wvps178-77-68-141.dedicated.hosteurope.de/player.swf?file=http://ts.mc0.de/xss.flv&autostart=...

You could give this link away, people trust this domain and the flv file is porn. This is a kind of XSS vulnerability.

How can I prevent player.swf from playing flv and any other files not located on the same domain as player.swf?

Thank you.

Ethan Feldman

JW Player Support Agent  
0 rated :

You would need to configure your server to block traffic from outside domains I would think. We don’t have any tutorials for this though.
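A policy file on the player's host only governs which foreign SWFs may read that host's data; it does not limit which URLs player.swf itself fetches, so the restriction asked for in this thread has to be enforced on the server before the query string is honoured. The following check is an added example, not JW Player code and not something posted in the thread; it assumes the player host applies it (in a rewrite rule or the handler that serves player.swf) and uses the player host from the thread's URLs as a constructed allow-list entry.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts player.swf may fetch media from. Constructed sample: the player host
# named in the thread; a real deployment lists its own media hosts.
ALLOWED_MEDIA_HOSTS = {"wvps178-77-68-141.dedicated.hosteurope.de"}


def is_allowed_media_url(file_param, allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """True only if the file= value stays on the player's origin or an allowed host.

    Decoding is repeated until stable so a double-encoded foreign URL cannot
    slip through looking like a harmless relative path.
    """
    url = file_param
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    # Empty values and anything containing control characters or spaces are refused.
    if not url or any(ord(c) < 33 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a malformed port or bad IPv6 literal
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: resolved against the player's own origin. Still
        # refuse '///host' forms, backslashes and directory traversal.
        return (not url.startswith("//") and "\\" not in url
                and ".." not in parts.path.split("/"))
    if parts.scheme not in ("http", "https"):
        return False  # covers javascript:, data:, file: and '//host' forms
    if parts.username is not None or parts.password is not None:
        return False  # 'http://trusted.example@evil.example/' style confusion
    if port not in (None, 80, 443):
        return False
    host = (parts.hostname or "").rstrip(".")  # lower-cased, bracket-free
    return host in allowed_hosts


def accept_player_query(query_string):
    """Validate a 'file=...&autostart=true' query as the server sees it.

    Returns the parameters (last value wins) when every file= value passes,
    or None when the request should be refused.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for value in params.get("file", []):
        if not is_allowed_media_url(value):
            return None
    return {key: values[-1] for key, values in params.items()}
```

The same allow-list can be extended with other media hosts you control; the host comparison is exact, so a lookalike such as a subdomain of an attacker's domain that merely starts with your host name is rejected.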
