Comment Re:NEWS FLASH: Web sites need to screen uploads (Score 1) 355
The point wasn't that the seemingly innocuous domain could be attacked with this method. What I was trying to point out is that the seemingly innocuous web site could be used as a vector for an attack on the victim site.
As I explained, the difference between JavaScript and Flash is what they consider to be "its own domain". JavaScript considers its own domain to be the domain of the page it's running in. Flash considers its own domain to be the domain the flash object is served from. It doesn't seem like it should be a big difference, but it is. Let me flesh out my example a bit more.
Suppose you have an account on the victim site. Suppose you are also a semi-frequent visitor of the seemingly innocuous site that I host. If I want to steal your account on the victim site, and the victim site allows arbitrary file uploads, I can upload a Flash movie to the victim site. The next time you visit my site, I embed the movie, hosted on the victim site, somewhere on my site where you can't see it. Because Flash considers the victim site to be its own domain, it is free to contact the victim site however it wants without checking the contents of the crossdomain.xml file. I have just been able to compromise your account without you noticing, and without convincing you to do anything you wouldn't normally do. Performing the same attack with JavaScript, without having to engineer you into visiting a page you don't normally visit on the victim site, would be a much more difficult proposition.
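The thread title's point, screening uploads, can be made concrete for this case: a server-side check that identifies a Flash movie by its file header rather than by the extension the uploader chose. This is an added example, not code from the comment author; the sample bytes are constructed, and the SWF header layout used (3-byte signature `FWS`/`CWS`/`ZWS`, version byte, 4-byte little-endian length) is the published format.

```python
import struct

# SWF files begin with a 3-byte signature, a 1-byte version and a
# 4-byte little-endian uncompressed length. The signature identifies
# the compression applied to the rest of the file.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def sniff_swf(data: bytes):
    """Return header details if `data` starts with an SWF header, else None."""
    if len(data) < 8:
        return None
    signature = data[:3]
    if signature not in SWF_SIGNATURES:
        return None
    version = data[3]
    (declared_length,) = struct.unpack("<I", data[4:8])
    return {
        "compression": SWF_SIGNATURES[signature],
        "version": version,
        "declared_length": declared_length,
    }


def screen_upload(filename: str, data: bytes) -> bool:
    """Accept an upload only if its content is not a Flash movie.

    The filename is deliberately ignored for the decision: a movie
    renamed to cat.jpg is still served as a movie once embedded.
    """
    return sniff_swf(data) is None


# Constructed sample inputs (not real files): a minimal uncompressed SWF
# header padded to its declared length, and the start of a JPEG.
FAKE_SWF = b"FWS" + bytes([8]) + struct.pack("<I", 20) + b"\x00" * 12
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 12

if __name__ == "__main__":
    for name, blob in (("movie.swf", FAKE_SWF), ("cat.jpg", FAKE_SWF), ("cat.jpg", JPEG_HEAD)):
        verdict = "accept" if screen_upload(name, blob) else "reject"
        print(f"{name}: {verdict} {sniff_swf(blob)}")
```

A header check like this complements, rather than replaces, serving user uploads from a separate domain, which keeps any movie that does slip through from sharing the main site's origin in the first place.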