[WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

Michal Zalewski lcamtuf at coredump.cx
Thu Feb 10 16:38:15 EST 2011

> Out of curiosity (and willing to confess my ignorance) is there a spec
> somewhere that explains the "proper" behavior, is Adobe not following
> that spec, and if not specified somewhere, where should this be?

As with much of the web, there isn't one (and if there was, it would
probably have nothing to do with reality).

That said, it is commonly understood, and enforced by most places
(e.g., XMLHttpRequest), that websites should not be able to make
cross-domain requests with arbitrary HTTP headers without some sort of
a mutual consent (e.g., CORS). There is every indication to suggest
that Flash tried to enforce it, too (you need a crossdomain.xml rule);
but is duped by a 307 redirect.

To put this in perspective, there is also no top-level spec explicitly
saying that a.com should not be able to read the contents of b.com.
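The "policy checked once, then duped by a redirect" behaviour described above, as an added example that is not code from the original post or from Adobe. It models a redirect-following client whose cross-domain policy check is either consulted only for the initial URL or re-applied at every hop; the origins (`a.example`, `b.example`), the policy table, the custom header and the toy server are all constructed for the illustration.

```python
"""Added example: why a cross-domain policy must be re-checked after a 307.

Nothing here touches the network. A constructed in-memory "server" and a
constructed policy table stand in for crossdomain.xml / CORS consent.
"""
from urllib.parse import urlsplit

# Constructed policy table: True means the origin has published a permissive
# cross-domain policy (think crossdomain.xml or a CORS consent) for the site
# issuing the request; False means it has not consented.
POLICY_ALLOWS = {"a.example": True, "b.example": False}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def toy_server(url):
    """Constructed responder: a.example/redir answers 307 to b.example/api,
    everything else answers 200 with no headers."""
    u = urlsplit(url)
    if u.netloc == "a.example" and u.path == "/redir":
        return 307, {"Location": "https://b.example/api"}
    return 200, {}


def host_consents(host):
    return POLICY_ALLOWS.get(host, False)


def fetch(url, method, headers, body, *, recheck_per_hop, max_hops=5):
    """Follow redirects and return the list of (host, method, headers, body)
    that each host actually received.

    recheck_per_hop=False mirrors the behaviour the thread describes: the
    cross-domain policy is consulted once, for the URL the content asked for,
    and never again for the URL a redirect leads to.
    """
    start_host = urlsplit(url).netloc
    if not host_consents(start_host):
        raise PermissionError(f"{start_host} has not consented")
    received = []
    for _ in range(max_hops):
        host = urlsplit(url).netloc
        if recheck_per_hop and not host_consents(host):
            raise PermissionError(f"{host} has not consented")
        received.append((host, method, dict(headers), body))
        status, resp = toy_server(url)
        if status not in REDIRECT_STATUSES:
            return received
        url = resp["Location"]
        if status == 303:
            # 303 tells the client to re-issue the request as GET without a body.
            method, body = "GET", None
        # 307 (and 308) ask the client to repeat the same method, headers and
        # body against the new Location, so a custom header that was only
        # authorised for a.example is replayed verbatim against b.example.
    raise RuntimeError("too many redirects")


def what_b_example_saw(recheck_per_hop):
    """Return the headers b.example received, or None if the request was refused."""
    try:
        received = fetch(
            "https://a.example/redir", "POST",
            {"Content-Type": "application/json", "X-Requested-By": "a.example"},
            '{"op": "transfer"}', recheck_per_hop=recheck_per_hop,
        )
    except PermissionError:
        return None
    for host, _method, headers, _body in received:
        if host == "b.example":
            return headers
    return None


if __name__ == "__main__":
    print("policy checked once:   ", what_b_example_saw(recheck_per_hop=False))
    print("policy checked per hop:", what_b_example_saw(recheck_per_hop=True))
```

With the check applied once, `b.example` receives the `Content-Type` and custom `X-Requested-By` headers it never consented to; with the check applied at every hop, the request is refused before the second hop is sent. The same replay is why a server-side CSRF defence that treats "a custom header is present" as proof of a same-origin caller is only as strong as every client's per-hop enforcement of the consent rule.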
