[WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

robert at webappsec.org
Thu Feb 10 17:47:43 EST 2011

> > Out of curiosity (and willing to confess my ignorance) is there a spec
> > somewhere that explains the "proper" behavior, is Adobe not following
> > that spec, and if not specified somewhere, where should this be?
> As with much of the web, there isn't one (and if there was, it would
> probably have nothing to do with reality).

Technically the HTTP RFC specifies the behavior for the 307 code, and this is following
that specification. The issue is that Flash's model requires crossdomain.xml approval
prior to issuing requests, and in this case it is tricked by the 307 and doesn't fetch
a crossdomain.xml on the new domain.

There are two fixes, one for Flash and one for RoR (which they've implemented).

The correct Flash fix would be to fetch the crossdomain.xml file on the 307'd domain
(or any 3xx code) and seek approval prior to making a request.

- Robert Auger
