The vulnerability
OutputHandler::mangleFlashPolicy() was introduced in 2007 in response to a reported security issue. I can't find the report right now, but it went something like this:
- A Flash applet can nominate any URL on a host as a cross-domain policy file, not just /crossdomain.xml. For example, an action=raw view could be nominated as a cross-domain policy.
- Although the policy file is specified as XML, Flash does not actually run an XML parser over the response; it runs some regexes over it, looking for the relevant XML-like tags. So a policy embedded in JSON, HTML, CSS, etc. can potentially be accepted as a valid policy.
- If such a response grants cross-domain access, a Flash applet on an attacker's site can read pages on the domain, including their CSRF tokens, and use them to forge requests against any page on the domain.
- The Flash browser plugin makes all of these requests by calling back into the browser, so they are sent with the cookies of the currently logged-in user and an ordinary browser User-Agent header.
So the result is that if the application emits anything vaguely resembling a cross-domain policy file from any URL, there is a CSRF vulnerability against everything on the domain that relies on cookie authentication.
The problem
mangleFlashPolicy() is intrusive and complex, and it is unclear whether it is necessary. If it is necessary, it is unclear whether it is a complete fix.
Prospects
The first question is whether we still need to worry about this, given the demise of Flash. The current documentation notes that cross-domain policy files are also respected by Adobe Acrobat and potentially other products. So, maybe. And I assume people are still using Flash one way or another.
The current specification, published in 2009, states that a response may carry the header X-Permitted-Cross-Domain-Policies: none-this-response to prevent that particular response from being interpreted as a cross-domain policy. We could send it on every response, or only on responses whose body matches a regex. The value applies to that one response only, so the conditional approach is only as good as the regex used to select responses.
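As an added example (not code from this task or from MediaWiki), the following Python sketch models both halves of the discussion above: a lenient, tag-oriented scan that finds a policy embedded in JSON or raw wikitext regardless of content type, and the two mitigations, breaking the root tag versus sending the none-this-response header either unconditionally or only when the scan matches. The sample bodies are constructed, and mangle_flash_policy() is an illustrative stand-in for what a mangling step does, not MediaWiki's own implementation.

```python
import re

# Constructed sample response bodies (not real wiki output). "json" and "raw"
# embed the policy root tag in a non-XML body; "html" carries no policy at all.
SAMPLES = {
    "json": '{"text": "<cross-domain-policy><allow-access-from domain=\'*\'/></cross-domain-policy>"}',
    "raw": "== Heading ==\n<cross-domain-policy>\n  <allow-access-from domain=\"*\" />\n</cross-domain-policy>\n",
    "html": "<html><body><p>An ordinary page with no policy tag.</p></body></html>",
}

# Tag-oriented scan, approximating a client that looks for the relevant tags
# instead of parsing the body as XML, so neither the content type nor the
# surrounding JSON/HTML/wikitext protects the response.
POLICY_TAG = re.compile(r"<\s*cross-domain-policy(?=[\s>])", re.IGNORECASE)
ALLOW_TAG = re.compile(
    r"""<\s*allow-access-from\b[^>]*?\bdomain\s*=\s*(["'])(.*?)\1""", re.IGNORECASE
)

HEADER = "X-Permitted-Cross-Domain-Policies"


def looks_like_policy(body: str) -> bool:
    """True if a lenient, tag-scanning client could take this body for a policy."""
    return POLICY_TAG.search(body) is not None


def permitted_domains(body: str) -> list:
    """Domains the embedded policy would grant access to; [] when no root tag."""
    if not looks_like_policy(body):
        return []
    return [m.group(2) for m in ALLOW_TAG.finditer(body)]


def mangle_flash_policy(body: str) -> str:
    """Break the root tag so a tag-scanning client no longer recognises it.
    Assumption: illustrative stand-in, not MediaWiki's implementation."""
    return POLICY_TAG.sub("<NOT-cross-domain-policy", body)


def with_policy_header(headers: dict, body: str, always: bool = True) -> dict:
    """Return a copy of headers with none-this-response added, either on every
    response (always=True) or only when the body matches the policy scan."""
    out = dict(headers)
    if always or looks_like_policy(body):
        out[HEADER] = "none-this-response"
    return out


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "policy?", looks_like_policy(body), "grants:", permitted_domains(body))
        print("  mangled still matches?", looks_like_policy(mangle_flash_policy(body)))
        print("  headers (conditional):", with_policy_header({}, body, always=False))
```

The conditional mode and the mangling step share one regex, so both miss whatever that regex misses; sending the header on every response removes that dependency, at the cost of one extra header per response.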
Unless we simply drop security support for browsers with flash installed, any change will need to be tested. I'm not sure how to do that.