To give us more options for mitigating issues like T73478, we really should have a master cross-domain policy file for all WMF domains that restricts any cross-domain policies served on the domain.
Either:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>
or, if we really need any cross-domain Flash access, specify them by domain:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>
Version: unspecified
Severity: normal
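
A check that could be run against a served master policy, as an added example (not part of the original report and not WMF code): it parses a crossdomain.xml and reports whether the site-control meta-policy is one of the two restrictive values proposed above. The function name `audit_master_policy` and the `WEAK` sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Meta-policy values that stop other policy files on the host from being honoured.
RESTRICTIVE = {"none", "master-only"}
HEADER = ('<?xml version="1.0"?>\n<!DOCTYPE cross-domain-policy SYSTEM '
          '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">\n')

def audit_master_policy(xml_text):
    """Return a list of findings for a master crossdomain.xml; [] means it passes."""
    try:
        root = ET.fromstring(xml_text)  # the external DTD is not fetched
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]
    findings = []
    site = root.find("site-control")
    mode = site.get("permitted-cross-domain-policies") if site is not None else None
    if mode is None:
        findings.append("meta-policy is not set explicitly (no site-control)")
    elif mode not in RESTRICTIVE:
        findings.append(f"site-control is '{mode}', expected none or master-only")
    grants = [e.get("domain", "") for e in root.findall("allow-access-from")]
    if mode == "none" and grants:
        findings.append("allow-access-from entries have no effect under 'none'")
    if "*" in grants:
        findings.append("allow-access-from domain='*' admits every origin")
    return findings

# The two policies proposed in the report.
POLICY_NONE = HEADER + ('<cross-domain-policy>'
    '<site-control permitted-cross-domain-policies="none"/>'
    '</cross-domain-policy>')
POLICY_MASTER_ONLY = HEADER + ('<cross-domain-policy>'
    '<site-control permitted-cross-domain-policies="master-only"/>'
    '<allow-access-from domain="*.example.com"/>'
    '</cross-domain-policy>')
# Constructed counter-example: permissive meta-policy plus a wildcard grant.
WEAK = HEADER + ('<cross-domain-policy>'
    '<site-control permitted-cross-domain-policies="all"/>'
    '<allow-access-from domain="*"/>'
    '</cross-domain-policy>')

if __name__ == "__main__":
    for name, doc in [("none", POLICY_NONE), ("master-only", POLICY_MASTER_ONLY), ("weak", WEAK)]:
        print(name, audit_master_policy(doc) or "OK")
```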