Page MenuHomePhabricator
Create Task
Maniphest T75574

Host crossdomain.xml master policy file
Closed, DeclinedPublic
Actions

Description

To give us more options for mitigating issues like T73478, we really should have a master cross-domain policy file for all WMF domains that restricts any cross-domain policies served on the domain.

Either:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>

or if we really need any cross-domain flash access, specify them by domain:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="master-only"/>
 <allow-access-from domain="*.example.com"/>
</cross-domain-policy>

Version: unspecified
Severity: normal

Details

Reference
bz73574

Related Objects

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:52 AM
bzimport added a project: Security-Other.
bzimport set Reference to bz73574.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". · View Herald TranscriptNov 22 2014, 3:52 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)". · View Herald Transcript
csteipp created this task.Nov 18 2014, 8:06 PM
faidon subscribed.Nov 24 2014, 12:09 PM

Since you mention "all WMF domains": upload.wikimedia.org has a very open crossdomain.xml:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

This was the request of both internal applications that needed to do cross-domain requests from our own projects (e.g. ogv.js), as well as third-party users of upload.wikimedia.org.

JFYI, in case that results in a security issue I could not think of.

Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". · View Herald TranscriptNov 24 2014, 12:09 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
csteipp added a comment.Nov 24 2014, 11:05 PM

Thank faidon, I forgot about upload. That one can be open because we're not supposed to put anything sensitive there. I'll try to get this setup for all the rest of our domains.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptNov 24 2014, 11:05 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp triaged this task as Medium priority.Jul 14 2015, 8:48 PM
csteipp added a project: Security-Team.
csteipp mentioned this in T123653: Cross-domain policy regexp is too narrow.Jan 15 2016, 11:18 PM
Reedy updated the task description. (Show Details)Oct 31 2016, 3:53 PM
Aklapper updated the task description. (Show Details)Jun 29 2018, 2:45 PM
JBennett edited projects, added Security-team-backlog; removed Security-Team, Security-Other.Sep 4 2018, 2:23 PM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
Reedy added a project: SRE.Sep 2 2021, 4:42 PM
Legoktm added subscribers: tstarling, Legoktm.Jul 25 2022, 9:06 PM

@tstarling based on T279496: Revisit mangleFlashPolicy() I assume we can decline this and make it public?

tstarling closed this task as Declined.Jul 26 2022, 12:35 AM
tstarling changed the visibility from "Custom Policy" to "Public (No Login Required)".
tstarling changed the edit policy from "Custom Policy" to "All Users".
sbassett added a project: SecTeam-Processed.Jul 26 2022, 2:54 PM
sbassett moved this task from Back Orders to Our Part Is Done on the Security-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL