Flash Configuration for Cross-Domain Access

By default, the OBS system is configured to support cross-domain access using the root domain name. This allows access from all domains, exposing clients to attacks.

To address this issue, you can create a crossdomain.xml file with specific rules in each client's bucket, and add Security.loadPolicyFile("http://bucket.obs.cn-north-1.myhwclouds.com/crossdomain.xml") to the client's Flash code to prevent attacks.

crossdomain.xml must comply with the XML syntax rules and has exactly one root node, cross-domain-policy, without any property. The root node can contain only the following sub-nodes: site-control, allow-access-from, allow-access-from-identity, and allow-http-request-headers-from. The following table describes the sub-nodes.

Table 1

Name

Description

site-control

Checks the property value and determines whether other policy files can be loaded.

The property value can be:

none: loadPolicyFile cannot be used to load any policy file.

master-only: Only the master policy file [default] can be used.

by-content-type: Only loadPolicyFile can be used to load the file whose Content-Type is text/x-cross-domain-policy over HTTP/HTTPS as the cross-domain policy file.

by-ftp-filename: Only loadPolicyFile can be used to load file crossdomain.xml over FTP as the cross-domain policy file.

all: loadPolicyFile can be used to load any file of the target domain as the cross-domain policy file.

allow-access-from

Checks the property value and determines the source domain of the flash file that can access content of the domain.

The property value can be:

domain: This property specifies an IP address, a domain, or a wildcard domain (any domain). Only the IP addresses specified in domain have permission to access content of the domain using the Flash file.

to-ports: Socket connection ports that can access content of the domain.

secure: Indicates whether information is transmitted through encryption.

allow-access-from-identity

Allows a source domain that has a specific certificate to access resources in this domain.

allow-http-request-headers-from

Grants permission to a third-party domain to send data to the domain in HTTP header format.

The property value can be:

domain: This property specifies an IP address, a domain, or a wildcard domain (any domain). Only domains specified in domain have the permission to access the content of the domain using the flash file.

headers: A list separated by commas (,), indicating HTTP headers to be sent. Wildcard (*) can be used to indicate the HTTP header.

secure: Indicates whether information is transmitted through encryption.