James Ward just posted a very delicious bit on How Bad Crossdomain Policies Expose Protected Data to Malicious Applications. After fully digesting the post, I think that something more needs to be said about why we need a crossdomain in the first place.
"A cross-domain policy file is an XML document that grants a web client—such as Adobe Flash Player (though not necessarily limited to it)—permission to handle data across multiple domains. When a client hosts content from a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain would need to host a cross-domain policy file that grants access to the source domain, allowing the client to continue with the transaction. Policy files grant read access to data as well as permit a client to include custom headers in cross-domain requests."
Read the full spec if you like...
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
We need to add at this point... that the 'security' that is loosely referred to here is only good with clients that adhere to the implementation. Would a Perl, Python, .NET, Java, or Scala method look for a crossdomain.xml file before making a Web Service or HTTP request? Nope. How is that any kind of security then, you ask?
There is a Japanese saying that sums it up best...
"The nail that sticks out gets hit on the head."
To translate: Flash is a very visible technology (the nail that sticks out) and if it doesn't sit comfortably above reproach (below other nails)... it's going to become a favored tool of malicious individuals (ka-blaaaam). It's a serious thing and there is a lot at risk here - because of its position Flash could be the hammer and the nail with a great many unsuspecting individuals caught in-between.
My commentary here isn't meant to be a flame or criticism of Adobe - quite the opposite... I would hope that everyone would see it as a praise for their desire to make sure that Flash-based products are 'trustworthy' and 'secure' - and that reasonable efforts are being made to ensure that Flash apps won't run amuck when deployed to the interwebs.
Really quickly - I would like to add that if security is a hot topic for you and your applications, whatever policy is in place in your crossdomain.xml file should also be enforced on any router, gateway, proxy, firewall, or appliance in front of or mixed-in with your application. Remember that I qualified this kind of security to "clients that adhere to the implementation." So, the mere existence of a carefully crafted crossdomain doesn't make things all nicey-nice. In this case - it just means that Flash is going to behave when talking to your stuffs. If you don't have the cash for a fancy-dancy hardware setup... SSL is always a good start.
For anyone that might be grumbling about this... if you want to play in the Flash sandbox - you're going to have to play by the rules that it enforces; crossdomain is a big one. If you do, you and your applications stand to inherit a considerable amount of trust and security that should safely place them above reproach. Keep in mind that security is a two-way deal - for those who write applications and for those who consume them. Hopefully, all the pains we endure (as developers) will translate into a better and safer user experience.
Many thanks to James for his insight and desire to keep us all rolling down the right path!