Say I have a website (example.com) with the typical "very permissive" policy:
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
This used to be fine since the site contained only public data. But now, I'm adding the path "http://example.com/sensitive" which may contain some slightly sensitive information about the user browsing my site. I'd like to set up a stricter policy for it, something like:
<cross-domain-policy>
<allow-access-from domain="*.example.com"/>
</cross-domain-policy>
Say I put this "crossdomain.xml" in "http://example.com/sensitive", and I also modify the root policy like this:
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<site-control permitted-cross-domain-policies="by-content-type"/>
</cross-domain-policy>
Is that enough? I don't understand if the "child policy" can actually be more strict than the root policy - i.e. is it at the latitude of the flash client to load the child policy, or is it always loaded & enforced?
Found the answer, recording it here in case anybody needs it.
You can't make the a sub-path policy more strict than the master policy (well, technically speaking you can, but the .swf application needs to load the child policy explicitly from code, so if the child policy is more strict, it's not really enforceable).
What you CAN do is move your "http://example.com/sensitive" path to something like "http://sensitive.example.com/"; in this case, you can have a more strict
crossdomain.xmlpolicy onsensitive.example.com, and it will be enforced by Flash Player.