Cross-Domain Policy for API Access
Article ID: KB0074698
Updated On:
| Products | Versions |
|---|---|
| TIBCO Cloud API Management | - |
Description
The Cross-domain policy can be limited / restricted else accessibility becomes wide open across any domain . Allowing access from all domains means that any domain can perform two-way interaction with the application which can be a security concern.
Resolution
CrossDomain is defaulted to being very permissive if not found in the configuration. Below settings make them least permissive:
#Current Value:
[1] default_value = "<?xml version=\"1.0\"?>\n<!DOCTYPE cross-domain-policy SYSTEM \"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd\">\n<cross-domain-policy>\n <allow-access-from domain=\"*\"/>\n</cross-domain-policy>";
[2] Robots.txt is defaulted to the following if not found in the configuration:
default_value = "User-agent: *\nDisallow: \n\n";
default_value = "User-agent: *\nDisallow: \n\n";
#Proposed value (TBD):
[1] default_value = "<?xml version=\"1.0\"?>\n<!DOCTYPE cross-domain-policy SYSTEM \"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd\">\n<cross-domain-policy>\n <allow-access-from domain=\"\"/>\n</cross-domain-policy>";
[1] default_value = "<?xml version=\"1.0\"?>\n<!DOCTYPE cross-domain-policy SYSTEM \"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd\">\n<cross-domain-policy>\n <allow-access-from domain=\"\"/>\n</cross-domain-policy>";
[2] Robots.txt is defaulted to the following if not found in the configuration:
default_value = "User-agent: *\nDisallow: / \n\n";
default_value = "User-agent: *\nDisallow: / \n\n";
Issue/Introduction
Cross-Domain Policy for API Access
Feedback
Yes
No
Powered by
