
flash - Is the most restrictive policy in crossdomain.xml equivalent to having no policy file at all?

Repost. Author: 行者123. Updated: 2023-12-05 01:12:42

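I can see some HTTP 404s in my server logs for [mydomain]/crossdomain.xml

I'm wondering whether to add this file and configure it with the most restrictive policy, i.e. (taken from HTML5 Boilerplate):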

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Read this: www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->

  <!-- Most restrictive policy: -->
  <site-control permitted-cross-domain-policies="none"/>

  <!-- Least restrictive policy: -->
  <!--
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*" to-ports="*" secure="false"/>
    <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
  -->

  <!-- If you host a crossdomain.xml file with allow-access-from domain="*" and don’t understand all of the points described here, you probably have a nasty security vulnerability. ~ simon willison -->
</cross-domain-policy>

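Would that be equivalent to having none at all?

I find the crossdomain-related HTTP 404 errors misleading, so I would like to get rid of them in order to identify real errors more effectively.

Best answer

Not exactly. The spec states: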

In other words, the root cross-domain policy does not contain allow-access-from directives or the HTTP headers. A meta-policy of “none” prevents the use of any other policies that may be present even if the developer included them. It is invalid to have allow-access-from or a header policy within a root cross-domain policy file with a meta-policy of “none”. In cases where an invalid policy has both a “none” setting and other directives, “none” takes precedence and no permissions are allowed on the site.

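So, I think the most restrictive technique is to use "none".

Regarding "flash - Is the most restrictive policy in crossdomain.xml equivalent to having no policy file at all?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/8851229/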
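The precedence rule quoted from the spec, as an added example that is not part of the original question or answer: a small Python check for a root crossdomain.xml that you host yourself. The function name `audit_root_policy` and the three sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

GRANT_TAGS = ("allow-access-from", "allow-http-request-headers-from")

# Constructed sample policies (not taken from any real site).
STRICT = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>"""
CONFLICTING = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
</cross-domain-policy>"""
WILDCARD = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

def audit_root_policy(xml_text):
    """Evaluate a root policy file under the rule quoted above."""
    root = ET.fromstring(xml_text)  # the external DTD is not fetched
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    site = root.find("site-control")
    meta = site.get("permitted-cross-domain-policies") if site is not None else None
    grants = [el for tag in GRANT_TAGS for el in root.findall(tag)]
    findings = []
    if meta == "none":
        # "none" takes precedence: any grant directives are invalid and ignored.
        if grants:
            findings.append("invalid: grant directives alongside meta-policy 'none'")
        effective = []
    else:
        effective = grants
        if meta is None:
            findings.append("no site-control meta-policy declared")
    for el in effective:
        if el.get("domain") == "*":
            findings.append('wildcard grant: <%s domain="*">' % el.tag)
    return {"meta_policy": meta, "grants_access": bool(effective), "findings": findings}

if __name__ == "__main__":
    for name, doc in (("strict", STRICT), ("conflicting", CONFLICTING), ("wildcard", WILDCARD)):
        print(name, audit_root_policy(doc))
```
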
