Confirmed users
717
edits
WebAppSec/Secure Coding Guidelines: Difference between revisions
WebAppSec/Secure Coding Guidelines (view source)
Revision as of 01:57, 28 January 2011
, 28 January 2011→General Uploads
(→Image Upload: Asked why.) |
|||
| Line 321: | Line 321: | ||
*Ensure the image is served with the correct content-type (e.g. image/jpeg, application/x-xpinstall) | *Ensure the image is served with the correct content-type (e.g. image/jpeg, application/x-xpinstall) | ||
'''Beware of "special" files''' | |||
*crossdomain.xml allows cross-domain data loading in Flash, Java and Silverlight. If permitted on sites with authentication this can permit cross-domain data theft and CSRF attacks. Note this can get pretty complicated depending on the specific plugin version in question, so its best to just prohibit files named "crossdomain.xml" or "clientaccesspolicy.xml". | |||
=== Image Upload === | === Image Upload === | ||