YouTube Fixes Security Vulnerability

21 Dec 2006

Until recently, YouTube was vulnerable to cross-domain Ajax attacks because of its open crossdomain.xml policy. I notified them as soon as I discovered the vulnerability, and although I have yet to receive a reply, it appears they have fixed the problem:

    <cross-domain-policy>
        <allow-access-from domain="*.youtube.com" />
    </cross-domain-policy>

Unfortunately, this is causing problems for some Flash / Flex developers who use YouTube's API, and no information has been published to provide a reason for the change or advice on how to work within the new constraints. In fact, I'm not positive that my report prompted the change. It could be a coincidence.

Renaun Erickson writes:

Seems like we need some Adobe dev center write ups in this area, touching on Mashups, Open APIs, and proper usage of crossdomain.xml when used with other systems in place.

I agree, but at the moment, Adobe is setting a bad example:

    <cross-domain-policy>
        <allow-access-from domain="*" />
        <allow-access-from domain="*.macromedia.com" secure="false" />
        <allow-access-from domain="*.adobe.com" secure="false" />
    </cross-domain-policy>
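
A small audit of the two policies quoted above, as an added example that is not part of the original post: it parses a crossdomain.xml and flags the entries that open cross-domain reads. The function names and severity labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The two policies quoted in the post, copied verbatim.
YOUTUBE_FIXED = """<cross-domain-policy>
    <allow-access-from domain="*.youtube.com" />
</cross-domain-policy>"""

ADOBE = """<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-access-from domain="*.macromedia.com" secure="false" />
    <allow-access-from domain="*.adobe.com" secure="false" />
</cross-domain-policy>"""

# Severity labels are this example's own convention, not part of the policy format.
RANK = {"ok": 0, "info": 1, "medium": 2, "high": 3}


def audit_policy(xml_text):
    """Return (severity, domain, reason) for each notable allow-access-from entry."""
    if "<!ENTITY" in xml_text:
        # Policies fetched from other hosts are untrusted input; refuse entity tricks.
        raise ValueError("entity declarations are not expected in a policy file")
    findings = []
    for entry in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = entry.get("domain", "").strip()
        if domain == "*":
            findings.append(("high", domain,
                             "Flash content from any site can read responses "
                             "fetched with the visitor's cookies"))
        elif domain.startswith("*."):
            findings.append(("info", domain,
                             "every subdomain is trusted, including any that "
                             "host user-supplied content"))
        if entry.get("secure", "true").lower() == "false":
            findings.append(("medium", domain,
                             "content loaded over HTTP may read HTTPS responses"))
    return findings


def verdict(xml_text):
    """Highest severity found, or "ok" when nothing was flagged."""
    return max((f[0] for f in audit_policy(xml_text)), key=RANK.get, default="ok")


if __name__ == "__main__":
    for name, policy in (("youtube (fixed)", YOUTUBE_FIXED), ("adobe", ADOBE)):
        print(name, "->", verdict(policy))
        for severity, domain, reason in audit_policy(policy):
            print(f"  [{severity}] {domain}: {reason}")
```

Run against the two quoted policies, the Adobe file rates "high" because of its `domain="*"` entry, while YouTube's restricted file only produces an informational note about subdomain trust.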

Unlike Flickr, YouTube didn't just move their API to a separate domain. Instead, they closed it to *.youtube.com. Joe Berkovitz, a Flash / Flex developer and author of ReviewTube, would rather see them take Flickr's approach:

YouTube, if you want to be safe and not screw up Flash / Flex developers, please move your API to a different domain and put a liberal crossdomain.xml on that host. Thanks.

John Dowdell, who works for Adobe, also wrote about this issue. Hopefully Adobe will begin to educate developers about the security risks.


Chris Shiflett Boulder-based founder, designer, and developer. Co-founder of Studioworks and Schoolcase, and founder of Faculty, a product studio. Writing about building things on the web since 2000.