Until recently, YouTube has been vulnerable to cross-domain Ajax attacks due to their open crossdomain.xml policy. I notified them as soon as I discovered the vulnerability, and although I have yet to receive a reply, it appears they have fixed the problem:
<allow-access-from domain="*.youtube.com" />
Unfortunately, this is causing problems for some Flash / Flex developers who use YouTube's API, and no information has been published to provide a reason for the change or advice on how to work within the new constraints. In fact, I'm not positive that my report prompted the change. It could be a coincidence.
Renaun Erickson writes:
Seems like we need some Adobe dev center write ups in this area, touching on Mashups, Open APIs, and proper usage of crossdomain.xml when used with other systems in place.
I agree, but at the moment, Adobe is setting a bad example:
<allow-access-from domain="*" />
<allow-access-from domain="*.macromedia.com" secure="false" />
<allow-access-from domain="*.adobe.com" secure="false" />
Unlike Flickr, YouTube didn't just move their API to a separate domain. Instead, they closed it to *.youtube.com. Joe Berkovitz, a Flash / Flex developer and author of ReviewTube, would rather see them take Flickr's approach:
YouTube, if you want to be safe and not screw up Flash / Flex developers, please move your API to a different domain and put a liberal crossdomain.xml on that host. Thanks.
John Dowdell, who works for Adobe, also wrote about this issue. Hopefully Adobe will begin to educate developers about the security risks.
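A way to audit the two policies quoted above, as an added example that is not part of the original post: it parses a crossdomain.xml body and reports the open wildcard, subdomain wildcards, and secure="false" entries. The function names and severity labels are assumptions made for illustration, and the quoted rules are wrapped in the standard cross-domain-policy root element so they parse.

```python
import xml.etree.ElementTree as ET

# Rules quoted on this page, wrapped in the standard root element (wrapper added here).
# For policies fetched from untrusted hosts, parse with a hardened parser such as defusedxml.
YOUTUBE_FIXED = """<cross-domain-policy>
  <allow-access-from domain="*.youtube.com" />
</cross-domain-policy>"""

ADOBE = """<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.macromedia.com" secure="false" />
  <allow-access-from domain="*.adobe.com" secure="false" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (domain, severity, reason) findings for a crossdomain.xml body."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "").strip()
        # secure defaults to "true" when the attribute is absent
        secure = rule.get("secure", "true").strip().lower()
        if domain == "*":
            findings.append((domain, "high",
                "any site's SWF can read responses fetched with the visitor's cookies"))
        elif domain.startswith("*."):
            findings.append((domain, "info",
                "trust extends to every subdomain of that host"))
        if secure == "false":
            findings.append((domain, "medium",
                "SWFs served over plain HTTP may read HTTPS content"))
    return findings


def is_open(xml_text):
    """True when the policy grants access to every origin."""
    return any(sev == "high" for _, sev, _ in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("youtube (after fix)", YOUTUBE_FIXED), ("adobe", ADOBE)):
        print(name, "->", "open" if is_open(policy) else "restricted")
        for domain, sev, reason in audit_policy(policy):
            print(f"  [{sev}] {domain}: {reason}")
```

A host that serves only a public API, as in Flickr's approach, can carry the open wildcard without exposing authenticated user data, so a "high" finding matters most on hosts that also set session cookies.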