Why are you looking for my crossdomain.xml?
George Boobyer's blog
If you develop commerce sites and review your logs regularly, chances are you will come across 404 errors for crossdomain.xml. We get a lot of them from browser plugins that look for coupons on e-commerce sites (e.g. Drop Down Deals). In fact you are likely to get them on any site you develop, but we have seen them more frequently on e-commerce sites.
What is crossdomain.xml?
In short, it is a policy file that declares which other domains may access resources on your domain, so a careless one is a cross-site request forgery (CSRF) and data-exposure risk. It is read by Flash Player (Flash alert!): a Flash application served from another domain may only make requests to your site, and read the responses with your users' cookies attached, if your crossdomain.xml says so.
I don't use Flash! Why do I need a crossdomain.xml?
Well, you don't, but Flash and Silverlight applications embedded in other sites and in browser plugins will look for one anyway (and Silverlight also looks for clientaccesspolicy.xml). If you don't have one you waste time and effort serving 404 errors, each of which your web application has to generate.
Who asks for these files?
One common 'culprit' is the coupon-finding plugin Drop Down Deals: a lot of the crossdomain.xml 404 requests arrive with a referer of s.nsdsvc.com/App/DddWrapper.swf.
So what do I do?
One simple thing to do is to put up the basic restrictive policy file used by HTML5 Boilerplate (its only directive is a site-control element with permitted-cross-domain-policies="none", which grants nothing) and an empty clientaccesspolicy.xml. This stops the 404 errors and has no adverse impact on your security.
Basic empty Crossdomain.xml
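The policy files described above, together with a checker for the permissive settings warned about in this post, as an added example in Python (not code from the original post or from HTML5 Boilerplate; the restrictive crossdomain.xml is reproduced as HTML5 Boilerplate ships it, the clientaccesspolicy.xml is the minimal one suggested later in this post, and the 'wide open' policy and the audit function are constructed for the demonstration):

```python
"""Added example, not code from the original post: the HTML5 Boilerplate
restrictive crossdomain.xml, the minimal clientaccesspolicy.xml the post
suggests, and an audit that flags the permissive settings the post warns
against.  The 'wide open' policy is constructed for the demonstration."""
import xml.etree.ElementTree as ET

# The restrictive master policy shipped by HTML5 Boilerplate: well-formed, so
# Flash Player stops asking, but it grants nothing, and "none" also forbids any
# other policy file elsewhere on the site from granting access.
RESTRICTIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>
"""

# Minimal clientaccesspolicy.xml for Silverlight, exactly as the post suggests:
# it answers the request (no 404) without granting anything.
NO_ACCESS_CLIENTACCESSPOLICY = "<!-- No access -->\n"

# Constructed example of the copy-and-paste policy many tutorials show.
WIDE_OPEN_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""


def policy_files():
    """Files to place in the document root to stop the 404s without granting access."""
    return {
        "crossdomain.xml": RESTRICTIVE_CROSSDOMAIN,
        "clientaccesspolicy.xml": NO_ACCESS_CLIENTACCESSPOLICY,
    }


def audit_crossdomain(xml_text):
    """Return a list of findings for a crossdomain.xml; an empty list means nothing risky."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "cross-domain-policy":
        return ["unexpected root element <%s>" % root.tag]

    findings = []
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": '
                        'a policy file anywhere on the site (e.g. in an upload '
                        'directory) can grant access')

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may make '
                            'requests with your users\' cookies and read the responses')
        elif domain.startswith("*."):
            findings.append('allow-access-from domain="%s": every subdomain is trusted' % domain)
        # secure="false" lets SWFs served over plain HTTP read content served over HTTPS.
        if elem.get("secure", "true").lower() == "false":
            findings.append('allow-access-from domain="%s" secure="false": '
                            'plain-HTTP SWFs may read HTTPS responses' % domain)

    for elem in root.findall("allow-http-request-headers-from"):
        if elem.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" headers="%s": '
                            'any origin may send custom request headers'
                            % elem.get("headers", ""))
    return findings


if __name__ == "__main__":
    for name, content in policy_files().items():
        print("==== %s ====\n%s" % (name, content))
    print("restrictive policy findings:", audit_crossdomain(RESTRICTIVE_CROSSDOMAIN))
    print("wide-open policy findings:")
    for finding in audit_crossdomain(WIDE_OPEN_CROSSDOMAIN):
        print(" -", finding)
```

Run it as a script to print both files and the findings; the restrictive policy produces no findings, the wide-open one produces three. Pointing audit_crossdomain() at the crossdomain.xml fetched from a site you are reviewing is a quick way to see whether it has the "*" problem discussed below.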
Be aware, though, that a lot of sites discussing crossdomain.xml give examples of 'default' crossdomain.xml content that contains the line:
<allow-access-from domain="*" /> - Don't do that!!
That opens you up to a whole world of CSRF pain: a Flash application on any site could make requests to yours with your users' cookies attached and read the responses. If in any doubt, don't put a crossdomain.xml file in the root of your site at all. If you just want to avoid the 404 errors, use the basic restrictive one from HTML5 Boilerplate described above.
*** Update ***
Silverlight looks for clientaccesspolicy.xml first and, if that returns a 404, falls back to crossdomain.xml.
That first request will of course still produce a 404 (which is what we are trying to stop), so you could either place a minimal clientaccesspolicy.xml containing just the following line:
<!-- No access -->
or use a well-formed XML file and just leave the allow-from element empty. I haven't tried that, but according to the specification (see http://msdn.microsoft.com/en-us/library/cc645032%28v=vs.95%29.aspx) that would be the valid method. Of course, if you do use Silverlight you will need to add your own domains and tailor the file to your needs; here's a good guide: http://www.silverlighthack.com/post/2008/11/08/Silverlight-clientaccessp...
Is there more I can do?
If you find you get a lot of requests for missing 'pages' it might be evidence of a security issue: someone testing your site for exploits. In that case it is best to cut them off at source and not bother your web application (such as Drupal) with them at all.
A good technique is to use rewrite rules in your server configuration files (e.g. .htaccess in Apache, or better your VirtualHost configuration), or in web.config on IIS:
RewriteEngine On
RewriteCond %{HTTP_REFERER} www\.dodgyrequester\.com [NC]
RewriteRule .* - [F]
This 'drops' every request whose Referer header contains www.dodgyrequester.com by answering 403 Forbidden (the [F] flag) before your application sees it. Bear in mind that the Referer header is supplied by the client, so this shuts out a plugin or a lazy scanner, not an attacker who omits or forges it. Analyse your log files (using Log Parser) to study the requests and work out what they are trying to do.
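The log review and the rewrite rule from the paragraphs above, as an added example in Python (not code from the original post; the log lines, the RFC 5737 addresses and the www.dodgyrequester.com referer are constructed for the demonstration, and the "three distinct missing paths" threshold is an assumption):

```python
"""Added example, not code from the original post: the post's log review as
code over Apache combined-format lines.  It counts policy-file 404s by
referring host (the Drop Down Deals case), flags client IPs probing many
missing paths (the 'someone testing your site' case) and emits Apache rewrite
rules in the form the post uses.  Log lines and addresses are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

POLICY_FILES = {"/crossdomain.xml", "/clientaccesspolicy.xml"}

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /crossdomain.xml HTTP/1.1" 404 512 '
    '"http://s.nsdsvc.com/App/DddWrapper.swf" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2012:13:56:01 +0000] "GET /clientaccesspolicy.xml HTTP/1.1" 404 512 '
    '"http://s.nsdsvc.com/App/DddWrapper.swf" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2012:13:56:01 +0000] "GET /crossdomain.xml HTTP/1.1" 404 512 '
    '"http://s.nsdsvc.com/App/DddWrapper.swf" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2012:13:57:12 +0000] "GET /product/42 HTTP/1.1" 200 8812 '
    '"http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2012:14:02:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.23 - - [10/Oct/2012:14:02:41 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.23 - - [10/Oct/2012:14:02:41 +0000] "GET /admin/config.php?x=1 HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.23 - - [10/Oct/2012:14:02:42 +0000] "GET /user/login HTTP/1.1" 200 4410 "-" "-"',
    '198.51.100.23 - - [10/Oct/2012:14:02:43 +0000] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "-"',
    'this line is not in combined format and is skipped',
]


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def records(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def policy_404s_by_referer(lines):
    """Count 404s for the Flash/Silverlight policy files by referring host."""
    counts = Counter()
    for rec in records(lines):
        if rec["status"] == 404 and rec["path"] in POLICY_FILES:
            counts[urlsplit(rec["referer"]).hostname or "-"] += 1
    return counts


def suspected_scanners(lines, min_distinct_404s=3):
    """IPs that requested at least min_distinct_404s different missing paths
    (policy-file requests excluded: that is plugin noise, not probing)."""
    missing = defaultdict(set)
    for rec in records(lines):
        if rec["status"] == 404 and rec["path"] not in POLICY_FILES:
            missing[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in missing.items()
            if len(paths) >= min_distinct_404s}


def htaccess_rules(referer_hosts=(), ips=()):
    """Apache rewrite rules, in the form the post uses, answering 403 to requests
    from the given referer hosts or client IPs.  RewriteCond lines are ANDed
    unless flagged [OR], so every condition but the last gets OR."""
    conds = [("%%{HTTP_REFERER} %s" % re.escape(h), ["NC"]) for h in referer_hosts]
    conds += [("%%{REMOTE_ADDR} ^%s$" % re.escape(ip), []) for ip in ips]
    if not conds:
        return ""
    lines = ["RewriteEngine On"]
    for i, (test, flags) in enumerate(conds):
        if i < len(conds) - 1:
            flags = flags + ["OR"]
        lines.append("RewriteCond " + test + (" [%s]" % ",".join(flags) if flags else ""))
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("policy-file 404s by referer:", dict(policy_404s_by_referer(SAMPLE_LOG)))
    scanners = suspected_scanners(SAMPLE_LOG)
    print("suspected scanners:", scanners)
    print(htaccess_rules(referer_hosts=["www.dodgyrequester.com"], ips=list(scanners)))
```

On the sample log the three policy-file 404s all trace back to s.nsdsvc.com (serve the policy files and they go away), while 198.51.100.23 is the only client hitting several unrelated missing paths, which is the pattern worth blocking. Feed real lines in with `records(open("access.log"))` and tune the threshold to your traffic.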
If you have isolated a particular source that is malicious, you would do better to drop it further upstream using iptables, DenyHosts or other firewall configuration, but that is a whole different subject!