We have some Wowza 4.2.0 servers. Basically, they are used for streaming publicly available media. We don’t use SSL.
Recently some vulnerability scanning was done. One of the suggestions is
“Edit the crossdomain.xml file to be less permissive”
Just wonder if this needs to be done and if conf/crossdomain.xml is really needed.
My understanding is that it is honored by the Flash client; other streaming methods such as Apple HLS, RTSP or MS Smooth are not affected. Is this correct?
===== Existing default crossdomain.xml
<?xml version="1.0" encoding="UTF-8" ?>
=====
The Wowza server itself does not host any SWF file and will not use SSL. So the Flash Player is hosted on our web server. For example, vod1.example.com is one of the Wowza servers and web.example.com is the web server hosting the web page and the SWF files to play the media.
We don’t mind other domains such as web.nosuchdomain.com hosting web pages and SWF files to play our media on vod1.example.com.
So is this crossdomain.xml good enough? Or can we delete secure="false"?
In order to meet the vulnerability scanning recommendation, should we change it to the following?
===== suggested crossdomain.xml
<?xml version="1.0" encoding="UTF-8" ?>
=====
And will only web servers under *.example.com be able to host SWFs to play our media? Will other domains such as web.nosuchdomain.com no longer be able to do so?
Any comments?
Thanks a lot.
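
An added example, not part of the original post: a Python check that parses a crossdomain.xml policy and reports which SWF-hosting domains it admits, using the hostnames from the question. The two policies are constructed samples (the XML bodies in the post did not survive on this page), and the wildcard matching is a simplified assumption of how Flash Player matches domains.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; the XML bodies from the post are not on the page.
PERMISSIVE = """<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""
RESTRICTED = """<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

def allowed_patterns(policy_xml):
    """Return (domain pattern, secure flag) for each allow-access-from entry."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    return [(e.get("domain", "").lower(), e.get("secure", "true").lower())
            for e in root.iter("allow-access-from")]

def host_matches(pattern, host):
    """Simplified matching (assumption): '*' matches any host, '*.suffix'
    matches hosts ending in '.suffix', anything else must match exactly."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def may_load(policy_xml, swf_host):
    """True if a SWF served from swf_host is granted access by the policy."""
    return any(host_matches(p, swf_host) for p, _ in allowed_patterns(policy_xml))

def findings(policy_xml):
    """List the entries a scanner would report as permissive."""
    out = []
    for pattern, secure in allowed_patterns(policy_xml):
        if pattern == "*":
            out.append("domain='*': a SWF hosted on any site is granted access")
        if secure == "false":
            out.append(f"secure='false' on {pattern!r}: non-HTTPS SWFs are granted access")
    return out

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        for host in ("web.example.com", "web.nosuchdomain.com"):
            print(name, host, may_load(policy, host))
        print(name, findings(policy))
```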