vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/s3api/en-us_topic_0125560477.html
Jawei, Li 1a4c1a720a OBS s3api 2.0.38.SP5 
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Jawei, Li <lijiawei5@huawei.com>
Co-committed-by: Jawei, Li <lijiawei5@huawei.com>
2022-11-16 14:51:13 +00:00

64 lines
8.1 KiB
HTML
Raw Blame History

<a name="EN-US_TOPIC_0125560477"></a><a name="EN-US_TOPIC_0125560477"></a>
<h1 class="topictitle1">Flash Configuration for Cross-Domain Access</h1>
<div id="body1468499666024"><p id="EN-US_TOPIC_0125560477__p43852263203526">By default, OBS system is configured to support cross-domain access using the root domain name. This allows access from all domains, so clients are likely to be attacked.</p>
<p id="EN-US_TOPIC_0125560477__p59126050203526">To address this issue, you can create a <strong id="EN-US_TOPIC_0125560477__b151583319466">crossdomain.xml</strong> file with specific rules in the bucket for each client, and add <strong id="EN-US_TOPIC_0125560477__b1262464811466">Security.loadPolicyFile(http://obs.example.com/bucket/crossdomain.xml)</strong> in the file's flash code to prevent attacks.</p>
<p id="EN-US_TOPIC_0125560477__p552913818457">The following is an example of the <strong id="EN-US_TOPIC_0125560477__b712172211453">crossdomain.xml</strong> file:</p>
<pre class="screen" id="EN-US_TOPIC_0125560477__screen63241979385">&lt;?xml version="1.0"?&gt;
&lt;cross-domain-policy&gt;
&lt;allow-access-from domain="*" to-ports="80,443" secure="false"/&gt;
&lt;site-control permitted-cross-domain-policies="master-only" /&gt;
&lt;/cross-domain-policy&gt;</pre>
<p id="EN-US_TOPIC_0125560477__p125358283454"><strong id="EN-US_TOPIC_0125560477__b0301125434616">crossdomain</strong><strong id="EN-US_TOPIC_0125560477__b730111542465">.xml</strong> needs to comply with the XML syntax rules, and there is only one root node <strong id="EN-US_TOPIC_0125560477__b976834704618">cross</strong><strong id="EN-US_TOPIC_0125560477__b3768124744614">-domain-</strong><strong id="EN-US_TOPIC_0125560477__b1676954712467">policy</strong> without any attribute. The root node can contain only the following sub-nodes: site-control, allow-access-from, allow-access-from-identity, and allow-http-request-headers-from. The following table lists description about sub-nodes.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560477__table127711534194913" frame="border" border="1" rules="all"><caption><b>Table 1 </b></caption><thead align="left"><tr id="EN-US_TOPIC_0125560477__row1577243484911"><th align="left" class="cellrowborder" valign="top" width="34%" id="mcps1.3.6.2.3.1.1"><p id="EN-US_TOPIC_0125560477__p97722341492"><strong id="EN-US_TOPIC_0125560477__b1334055017505">Sub-node</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="66%" id="mcps1.3.6.2.3.1.2"><p id="EN-US_TOPIC_0125560477__p11772634124917"><strong id="EN-US_TOPIC_0125560477__b8344205014508">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560477__row27728341498"><td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.6.2.3.1.1 "><p id="EN-US_TOPIC_0125560477__p1277243444913"><strong id="EN-US_TOPIC_0125560477__b4969559506">site-control</strong></p>
</td>
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.6.2.3.1.2 "><p id="EN-US_TOPIC_0125560477__p15772133414917">Checks the attribute value and determines whether other policy files can be loaded.</p>
<p id="EN-US_TOPIC_0125560477__p1590723195114">The attribute value can be:</p>
<p id="EN-US_TOPIC_0125560477__p228417523515"><strong id="EN-US_TOPIC_0125560477__b1436115123528">none</strong>: <strong id="EN-US_TOPIC_0125560477__b61800216576">loadPolicyFile</strong> cannot be used to load any policy file.</p>
<p id="EN-US_TOPIC_0125560477__p3559191718520"><strong id="EN-US_TOPIC_0125560477__b37377048161524">master-only</strong>: Only the master policy file [default] can be used.</p>
<p id="EN-US_TOPIC_0125560477__p7130141215215"><strong id="EN-US_TOPIC_0125560477__b1313015121124">by-content-type</strong>: Only <strong id="EN-US_TOPIC_0125560477__b73646391122">loadPolicyFile</strong> can be used to load the file whose <strong id="EN-US_TOPIC_0125560477__b1102133912818">Content-Type</strong> is <strong id="EN-US_TOPIC_0125560477__b1493914534810">text/x-cross-domain-policy</strong> over HTTP/HTTPS as the cross-domainpolicy file.</p>
<p id="EN-US_TOPIC_0125560477__p129071016185519"><strong id="EN-US_TOPIC_0125560477__b1587731216912">by-ftp-filename</strong>: Only <strong id="EN-US_TOPIC_0125560477__b16665123615111">loadPolicyFile</strong> can be used to load file <strong id="EN-US_TOPIC_0125560477__b5866144515115">crossdomain.xml</strong> over FTP as the cross-domain policy file.</p>
<p id="EN-US_TOPIC_0125560477__p58274322566"><strong id="EN-US_TOPIC_0125560477__b783410501392">all</strong>: <strong id="EN-US_TOPIC_0125560477__b148722045131211">loadPolicyFile</strong> can be used to load any file of the target domain as the cross-domain policy file.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560477__row1777273416493"><td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.6.2.3.1.1 "><p id="EN-US_TOPIC_0125560477__p1677263404913"><strong id="EN-US_TOPIC_0125560477__b119755515506">allow-access-from</strong></p>
</td>
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.6.2.3.1.2 "><p id="EN-US_TOPIC_0125560477__p31020503161450">Checks the attribute value and determines the source domain of the flash file that can access content of the domain.</p>
<p id="EN-US_TOPIC_0125560477__p10749076161450">The attribute value can be:</p>
<p id="EN-US_TOPIC_0125560477__p29632828161450"><strong id="EN-US_TOPIC_0125560477__b17372877161625">domain</strong>: This attribute specifies an IP address, a domain, and a wildcard domain (any domain). Only domains specified in <strong id="EN-US_TOPIC_0125560477__b7115914135719">domain</strong> have the permission to access content of the domain using the flash file.</p>
<p id="EN-US_TOPIC_0125560477__p65368862161450"><strong id="EN-US_TOPIC_0125560477__b27480397161628">to-ports</strong>: Socket connection ports that can access content of the domain.</p>
<p id="EN-US_TOPIC_0125560477__p51448853161450"><strong id="EN-US_TOPIC_0125560477__b36865975161631">secure</strong>: Specifies whether information is transmitted through encryption.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560477__row14772434204918"><td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.6.2.3.1.1 "><p id="EN-US_TOPIC_0125560477__p3772193412499"><strong id="EN-US_TOPIC_0125560477__b9991455195010">allow-access-from-identity</strong></p>
</td>
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.6.2.3.1.2 "><p id="EN-US_TOPIC_0125560477__p66168651161450">Allows cross-domain sources with certain certificates to access resources in this domain.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560477__row9772133416497"><td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.6.2.3.1.1 "><p id="EN-US_TOPIC_0125560477__p1772734204920"><strong id="EN-US_TOPIC_0125560477__b12100165517506">allow-http-request-headers-from</strong></p>
</td>
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.6.2.3.1.2 "><p id="EN-US_TOPIC_0125560477__p25106258161450">Grants permission to a third-party domain to sent data to the domain in <strong id="EN-US_TOPIC_0125560477__b18527132614248">http</strong> header format.</p>
<p id="EN-US_TOPIC_0125560477__p24629731161450">The attribute value can be:</p>
<p id="EN-US_TOPIC_0125560477__p20340992161450"><strong id="EN-US_TOPIC_0125560477__b12927463161636">domain</strong>: This attribute specifies an IP address, a domain, and a wildcard domain (any domain). Only domains specified in <strong id="EN-US_TOPIC_0125560477__b12243122011575">domain</strong> have the permission to access content of the domain using the flash file.</p>
<p id="EN-US_TOPIC_0125560477__p14678175610277"><strong id="EN-US_TOPIC_0125560477__b106787563271">headers</strong>: Specifies a list of http headers separated by commas. Wildcard (*) can be used to indicate the http header.</p>
<p id="EN-US_TOPIC_0125560477__p48851200161450"><strong id="EN-US_TOPIC_0125560477__b721211317288">secure</strong>: Specifies whether information is transmitted through encryption.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0125560354.html">Access Control</a></div>
</div>
</div>
View Git Blame Copy Permalink