Manual:$wgMangleFlashPolicy
From mediawiki.org
This feature was removed completely in version 1.40.0.
| Output: $wgMangleFlashPolicy | |
|---|---|
| Whether to mangle any <cross-domain-policy> (Adobe cross-domain policy) tags, to prevent XSS attacks. | |
| Introduced in version: | 1.23.7 (Gerrit change 174289; git #92f22cd4) |
| Deprecated in version: | 1.39.0 (Gerrit change 815827; git #51ddd706) |
| Removed in version: | 1.40.0 (Gerrit change 838769; git #bb10b7d5) |
| Allowed values: | (boolean) |
| Default value: | true |
Details
When this is set to true, any occurrences of <cross-domain-policy> in sanitised output will be altered to <NOT-cross-domain-policy>. Without this, an attacker can potentially send their own Adobe cross-domain policy unless it is prevented by the crossdomain.xml file at the domain root.
You should only set this to false if you have a crossdomain.xml file in the root of your website (e.g. http://example.com/crossdomain.xml).
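As an added illustration (not MediaWiki's own code), the PHP below applies the rewrite described above to constructed response bodies and checks that no opening policy tag survives. The function names, the regular expression and the sample strings are assumptions made for this example.

```php
<?php
// Added illustration, not MediaWiki source. Function names are hypothetical.

// Matches an opening <cross-domain-policy tag. Case-insensitivity and the
// optional whitespace after "<" are conservative assumptions; the lookahead
// leaves longer element names such as <cross-domain-policy-notes> alone.
const POLICY_TAG = '/<\s*cross-domain-policy(?=\s|>)/i';

/** Apply the rewrite the setting describes when $mangle is true. */
function mangleFlashPolicy(string $output, bool $mangle = true): string {
    if (!$mangle) {
        return $output; // corresponds to $wgMangleFlashPolicy = false
    }
    // Fall back to the untouched input if the regex engine reports an error.
    return preg_replace(POLICY_TAG, '<NOT-cross-domain-policy', $output) ?? $output;
}

/** True if $output still carries an opening tag a policy parser could accept. */
function hasFlashPolicyTag(string $output): bool {
    return preg_match(POLICY_TAG, $output) === 1;
}

// Constructed samples: user-controlled text echoed back in a response body.
$samples = [
    'plain tag'      => '{"title":"<cross-domain-policy><!-- placeholder --></cross-domain-policy>"}',
    'mixed case'     => '<Cross-Domain-Policy>',
    'with attribute' => '<cross-domain-policy xmlns:x="urn:example">',
    'longer name'    => '<cross-domain-policy-notes>',
    'no tag'         => 'The cross-domain-policy element is described here.',
];

foreach ($samples as $label => $body) {
    $out = mangleFlashPolicy($body);
    // "before" and "after" report whether an opening policy tag is present.
    printf("%-15s before=%s after=%s\n    %s\n", $label,
        var_export(hasFlashPolicyTag($body), true),
        var_export(hasFlashPolicyTag($out), true),
        $out);
}
```

Only the opening tag is rewritten; the closing `</cross-domain-policy>` is left in place, which is enough to stop the body from parsing as a policy document.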