Update cross domain policy to only allow API access.
authorTom Hughes <tom@compton.nu>
Mon, 6 Oct 2008 23:21:57 +0000 (23:21 +0000)
committerTom Hughes <tom@compton.nu>
Mon, 6 Oct 2008 23:21:57 +0000 (23:21 +0000)
config/lighttpd.conf
public/api/crossdomain.xml [new file with mode: 0644]
public/crossdomain.xml

index 74aa6f3..7a9e241 100644 (file)
@@ -65,9 +65,17 @@ mimetype.assign = (
   ".js" => "application/x-javascript",
   ".png" => "image/png",
   ".swf" => "application/x-shockwave-flash",
-  ".txt" => "text/plain"
+  ".txt" => "text/plain",
+  ".xml" => "text/xml"
 )
 
+#
+# Force special MIME type for crossdomain.xml files
+#
+$HTTP["url"] =~ "/crossdomain\.xml$" {
+  mimetype.assign = ( ".xml" => "text/x-cross-domain-policy" )
+}
+
 #
 # Enable compression of appropriate static content
 #
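Review bot: The `$HTTP["url"] =~ "/crossdomain\.xml$"` conditional is anchored only at the end, so any request path that happens to end in `/crossdomain.xml` is served as `text/x-cross-domain-policy`, and once public/crossdomain.xml switches to `by-content-type` (third section of this commit) Flash Player will accept any response carrying that Content-Type as a policy file for the directory it was served from. If the application can ever serve user-supplied content from such a path, that content would be trusted as a policy; anchoring the rule to the two files this commit actually ships, `$HTTP["url"] =~ "^/(api/)?crossdomain\.xml$" {`, keeps the grant to the intended locations. A comment on the block recording the dependency, `# public/crossdomain.xml uses by-content-type, so this Content-Type is the trust signal; keep the match exact`, would stop a later editor from loosening it. The mimetype.assign table being extended starts before the hunk.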
diff --git a/public/api/crossdomain.xml b/public/api/crossdomain.xml
new file mode 100644 (file)
index 0000000..cbc8e25
--- /dev/null
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
+
+<cross-domain-policy>
+       <allow-access-from domain="*"/>
+       <allow-http-request-headers-from domain="*" headers="Authorization"/>
+       <allow-http-request-headers-from domain="*.openstreetmap.org" headers="*"/>
+       <allow-http-request-headers-from domain="*.openstreetmap.net" headers="*"/>
+       <allow-http-request-headers-from domain="*.openstreetmap.com" headers="*"/>
+</cross-domain-policy>
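Review bot: `<allow-access-from domain="*"/>` combined with `headers="Authorization"` for every origin means Flash content hosted anywhere can read API responses, and the player generally sends the browser's cookies with those requests, so this policy is only safe if API authorization never relies on ambient cookie or session credentials; that assumption is not stated anywhere in the new file. A comment inside the policy, `<!-- Any origin may call the API with its own Authorization header; API responses must not be authorised by session cookies alone -->`, would record why the wildcard is acceptable here. The three `headers="*"` grants for *.openstreetmap.org/.net/.com repeat the lines the master policy drops in this same commit; keep them only if API clients on those hosts genuinely need headers beyond Authorization, otherwise they widen the policy for no documented reason.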
index 22ff5a4..0a2ff6c 100644 (file)
@@ -2,9 +2,5 @@
 <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
 
 <cross-domain-policy>
-       <site-control permitted-cross-domain-policies="master-only"/>
-       <allow-access-from domain="*"/>
-       <allow-http-request-headers-from domain="*.openstreetmap.org" headers="*"/>
-       <allow-http-request-headers-from domain="*.openstreetmap.net" headers="*"/>
-       <allow-http-request-headers-from domain="*.openstreetmap.com" headers="*"/>
-</cross-domain-policy>
\ No newline at end of file
+       <site-control permitted-cross-domain-policies="by-content-type"/>
+</cross-domain-policy>
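Review bot: The master policy now grants nothing itself and relies on `by-content-type` to make public/api/crossdomain.xml effective, which only works because config/lighttpd.conf serves that path as `text/x-cross-domain-policy`; nothing in this file records the coupling, and reinstating the removed `master-only` line would silently disable the API policy again. Adding `<!-- by-content-type: sub-policies such as /api/crossdomain.xml are honoured only when served as text/x-cross-domain-policy (see config/lighttpd.conf) -->` above the site-control element would make that explicit. It is worth stating in the same comment that `by-content-type` is the narrowest meta-policy that still permits an HTTP sub-policy, so a future reviewer does not reach for `all`.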