Manual:$wgMangleFlashPolicy
Output: $wgMangleFlashPolicy | |
---|---|
Whether to mangle any <cross-domain-policy> (Adobe cross-domain policy) tags, to prevent XSS attacks. |
|
Introduced in version: | 1.23.7 (Gerrit change 174289; git #92f22cd4) |
Removed in version: | still in use |
Allowed values: | (boolean) |
Default value: | true |
Other settings: Alphabetical | By function |
DetailsEdit
When this is set to true, any occurrences of <cross-domain-policy>
in sanitised output will be altered to <NOT-cross-domain-policy>
. Without this, an attacker can potentially send their own Adobe cross-domain policy unless it is prevented by the crossdomain.xml file at the domain root.
You should only set this to false if you have a crossdomain.xml file in the root of your website (e.g. http://example.com/crossdomain.xml).