Thank you for your report!
Swift provides operators with the ability to configure the policy they like, including returning a client error (effectively disabling cross-domain access). For more information, see https://docs.openstack.org/swift/latest/middleware.html#module-swift.common.middleware.crossdomain
Thinking of Swift generally:
The crossdomain middleware is disabled by default. Operators need to explicitly configure it, or all requests to the /crossdomain.xml path will receive a client error.
If enabled, the crossdomain middleware is very permissive by default. This stems from its origin and continued use as a public cloud platform, where a permissive policy is appropriate. We may want to highlight the permissiveness of the default in docs.
As to the specific concern reported, this seems like something to take to Oracle -- though I would expect that, as a public cloud provider, they may well *want* a permissive policy.
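An operator who wants to check what their proxy actually serves at /crossdomain.xml can parse the returned policy and flag the permissive patterns the comment above describes (a wildcard domain, or secure="false"). The following is an added example, not Swift project code and not part of the original thread; both sample policies are constructed inline, the first shaped like the permissive default described above, and the parse_policy and audit_policy names are this example's own.

```python
"""Audit a crossdomain.xml policy of the kind Swift's crossdomain middleware
serves at /crossdomain.xml.

Added example, not Swift project code. The sample policies below are
constructed for this example; the permissive one mirrors the wildcard
shape the bug thread describes as the middleware's default.
"""
import xml.etree.ElementTree as ET

# Constructed sample: wildcard policy, any origin, plaintext allowed.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
"""

# Constructed sample: policy scoped to one organisation's hosts.
SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*.example.com" />
    <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>
"""


def parse_policy(xml_text):
    """Return (domain, secure) for every allow-access-from rule in the policy."""
    root = ET.fromstring(xml_text)
    rules = []
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        # In the crossdomain.xml format, an omitted 'secure' attribute is
        # treated as true, so only an explicit "false" relaxes it.
        secure = elem.get("secure", "true").lower() != "false"
        rules.append((domain, secure))
    return rules


def audit_policy(xml_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for domain, secure in parse_policy(xml_text):
        if domain == "*":
            findings.append(
                "wildcard domain: any origin may make cross-domain requests")
        if not secure:
            findings.append(
                f"secure=false for {domain}: plaintext HTTP origins may "
                "reach resources served over HTTPS")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

The check is deliberately narrow: it reports the two settings the thread calls out and leaves policy decisions to the operator, since a public cloud may legitimately want the wildcard while a private deployment usually does not.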