What is the purpose of Flash's crossdomain.xml protection?
If you want to use content on another server, that server needs to host a crossdomain.xml file allowing access. If this file isn't there, Flash won't let you access it. Given that it's easy enough to just write a proxy (say a PHP script that curls the external URLs), what is the purpose of this restriction? It seems that the content is still 100% available to external people, but there is just one extra hoop to jump through. What am I missing?
If Flash just did the request flat out without asking for permission first, it would be possible to do what is called cross-site request forgery.
It basically means that since the request is coming from your computer, it will come with your cookies. So by accessing a known URL, say Gmail, I could pretend to be you. And since it's all well hidden within a .swf, you'd never know what happened.
However, if the request goes through a proxy on another server (normally the same server that is hosting the .swf), none of those cookies will be present and everything is nice and safe.
crossdomain.xml was introduced to prevent attacks such as cross-site request forgery and also DNS rebinding attacks.