
crossdomain.xml and security issues


I read a lot about cross-site scripting with Flash, Javascript etc. and also found several lists with websites that have a crossdomain.xml that allows access from any server. For example flickr.com trusts all domains.

Can somebody explain to me why this seems to be secure and doesn't lead to attacks like session hijacking? Is it because that crossdomain.xml is only valid on subdomains, which don't make it possible for an attacker to get the session key?


Solution

  • Using crossdomain.xml files can be very dangerous and can open websites up to serious attacks. There are two rules of thumb to prevent crossdomain policies from opening up security holes:

    1. Never put a crossdomain policy file on an intranet site
    2. Never put a crossdomain policy file on a site that uses cookies

    A valid use of a crossdomain policy file is on a site like api.flickr.com where there are only services which do not use cookies.
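The two rules of thumb in the answer can be turned into a small audit. The following is an added example, not code from the answer above or from Flickr or Adobe: it parses a crossdomain.xml document with the standard library, extracts every `allow-access-from` grant, and reports the conditions the answer warns about (a policy on an intranet host, a policy on a host that uses cookies) together with the obvious permissiveness problems (`domain="*"`, subdomain wildcards, `secure="false"`). The two sample policies are constructed for this example, and the function names `parse_grants` and `audit_policy` are this example's own; whether the host uses cookies or sits on an intranet is passed in as a flag, because the policy file itself cannot tell you that.

```python
"""Audit a Flash crossdomain.xml policy against the rules of thumb above.

The sample policies are constructed for this example; they are not copied
from flickr.com or any other real site.
"""
import xml.etree.ElementTree as ET

# Constructed: the kind of policy the question asks about.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Any Flash movie on any origin may read responses from this host. -->
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed: a tightened policy for comparison.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <!-- Only movies served from this one host, and only over HTTPS. -->
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>
"""


def parse_grants(xml_text):
    """Return a list of (domain, secure) tuples, one per allow-access-from."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    grants = []
    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain")
        if domain is None:
            raise ValueError("allow-access-from without a domain attribute")
        # A missing secure attribute is treated as secure="true".
        secure = elem.get("secure", "true").strip().lower() != "false"
        grants.append((domain, secure))
    return grants


def audit_policy(xml_text, site_uses_cookies=False, is_intranet=False):
    """Return a list of findings; an empty list means nothing was flagged.

    site_uses_cookies and is_intranet describe the host serving the policy;
    they are inputs because the XML alone does not reveal either fact.
    """
    grants = parse_grants(xml_text)
    findings = []
    if not grants:
        return findings  # A policy that grants nothing opens nothing.
    if is_intranet:
        findings.append("INTRANET: the policy lets an external movie reach this "
                        "internal host through the victim's browser")
    if site_uses_cookies:
        findings.append("COOKIES: cross-domain requests carry the victim's session "
                        "cookie, so authenticated responses leak to allowed origins")
    for domain, secure in grants:
        if domain == "*":
            findings.append('WILDCARD: domain="*" trusts every origin on the Internet')
        elif domain.startswith("*."):
            findings.append(f"SUBDOMAIN_WILDCARD: {domain} trusts every subdomain, "
                            "including any an attacker can host content on")
        if not secure:
            findings.append(f"INSECURE: {domain} is granted with secure=\"false\", so a "
                            "movie loaded over plain HTTP may use it against an HTTPS host")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(policy, site_uses_cookies=True))
```

Run against the permissive sample with `site_uses_cookies=True` it reports both the wildcard and the cookie finding, which is exactly the combination the answer says never to ship; the restricted sample on a cookie-free public host reports nothing.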