coderrr

September 14, 2007

Script Accenting

Filed under: security — Tags: — coderrr @ 3:42 pm

Pretty awesome paper with an idea on how to prevent future cross-domain policy vulnerabilities: http://research.microsoft.com/~shuochen/papers/ScriptAccenting.pdf.

Basically, what they propose is to symmetrically “encrypt” (XOR) the JavaScript from each domain with a key that is unique to that domain. They modify the JS engine to decrypt the script, before running it, with the key of the domain it’s attempting to execute in. This way, even if an attacker finds a vuln to execute script in another domain, the JS engine won’t be able to execute it: it won’t be decrypted with the correct key, so it gives an error.

Cool idea.
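
A toy model of the mechanism described above, added here as an illustration (it is not code from the paper or from the original post). The domain names, the fixed 4-byte keys and the function names are constructed for the example, and it runs under Node.js.

```javascript
// Constructed sample keys, one per domain. A real engine would generate
// these randomly and keep them private to the engine.
const DOMAIN_KEYS = new Map([
  ['a.example', Buffer.from([0x5a, 0xc3, 0x17, 0x9e])],
  ['b.example', Buffer.from([0x29, 0x7f, 0xd4, 0x68])],
]);

// XOR is its own inverse, so the same routine accents and un-accents.
function xorWithKey(bytes, key) {
  return Buffer.from(bytes.map((b, i) => b ^ key[i % key.length]));
}

// Accent: applied to script text when it enters the engine on behalf of
// sourceDomain.
function accent(source, sourceDomain) {
  return xorWithKey(Buffer.from(source, 'latin1'), DOMAIN_KEYS.get(sourceDomain));
}

// Engine side: remove the accent with the key of the domain the script is
// about to run in, then try to compile and run the result.
function runInDomain(accented, targetDomain) {
  const text = xorWithKey(accented, DOMAIN_KEYS.get(targetDomain)).toString('latin1');
  let compiled;
  try {
    compiled = new Function('origin', text); // compile only; throws on garbage
  } catch (err) {
    return { ran: false, error: err.name };
  }
  return { ran: true, value: compiled(targetDomain) };
}

const SCRIPT = "return 'running in ' + origin;"; // constructed sample script

// Script that came from a.example and runs in a.example: keys match.
const sameDomain = runInDomain(accent(SCRIPT, 'a.example'), 'a.example');

// Script that came from b.example but ends up in a.example's context (the
// cross-domain bug case): the wrong key is removed, leaving unparsable bytes.
const crossDomain = runInDomain(accent(SCRIPT, 'b.example'), 'a.example');

console.log(sameDomain, crossDomain);
```
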
