Adobe FLEX 2-PROGRAMMING ACTIONSCRIPT 3.0 Manual page 457


When a SWF file attempts to access data from another domain, Flash Player automatically
attempts to load a policy file from that domain. If the domain of the SWF file that is
attempting to access the data is included in the policy file, the data is automatically accessible.
By default, policy files must be named crossdomain.xml and must reside in the root
directory of the server. However, a SWF file can check for a different name or in a different
directory location by calling the Security.loadPolicyFile() method. A cross-domain
policy file applies only to the directory from which it is loaded and to its child directories. So
a policy file in the root directory applies to the whole server, but a policy file loaded from an
arbitrary subdirectory applies only to that directory and its subdirectories.
A policy file affects access only to the particular server on which it resides. For example, a
policy file located at https://www.adobe.com:8080/crossdomain.xml will apply only to data-
loading calls made to www.adobe.com over HTTPS at port 8080.
A cross-domain policy file contains a single <cross-domain-policy> tag, which in turn
contains zero or more <allow-access-from> tags. Each <allow-access-from> tag contains
an attribute, domain, which specifies either an exact IP address, an exact domain, or a
wildcard domain (any domain). Wildcard domains are indicated by either a single asterisk (*),
which matches all domains and all IP addresses, or an asterisk followed by a suffix, which
matches only those domains that end with the specified suffix. Suffixes must begin with a dot.
However, wildcard domains with suffixes can match domains that consist of only the suffix
without the leading dot. For example, foo.com is considered to be part of *.foo.com.
Wildcards are not allowed in IP domain specifications.
If you specify an IP address, access is granted only to SWF files loaded from that IP address
using IP syntax (for example, http://65.57.83.12/flashmovie.swf), not those loaded using
domain-name syntax. Flash Player does not perform DNS resolution.
You can permit access to documents originating from any domain, as shown in the following
example:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
Each <allow-access-from> tag also has the optional secure attribute, which defaults to
true. You can set the attribute to false if your policy file is on an HTTPS server, and you
want to allow SWF files on a non-HTTPS server to load data from the HTTPS server.
Setting the secure attribute to false could compromise the security offered by HTTPS. In
particular, setting this attribute to false opens secure content to snooping and spoofing
attacks. Adobe strongly recommends that you not set the secure attribute to false.
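The following Python example is added here and is not from the Adobe manual. It applies the
domain-matching rules described above and flags <allow-access-from> entries that use the bare
* wildcard or secure="false". The sample policy, the function names, case-insensitive host
comparison, and the choice not to apply suffix wildcards to IP-address hosts are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the manual), mixing narrow and risky entries.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.foo.com" />
  <allow-access-from domain="65.57.83.12" />
  <allow-access-from domain="partner.example" secure="false" />
  <allow-access-from domain="*" />
</cross-domain-policy>"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def domain_matches(pattern, host):
    """Apply the matching rules described above to one domain attribute value."""
    pattern, host = pattern.lower(), host.lower()  # assumption: hosts compare case-insensitively
    if pattern == "*":
        return True  # a single asterisk matches all domains and all IP addresses
    if pattern.startswith("*"):
        suffix = pattern[1:]
        # Suffixes must begin with a dot. Assumption: suffix rules never apply to IP hosts.
        if not suffix.startswith(".") or is_ip(host):
            return False
        return host.endswith(suffix) or host == suffix[1:]  # foo.com is part of *.foo.com
    return host == pattern  # exact domain or exact IP; no DNS resolution is performed

def audit_policy(xml_text):
    """Return (domain, finding) pairs for entries that weaken the policy."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element must be <cross-domain-policy>")
    findings = []
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append((domain, "grants access to every domain and IP address"))
        elif "*" in domain and not (domain.startswith("*.") and "*" not in domain[1:]):
            findings.append((domain, "wildcard is neither a bare * nor a *.suffix"))
        if entry.get("secure", "true").lower() == "false":  # secure defaults to true
            findings.append((domain, "secure=false lets non-HTTPS SWF files load HTTPS data"))
    return findings

if __name__ == "__main__":
    print(*audit_policy(SAMPLE_POLICY), sep="\n")
```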
Overview of permission controls