Flash Player enforces security rules for what and how applications can access data, and you’ll notice this especially when embedding a Flex application in an HTML page. Flex applications can typically access all data resources in the same domain as the .swf. For example, if the .swf is deployed to www.example.com, it can access a web service that is also deployed at www.example.com. However, access to data resources at different domains is disallowed by Flash Player unless that domain explicitly gives permission. The Flash Player security rules disallow access to data resources unless the domains match exactly, including subdomains, even if the domain names resolve to the same physical address. That means an .swf deployed at www.example.com cannot access data from test.example.com or even example.com unless the server explicitly allows access. The domain can give permission by way of a cross-domain policy file.
When working with the socket class and loading data through sockets rather than through request/response mechanisms, Flash Player 9,0,115,0 and later introduce an additional socket policy file requirement. Since Flash Player security is continually evolving, we recommend that you review the latest articles at http://www.adobe.com/devnet/flashplayer/ for any changes that may impact your application.
A cross-domain policy file is an XML file that resides on the server that hosts the data resources. The format for a cross-domain policy file is as follows:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="www.example.com" />
</cross-domain-policy>
The root <cross-domain-policy> node can contain one or more <allow-access-from> elements. The <allow-access-from> elements specify the domains that can access the resources on the server. You can use an * wildcard in place of the subdomain, which means that any subdomain can access the data resources. For example, the following policy allows access from www.example.com, beta.example.com, test.example.com, etc.:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.example.com" />
</cross-domain-policy>
You can also use the * wildcard in place of the entire domain to allow access from all domains:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>
If the server uses HTTPS and wants to allow access from .swf files deployed on nonsecure (HTTP) domains, it must set the secure attribute to false, as a secure server does not grant such access by default. The following allows access from .swf files deployed at www.example.com:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="www.example.com" secure="false" />
</cross-domain-policy>
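As an added example (not code from the book or from Adobe), the following Python script parses a constructed crossdomain.xml, applies the matching rules described above to decide whether a given .swf host is permitted, and flags the entries a reviewer would question: the all-domains wildcard and secure="false" on an HTTPS server. Whether *.example.com also matches the bare example.com is not stated above, so the helper assumes it does not.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from any real server): a subdomain wildcard,
# an exact host with secure="false", and an all-domains entry to be flagged.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="partner.example.org" secure="false" />
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return (domain, secure) tuples, one per <allow-access-from> element."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.findall("allow-access-from"):
        domain = node.get("domain", "")
        # The attribute only matters when explicitly set to "false".
        secure = node.get("secure", "true").lower() != "false"
        entries.append((domain, secure))
    return entries


def domain_matches(pattern, host):
    """Matching rules from the text: exact host, '*.example.com' for any
    subdomain, or '*' for every domain. Assumption: the subdomain wildcard
    does not match the bare parent domain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def is_allowed(entries, swf_host):
    """True if any policy entry grants access to a .swf served from swf_host."""
    return any(domain_matches(d, swf_host) for d, _ in entries)


def risky_entries(entries, server_is_https):
    """Entries a reviewer should question: the all-domains wildcard, and
    secure="false" on an HTTPS server (HTTPS data readable by HTTP .swf files)."""
    findings = []
    for domain, secure in entries:
        if domain == "*":
            findings.append((domain, "allows every domain"))
        if server_is_https and not secure:
            findings.append((domain, 'secure="false" on an HTTPS server'))
    return findings
```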
By default, Flash Player looks for a policy file named crossdomain.xml at the root of the web server from which it is requesting the data resources. If Flash Player attempts to load an XML document from http://www.example.com/data/xml/data.xml, it will look for http://www.example.com/crossdomain.xml. If you want to set different permissions for different resources on a server, you can optionally deploy different policy files in different locations on the server. For example, a policy file located at http://www.example.com/data/xml would apply only to the resources in that directory. However, when you place policy files in nondefault locations, you must use ActionScript to load the policy file in your Flex application. The ActionScript code uses the static loadPolicyFile() method of the flash.system.Security class. The following loads a policy file:
Security.loadPolicyFile("http://www.example.com/data/xml/policy.xml");
Deploying a cross-domain policy file presupposes that you have access to the server with the data resources—or that you can persuade those with the server to deploy the policy file. In the few cases where you cannot deploy a policy file on a server whose data resources you need to utilize, you have the option of deploying a proxy file on your server. A proxy file is a file that exists on your server (a .jsp, an ASP.NET page, a ColdFusion page, a PHP page, etc.) to which your Flex application can make requests. The proxy file then makes the requests to the remote resource and relays the data back to Flash Player.