Flash MX 2004 -- About allowing cross-domain ...

About allowing cross-domain data loading
A Flash document can load data from an external source by using one of the following data loading calls: XML.load(), XML.sendAndLoad(), LoadVars.load(), LoadVars.sendAndLoad(), loadVariables(), loadVariablesNum(). Also, a SWF file can import runtime shared libraries, or assets defined in another SWF file, at runtime. By default, the data or SWF media, in the case of runtime shared libraries, must reside in the same domain as the SWF file that is loading that external data or media.
To make data and assets in runtime shared libraries available to SWF files in different domains, use a cross-domain policy file. A cross-domain policy file is an XML file that provides a way for the server to indicate that its data and documents are available to SWF files served from certain domains or from all domains. Any SWF file that is served from a domain specified by the server's policy file will be permitted to access data or assets from that server.
When a Flash document attempts to access data from another domain, Flash Player automatically attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible.
Policy files must be named crossdomain.xml. They can reside at the root directory of the server that is serving the data or, with some additional ActionScript, in another directory on that server (see About custom policy file locations). Policy files function only on servers that communicate over HTTP, HTTPS, or FTP. The policy file is specific to the port and protocol of the server where it resides.
For example, a policy file located at https://www.macromedia.com:8080/crossdomain.xml will apply only to data loading calls made to www.macromedia.com over HTTPS at port 8080.
An exception to this rule is the use of an XMLSocket object to connect to a socket server in another domain. In that case, an HTTP server running on port 80 in the same domain as the socket server must provide the policy file for the method call.
An XML policy file contains a single <cross-domain-policy> tag, which, in turn, contains zero or more <allow-access-from> tags. Each <allow-access-from> tag contains an attribute, domain, which specifies either an exact IP address, an exact domain, or a wildcard domain (any domain). Wildcard domains are indicated by either a single asterisk (*), which matches all domains and all IP addresses, or an asterisk followed by a suffix, which matches only those domains that end with the specified suffix. Suffixes must begin with a dot. However, wildcard domains with suffixes can match domains that consist of only the suffix without the leading dot. For example, foo.com is considered to be part of *.foo.com. Wildcards are not allowed in IP domain specifications.
If you specify an IP address, access is granted only to SWF files loaded from that IP address using IP syntax (for example, http://65.57.83.12/flashmovie.swf), not those loaded using domain-name syntax. Flash Player does not perform DNS resolution.
The following example shows a policy file that permits access to Flash documents that originate from foo.com, www.friendOfFoo.com, *.foo.com, and 105.216.0.40, from a Flash document on foo.com:

You can also permit access to documents originating from any domain, as shown in the following example:

Each <allow-access-from> tag also has the optional secure attribute. The secure attribute defaults to true. You can set the attribute to false if your policy file is on an HTTPS server, and you want to allow SWF files on an HTTP server to load data from the HTTPS server.
Setting the secure attribute to false could compromise the security offered by HTTPS.
If the SWF file you are downloading comes from an HTTPS server, but the SWF file loading it is on an HTTP server, you need to add the secure="false" attribute to the <allow-access-from> tag, as shown in the following code:

A policy file that contains no <allow-access-from> tags has the same effect as not having a policy on a server.
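The matching rules described above (wildcards, IP entries, the secure attribute and the empty-policy case), written out as an added Python example that can be used to review what a given crossdomain.xml actually grants. This is not Macromedia's code: the sample policy is constructed from the page's description of its first example, legacy.example is a made-up domain, and the case-insensitive comparison is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the four entries the page lists for its first example,
# plus one hypothetical secure="false" entry (legacy.example).
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="foo.com" />
  <allow-access-from domain="www.friendOfFoo.com" />
  <allow-access-from domain="*.foo.com" />
  <allow-access-from domain="105.216.0.40" />
  <allow-access-from domain="legacy.example" secure="false" />
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Apply the domain-attribute matching rules described on the page."""
    pattern, host = pattern.lower(), host.lower()  # assumption: case-insensitive
    if pattern == "*":
        return True                      # all domains and all IP addresses
    if pattern.startswith("*."):
        suffix = pattern[1:]             # e.g. ".foo.com"
        if suffix.replace(".", "").isdigit():
            return False                 # wildcards are not allowed in IP entries
        # "*.foo.com" also covers the bare "foo.com"
        return host.endswith(suffix) or host == suffix[1:]
    return host == pattern               # exact domain or exact IP, no DNS lookup


def is_allowed(policy_xml, policy_url, swf_url):
    """True if the SWF at swf_url may load data from the server whose policy is policy_xml."""
    # For policies fetched from servers you do not control, use a hardened XML parser.
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False
    swf = urlsplit(swf_url)
    if not swf.hostname:
        return False
    policy_is_https = urlsplit(policy_url).scheme == "https"
    for entry in root.findall("allow-access-from"):
        if not domain_matches(entry.get("domain", ""), swf.hostname):
            continue
        secure = entry.get("secure", "true").lower() != "false"
        if policy_is_https and secure and swf.scheme != "https":
            continue                     # HTTP SWF refused by an HTTPS policy
        return True
    return False                         # no matching entry, or no entries at all
```

Running it against a production policy makes over-broad entries visible: a single domain="*" or a secure="false" entry changes the result for every HTTP origin tested.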



Comments
recoveredfromflashMX2004 said on Jul 27, 2004 at 11:34 AM :
No screen name said on Mar 28, 2004 at 11:54 AM :
Why does the web service work correctly on a local machine even by simply calling "Test Movie"?
Malartre2 said on Mar 30, 2004 at 12:59 PM :
It works in the Flash IDE because that's a debugging version of Flash.
No screen name said on May 12, 2004 at 10:23 AM :
I have a SWF in one domain that needs to access data from an XML file stored on an FTP site in another domain. Assuming an application server is not available, are my options:
- use a "shim" SWF located on the same FTP site (or domain) as the XML file
- have a cross-domain policy file hosted on the FTP site with the XML file
- (others?)
Is one preferable to another? The XML file will be updated every 30 mins; I'll be calling it from the SWF in the other domain tens of thousands of times per day.
nickg420 said on Jun 15, 2004 at 2:56 PM :
My SWF is using Flash Remoting, and in Flash Player 7 I'm not getting the security dialog box, and I haven't asked for it to 'always' say no or whatever. It just sits there, laughing at me.
Sivakanesh said on Feb 8, 2005 at 1:46 AM :
If I wanted to get an XML news feed from a site using Flash, the source domain's admins are not always aware of this issue and are unwilling to help. So basically if I have a Flash app and upgrade it I'll need to abandon it as it won't work again?
No screen name said on Apr 7, 2005 at 5:16 AM :
> No screen name said on Mar 8, 2004 at 12:49 PM :
> There seems to be no solution to this problem: I load a .swf file from a
> remote domain (not the one where I downloaded the page) and I want to
> send a variable from a js (in the same domain as the .swf) to the flash
> through document[flashobject].SetVariable method. It doesn't work at all.
> Is there any solution?
You must add:
System.security.allowDomain(YourHTMLDomain);
in the SWF; the YourHTMLDomain parameter must be declared in FlashVars, for example in the OBJECT/EMBED tag. (100% works for SWF6)
No screen name said on Aug 2, 2005 at 5:03 AM :
I have a SWF which is on my local server https://baddy/flash/main.html and loads XML from https://another_server:4443/sqlxml/some.xml. Where should crossdomain.xml reside and what should I write in crossdomain.xml?
No screen name said on Aug 26, 2005 at 2:05 AM :
Your crossdomain file must be in: https://another_server:4443/crossdomain.xml
and must have:



No screen name said on Aug 26, 2005 at 2:15 AM :
I have a Flash SWF on one HTTP server: http://server1/......
And I want to use LoadVars.sendAndLoad to one script on one HTTPS server: https://server2/script.php
I have created a cross-domain file accessible in:
https://server2/crossdomain.xml
with the following:




but it doesn't work in IE. It seems like a bug, because when I put the SWF on the HTTPS server (Server2) it doesn't work either. But I have tested in Firefox and it works. It is very strange; I don't know what to do. I can't use the XML method because the script which I call has certain call and return standards that are not XML. (Its interface doesn't depend on me, so it has an established way of calling (POST variables).)
Do you have any idea???
Andy Saman said on Oct 27, 2005 at 1:08 PM :
> have created a cross domain file accessible in:
> https://server2/crossdomain.xml
Make sure that you can access the crossdomain.xml using the HTTP protocol as well as HTTPS. If the webserver has HTTP access turned off, Internet Explorer's Flash plugin will not be able to get the cross-domain policy file. It seems to only try the HTTP protocol and NOT the HTTPS protocol to collect the policy file.
Current page: http://livedocs.adobe.com/flash/mx2004/main_7_2/00001097.html