Manualshelf

User Guide

ManualsBrandsMacromedia ManualsOtherFLASH MX 2004-USING ACTIONSCRIPT IN FLASH
291292293294295296297298299300
Flash Player security features 291
For example, a policy file located at https://www.macromedia.com:8080/crossdomain.xml will
apply only to data loading calls made to www.macromedia.com over HTTPS at port 8080.
An exception to this rule is the use of an XMLSocket object to connect to a socket server in
another domain. In that case, an HTTP server running on port 80 in the same domain as the
socket server must provide the policy file for the method call.
An XML policy file contains a single
<cross-domain-policy> tag, which, in turn, contains zero
or more
<allow-access-from> tags. Each <allow-access-from> tag contains an attribute,
domain, which specifies either an exact IP address, an exact domain, or a wildcard domain (any
domain). Wildcard domains are indicated by either a single asterisk (
*), which matches all
domains and all IP addresses, or an asterisk followed by a suffix, which matches only those
domains that end with the specified suffix. Suffixes must begin with a dot. However, wildcard
domains with suffixes can match domains that consist of only the suffix without the leading dot.
For example, foo.com is considered to be part of *.foo.com. Wildcards are not allowed in IP
domain specifications.
If you specify an IP address, access is granted only to SWF files loaded from that IP address using
IP syntax (for example, http://65.57.83.12/flashmovie.swf), not those loaded using domain-
name syntax. Flash Player does not perform DNS resolution.
The following example shows a policy file that permits access to Flash documents that originate
from foo.com, www.friendOfFoo.com, *.foo.com, and 105.216.0.40, from a Flash document on
foo.com:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="www.friendOfFoo.com" />
<allow-access-from domain="*.foo.com" />
<allow-access-from domain="105.216.0.40" />
</cross-domain-policy>
You can also permit access to documents originating from any domain, as shown in the following
example:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
Each <allow-access-from> tag also has the optional secure attribute. The secure attribute
defaults to
true. You can set the attribute to false if your policy file is on an HTTPS server, and
you want to allow SWF files on an HTTP server to load data from the HTTPS server.
Setting the
secure attribute to false could compromise the security offered by HTTPS.
If the SWF file you are downloading comes from a HTTPS server, but the SWF file loading it is
on an HTTP server, you need to add the
secure="false" attribute to the <allow-access-
from>
tag, as shown in the following code:
<allow-access-from domain="www.foo.com" secure="false" />