User Guide

Flash Player security features 293
About XMLSocket policy files
For an XMLSocket connection attempt, Flash Player 7 (7.0.14.0) looked for crossdomain.xml on
an HTTP server on port 80 in the subdomain to which the connection attempt was being made.
Flash Player 7 (7.0.14.0) and all earlier versions restricted XMLSocket connections to ports 1024
and above. However, in Flash Player 7 (7.0.19.0) and later, ActionScript can inform Flash Player of a non-default location for a policy file using System.security.loadPolicyFile. Any custom locations for XMLSocket policy files must still be on an XML socket server.
In the following example, Flash Player retrieves a policy file from a specified URL:
System.security.loadPolicyFile("http://www.foo.com/folder/policy.xml");
Any permissions granted by the policy file at that location apply to all content at the same level or below in the server's directory hierarchy. Therefore, if you try to load the following data, you discover that you can only load data from certain locations:
myLoadVars.load("http://foo.com/sub/dir/vars.txt"); // allowed
myLoadVars.load("http://foo.com/sub/dir/deep/vars2.txt"); // allowed
myLoadVars.load("http://foo.com/elsewhere/vars3.txt"); // not allowed
To work around this, you can load more than one policy file into a single SWF file using
loadPolicyFile. Flash Player always waits for the completion of any policy file downloads
before denying a request that requires a policy file. Flash Player consults the default location of
crossdomain.xml if no other policies were authorized in the SWF file.
New syntax allows policy files to be retrieved directly from an XMLSocket server:
System.security.loadPolicyFile("xmlsocket://foo.com:414");
In this example, Flash Player tries to retrieve a policy file from the specified host and port. Any port can be used if the policy file is not in the default (root) directory; otherwise the port is limited to 1024 and higher (as with earlier players). When a connection is established to the specified port, Flash Player sends <cross-domain-request/>, terminated by a null byte.
The XML socket server might be configured to serve policy files in either of the following ways:
To serve policy files and normal socket connections over the same port. In this case the server should wait for <cross-domain-request /> before transmitting a policy file.
To serve policy files over a separate port from normal connections. In this case it might send a policy file as soon as a connection is established on the dedicated policy file port.
The server must send a null byte to terminate a policy file before it closes the connection. If the
server does not close the connection, Flash Player will do so upon receiving the terminating null
byte.
A policy file served by an XML socket server has the same syntax as any other policy file, except
that it must also specify the ports to which access is granted. The allowed ports are specified in a
to-ports attribute in the <allow-access-from> tag. If a policy file comes from a port below 1024, it can grant access to any port; when a policy file comes from port 1024 or higher, it can grant access only to other ports above 1024. Single port numbers, port ranges, and wildcards are allowed. The following code is an example of an XMLSocket policy file:
<cross-domain-policy>
<allow-access-from domain="*" to-ports="507" />
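The exchange described above (the player's null-terminated <cross-domain-request/>, the server's null-terminated policy reply) and the to-ports rules for socket policy files, as an added Python example that is not part of the original guide or of Flash Player. The sample policy, the port numbers and the loopback server are constructed for illustration.

```python
import socket, threading
from xml.etree import ElementTree as ET

# Constructed sample policy: the page's example plus a port range (not an Adobe artefact).
SAMPLE_POLICY = ('<cross-domain-policy><allow-access-from domain="*" to-ports="507,1024-1100" />'
                 '</cross-domain-policy>')
REQUEST = b"<cross-domain-request/>\0"  # what Flash Player sends once connected

def port_in_spec(spec, port):
    """True if port matches a to-ports value: '*', single ports, or 'a-b' ranges."""
    for item in (s.strip() for s in spec.split(",")):
        if item == "*":
            return True
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def policy_grants(policy_xml, policy_port, target_port):
    """Port rule from the page: a policy served from below 1024 may grant any port;
    one served from 1024 or higher may not grant the low (below 1024) ports."""
    if policy_port >= 1024 and target_port < 1024:
        return False
    return any(port_in_spec(el.get("to-ports", ""), target_port)
               for el in ET.fromstring(policy_xml).findall("allow-access-from"))

def read_until_null(sock):
    """Both sides frame messages the same way: read until the terminating null byte."""
    buf = b""
    while not buf.endswith(b"\0") and (chunk := sock.recv(1024)):
        buf += chunk
    return buf

def serve_policy_once(policy_xml):
    """Listen on an ephemeral loopback port, answer one request, return the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def handle():
        conn, _ = srv.accept()
        with conn:  # server closes the connection after sending the null byte
            if read_until_null(conn) == REQUEST:  # wait for the request before replying
                conn.sendall(policy_xml.encode() + b"\0")  # policy is null-terminated
        srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def fetch_policy(port):
    """Client side (Flash Player's role): send the request, read the policy."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(REQUEST)
        return read_until_null(c).rstrip(b"\0").decode()
```

Calling fetch_policy(serve_policy_once(SAMPLE_POLICY)) returns the policy text; policy_grants then decides whether a given target port is authorized, depending on the port the policy was served from.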