User Guide

Overview of permission controls 457
When a SWF file attempts to access data from another domain, Flash Player automatically
attempts to load a policy file from that domain. If the domain of the SWF file that is
attempting to access the data is included in the policy file, the data is automatically accessible.
By default, policy files must be named crossdomain.xml and must reside in the root directory of the server. However, a SWF file can check for a different name or in a different directory location by calling the Security.loadPolicyFile() method. A cross-domain policy file applies only to the directory from which it is loaded and to its child directories. So a policy file in the root directory applies to the whole server, but a policy file loaded from an arbitrary subdirectory applies only to that directory and its subdirectories.
A policy file affects access only to the particular server on which it resides. For example, a policy file located at https://www.adobe.com:8080/crossdomain.xml will apply only to data-loading calls made to www.adobe.com over HTTPS at port 8080.
A cross-domain policy file contains a single <cross-domain-policy> tag, which in turn contains zero or more <allow-access-from> tags. Each <allow-access-from> tag contains an attribute, domain, which specifies either an exact IP address, an exact domain, or a wildcard domain (any domain). Wildcard domains are indicated by either a single asterisk (*), which matches all domains and all IP addresses, or an asterisk followed by a suffix, which matches only those domains that end with the specified suffix. Suffixes must begin with a dot. However, wildcard domains with suffixes can match domains that consist of only the suffix without the leading dot. For example, foo.com is considered to be part of *.foo.com. Wildcards are not allowed in IP domain specifications.
If you specify an IP address, access is granted only to SWF files loaded from that IP address
using IP syntax (for example, http://65.57.83.12/flashmovie.swf), not those loaded using
domain-name syntax. Flash Player does not perform DNS resolution.
You can permit access to documents originating from any domain, as shown in the following
example:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
Each <allow-access-from> tag also has the optional secure attribute, which defaults to true. You can set the attribute to false if your policy file is on an HTTPS server, and you want to allow SWF files on a non-HTTPS server to load data from the HTTPS server.
Setting the secure attribute to false could compromise the security offered by HTTPS. In particular, setting this attribute to false opens secure content to snooping and spoofing attacks. Adobe strongly recommends that you not set the secure attribute to false.
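As an added example that is not part of the Adobe guide, the following Python script implements the matching rules described above (exact domain, exact IP with no DNS resolution, the two wildcard forms, and the secure attribute) and flags the two settings the text warns about. The sample policy, URLs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def domain_matches(pattern, host):
    """Match one domain attribute against the host the requesting SWF was loaded from."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "*":                       # matches every domain and every IP address
        return True
    if is_ip_literal(pattern) or is_ip_literal(host):
        return host == pattern               # IPs match only exactly; no DNS lookup is done
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # "*.foo.com" -> ".foo.com"
        return host.endswith(suffix) or host == suffix[1:]   # bare foo.com matches too
    return host == pattern

def access_allowed(policy_xml, policy_url, swf_url):
    """Decide whether a SWF loaded from swf_url may read data from the policy's server."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    policy_https = urlsplit(policy_url).scheme == "https"
    swf = urlsplit(swf_url)
    for rule in root.findall("allow-access-from"):
        secure = rule.get("secure", "true").lower() != "false"
        # On an HTTPS server, secure="true" (the default) refuses SWFs not loaded over HTTPS
        if policy_https and secure and swf.scheme != "https":
            continue
        if domain_matches(rule.get("domain", ""), swf.hostname or ""):
            return True
    return False

def audit_policy(policy_xml, policy_url):
    """Return warnings for the two settings the guide cautions against."""
    warnings = []
    policy_https = urlsplit(policy_url).scheme == "https"
    for rule in ET.fromstring(policy_xml).findall("allow-access-from"):
        d = rule.get("domain", "")
        if d == "*":
            warnings.append("domain='*' grants every site read access to this server's data")
        if policy_https and rule.get("secure", "true").lower() == "false":
            warnings.append(f"secure='false' for {d} lets plain-HTTP SWFs read HTTPS content")
    return warnings

# Constructed sample policy (hypothetical domains) for demonstration
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.foo.com" />
  <allow-access-from domain="65.57.83.12" />
  <allow-access-from domain="partner.example" secure="false" />
</cross-domain-policy>"""
```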