I had an interesting chat with Cyril Hanquez today: he contacted me with a problem he experienced with Flash Player when he tried to load data from domain B with an SWF that lives in domain A. This is by default not allowed by the Flash Player and this has been so for many years now. It's a simple security mechanism that just says: if you want your SWF to load data from a "foreign" domain then the foreign domain has to allow this explicitly. To allow others to load data, someone at domain B has to upload a so called crossdomain policy file to the webroot of domain B and all is fine (that's the short explanation, for a lenghty discussion see here or here)
There are plenty of special cases around this and one special case is this scenario: say you have a subfolder /data on domain B and you want a SWF file from domain A access this URL. Usually, you'd have to put the crossdomain.xml file into B's webroot. Now, when you don't have write access to the webroot (e.g. because your admins don't allow you to put things there) but only to the subfolder /data then you may put the crossdomain.xml file there. You'd then only have to tell the SWF on domain A to grab the policy file from that location. This is done by calling Security.loadPolicy("http://www.domainB.com/data/crossdomain.xml") - easy as this.
I told Cyril this and to our surprise this did not work and we still got security errors from the Flash Player. Debugging the network traffic he noticed, that the Flash Player was correctly pulling the crossdomain.xml file from the subfolder in domain B (so that was ok) but in addition, the Flash Player still tried to load the crossdomain.xml file from the webroot of domain B - that was new (I remembered it worked this way without problems... so maybe it had to do with the Flash Player versions again...)
After reading the documentation again (and again) it became obvious that since Flash Player 10, crossdomain.xml files in subfolders always require an additional master policy which tells Flash Player if additional sub-policies are allowedd or not (this is critical for hosted environments for example). As Cyril cannot but anything into the webroot this seemed like a dead end road, but again - the documentation to the rescue: it's also possible to send additional, custom HTTP headers to tell Flash Player which policies are valid. This is done by setting the X-Permitted-Cross-Domain-Policies HTTP header and setting a value (e.g. "all" to allow all crossdomain.xml files in this domain and in subfolders) - Well, that finally did the trick (turned out that this behaviour has been there since Flash Player 10 btw)
There are no comments for this entry.