I had an interesting chat with Cyril Hanquez today: he contacted me with a problem he experienced with Flash Player when he tried to load data from domain B with an SWF that lives in domain A. This is by default not allowed by the Flash Player and this has been so for many years now. It's a simple security mechanism that just says: if you want your SWF to load data from a "foreign" domain, then the foreign domain has to allow this explicitly. To allow others to load data, someone at domain B has to upload a so-called cross-domain policy file to the webroot of domain B and all is fine (that's the short explanation, for a lengthy discussion see here or here).
There are plenty of special cases around this, and one special case is this scenario: say you have a subfolder /data on domain B and you want an SWF file from domain A to access this URL. Usually, you'd have to put the crossdomain.xml file into B's webroot. Now, when you don't have write access to the webroot (e.g. because your admins don't allow you to put things there) but only to the subfolder /data, then you may put the crossdomain.xml file there. You'd then only have to tell the SWF on domain A to grab the policy file from that location. This is done by calling Security.loadPolicyFile("http://www.domainB.com/data/crossdomain.xml") - easy as this.
I told Cyril this and to our surprise this did not work and we still got security errors from the Flash Player. Debugging the network traffic he noticed that the Flash Player was correctly pulling the crossdomain.xml file from the subfolder in domain B (so that was ok) but in addition, the Flash Player still tried to load the crossdomain.xml file from the webroot of domain B - that was new (I remembered it worked this way without problems... so maybe it had to do with the Flash Player versions again...)
After reading the documentation again (and again) it became obvious that since Flash Player 10, crossdomain.xml files in subfolders always require an additional master policy which tells Flash Player if additional sub-policies are allowed or not (this is critical for hosted environments, for example). As Cyril cannot put anything into the webroot this seemed like a dead-end road, but again - the documentation to the rescue: it's also possible to send additional, custom HTTP headers to tell Flash Player which policies are valid. This is done by setting the X-Permitted-Cross-Domain-Policies HTTP header and setting a value (e.g. "all" to allow all crossdomain.xml files in this domain and in subfolders) - well, that finally did the trick (turned out that this behaviour has been there since Flash Player 10 btw).
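To make the decision Flash Player takes here concrete, the following added example (not code from the post or from Adobe) models the meta-policy check for a sub-folder crossdomain.xml: it reads the permitted-cross-domain-policies attribute from a master policy, combines it with the X-Permitted-Cross-Domain-Policies header, and reports whether a sub-folder policy would be honoured. The restrictiveness ordering, the "more restrictive wins" rule when header and master disagree, and the master-only default are my reading of the Adobe policy file specification, and the sample master policy is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Meta-policy values, ordered from most to least restrictive.
# Assumption: this ordering follows the Adobe spec; the relative rank of the
# two "by-*" values is an assumption, they never compete in practice.
META_POLICIES = ["none", "master-only", "by-ftp-filename", "by-content-type", "all"]
POLICY_CONTENT_TYPE = "text/x-cross-domain-policy"

# Constructed sample: a master policy that forbids every sub-folder policy.
SAMPLE_MASTER = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>"""


def meta_policy_from_master(master_xml: Optional[str]) -> Optional[str]:
    """Return the site-control value from a master crossdomain.xml, or None
    when the file (HTTP 404) or the site-control element is absent."""
    if master_xml is None:
        return None
    site_control = ET.fromstring(master_xml).find("site-control")
    if site_control is None:
        return None
    value = site_control.get("permitted-cross-domain-policies")
    return value if value in META_POLICIES else None


def effective_meta_policy(master_xml: Optional[str], header_value: Optional[str]) -> str:
    """Combine the site-control attribute and the X-Permitted-Cross-Domain-Policies
    header. With neither present Flash Player 10+ assumes master-only, which is
    exactly why a lone /data/crossdomain.xml is rejected."""
    candidates = [v for v in (meta_policy_from_master(master_xml), header_value)
                  if v in META_POLICIES]
    if not candidates:
        return "master-only"
    return min(candidates, key=META_POLICIES.index)  # more restrictive wins


def subfolder_policy_allowed(master_xml: Optional[str], header_value: Optional[str],
                             scheme: str = "http", content_type: str = "text/xml") -> bool:
    """Would Flash Player honour a policy file loaded from a sub-folder?"""
    policy = effective_meta_policy(master_xml, header_value)
    if policy == "all":
        return True
    if policy == "by-content-type":  # HTTP(S) only, exact policy MIME type required
        return scheme in ("http", "https") and \
            content_type.split(";")[0].strip() == POLICY_CONTENT_TYPE
    if policy == "by-ftp-filename":  # FTP only; the file must be named crossdomain.xml
        return scheme == "ftp"
    return False  # "none" and "master-only" both reject sub-folder policies
```

Note that "all" is the most permissive setting: every crossdomain.xml anyone can place anywhere under the host is then trusted, so on a shared host prefer by-content-type, which only honours files the server deliberately serves as text/x-cross-domain-policy.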
Dirk.