Website controls (cross-domain policy files)

To make data from a web server available to SWF files from other domains,you can create a cross-domain policy file on your server. A cross-domain policy file is an XML file that provides a way for the server to indicate that its data and documents are available to SWF files served from certain domains or from all domains. Any SWF file that is served from a domain specified by the server ’s policy file is permitted to access data or assets from that server. Cross-domain policy files affect access to a number of assets,including the following:

Data in bitmaps,sounds,and videos
Loading XML and text files
Access to socket and XML socket connections
Importing SWF files from other security domains into the security domain of the loading
SWF file

Policy file syntax

The following example shows a policy file that permits access to SWF files that originate from *.marciorosa.com ,www.friendOfMarciorosa.com and 192.0.34.166 :

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.marciorosa.com"/>
<allow-access-from domain="www.friendOfMarcioRosa.com"/>
<allow-access-from domain="192.0.34.166"/>
</cross-domain-policy>

When a SWF file attempts to access data from another domain,Flash Player automatically ttempts to load a policy file from that domain.If the domain of the SWF file that is attempting to access the ata is included in the policy file,the data is automatically accessible.

By default,policy files must be named crossdomain.xml and must reside in the root directory of the server.However,a SWF file can check for a different name or in a different directory location by calling the Security.loadPolicyFile()method.A cross-domain policy file applies only to the directory from which it is loaded and to its child directories.Soa policy file in the root directory applies to the whole server,but a policy file loaded from an arbitrary subdirectory applies only to that directory and its subdirectories.

A policy file affects access only to the particular server on which it resides.For example,a policy file located at https://www.adobe.com:8080/crossdomain.xml will apply only to data-loading calls made to www.adobe.com over HTTPS at port 8080.

A cross-domain policy file contains a single tag,which in turn contains zero or more tags.Each tag contains an attribute,domain ,which specifies either an exact IP address,an exact domain,or a wildcard domain (any domain).Wildcard domains are indicated by either a single asterisk (*), which matches all domains and all IP addresses,or an asterisk followed by a suffix,which matches only those domains that end with the specified suffix.Suffixes must begin with a dot. However,wildcard domains with suffixes can match domains that consist of only the suffix without the leading dot.For example,foo.com is considered to be part of *.foo.com. Wildcards are not allowed in IP domain specifications.

If you specify an IP address,access is granted only to SWF files loaded from that IP address using IP syntax (for example,http://65.57.83.12/flashmovie.swf ),not those loaded using domain-name syntax.Flash Player does not perform DNS resolution.

You can permit access to documents originating from any domain,as shown in the following example:

<?xml version="1.0"?>
<!--http://www.marciorosa.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

Each tag also has the optional secure attribute,which defaults to true .You can set the attribute to false if your policy file is on an HTTPS server,and you want to allow SWF files on a non-HTTPS server to load data from the HTTPS server. Setting the secure attribute to false could compromise the security offered by HTTPS.In particular,setting this attribute to false opens secure content to snooping and spoofing attacks.Adobe strongly recommends that you not set the secure attribute to false .

If data to be loaded is on a HTTPS server,but the SWF file loading it is on an HTTP server, Adobe recommends that you move the loading SWF file to an HTTPS server so that you can keep all copies of your secure data under the protection of HTTPS.However,if you decide that you must keep the loading SWF file on an HTTP server,add the secure=”false” attribute to the allow-access-from>tag,as shown in the following code:

<allow-access-from domain="www.marciorosa.com"secure="false"/>

A policy file that contains no tags has the same effect as not having a policy on a server.