Basic crossdomain policy files

Posted: 29/05/09


When a SWF wants to load data from the same domain, or a domain other than the one it was served from, the server on which the data resides needs to have a crossdomain.xml policy file. The policy file is a simple XML document that defines the domains from which SWFs are permitted to load data from this domain. Before the Flash Player runtime calls the service end-point (be that a simple XML file or a RESTful web service), it checks for the presence of a crossdomain.xml file, and whether that file contains a policy that permits access to the requesting SWF. If no file is found, or no matching policy exists, the Flash Player runtime throws a security exception and the data is not loaded.

The policy file typically lives in the HTML root of the domain on which it is to be applied. For example, for my site it lives at http://mysite.com/crossdomain.xml. Policy files should not be placed in sub-directories on a domain: they won’t do anything there, because the Flash Player runtime won’t know to look for them. It’s also worth noting that you will need a separate policy file for each subdomain that you want SWFs to be able to load data from – if you don’t set permitted-cross-domain-policies to master-only. So, http://services.mysite.com would need a crossdomain.xml file at http://services.mysite.com/crossdomain.xml, even if there is one at http://mysite.com/crossdomain.xml.

Here’s a really simple example:

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.jodieorourke.co.uk"/>
  <site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

The first line is a document type declaration that specifies the location of a Document Type Definition file (DTD). This is a file that defines which elements and attributes the policy may contain and how they relate to one another. This one is provided by Adobe, and you don’t really need to worry much more about it.

The second line is the wrapper in which all policy elements will be declared. Your crossdomain.xml document should always have these as the outermost tags.

The third line is a policy. Here I am stating that SWFs from any host matching *.jodieorourke.co.uk may load data from the domain on which this crossdomain.xml resides. All other domains will not be allowed to load data from this domain.

The fourth line is a new addition; something Adobe introduced in the later versions of Flash Player 9, and now rigorously enforced. It’s a policy for your cross domain policies, and essentially governs whether there are one or multiple policy files operating on the domain and sub-domains. If you specify all, every domain root needs a policy file before Flash Player can load data from it. If you specify master-only, only the master domain needs a policy file, and Flash Player will check there even when trying to load data from sub-domains.

You might want to allow multiple domains to be able to access your data and services. Simply add another policy:

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.jodieorourke.co.uk"/>
  <allow-access-from domain="*.anothersite.com"/>
</cross-domain-policy>

It’s also quite possible that you’ll need to be able to send HTTP headers to the server (particularly if you’re calling REST or SOAP services). By default, other domains are prevented from doing this unless your policy file explicitly allows them. Here’s how:

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.jodieorourke.co.uk"/>
  <allow-access-from domain="*.anothersite.com"/>
  <allow-http-request-headers-from domain="*.jodieorourke.co.uk"/>
</cross-domain-policy>

The above example would allow any SWF from the jodieorourke.co.uk domain, or a sub-domain under it, to send HTTP headers to any service running on the domain on which this policy file resides.

You may also want to ensure that the SWF requesting the service is secured and has been delivered through HTTPS. This can be done by adding the secure attribute to an allow-access-from policy:

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.jodieorourke.co.uk" secure="true"/>
</cross-domain-policy>

With secure="true" set, only SWFs from *.jodieorourke.co.uk that were themselves delivered over HTTPS will be permitted to load data from this domain.
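As an added example (not part of the original post), here is a small Python audit of a policy file built from the elements above: it parses site-control, allow-access-from and allow-http-request-headers-from, evaluates whether a SWF from a given host would be admitted, and flags the settings a reviewer would question. The wildcard semantics in domain_matches (a *.example pattern also matching the bare domain) and the sample policy are assumptions, not taken from the post.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not a real site's file): the post's elements plus one lax entry.
SAMPLE_POLICY = """<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.jodieorourke.co.uk" secure="true"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*.jodieorourke.co.uk" headers="*"/>
</cross-domain-policy>
"""
def parse_policy(xml_text):
    """Extract the three element types covered in the post."""
    root = ET.fromstring(xml_text)  # expat does not fetch the external DTD
    return {
        "site_control": [e.get("permitted-cross-domain-policies")
                         for e in root.findall("site-control")],
        "access": [(e.get("domain"), e.get("secure", "").lower() == "true")
                   for e in root.findall("allow-access-from")],
        "headers": [e.get("domain")
                    for e in root.findall("allow-http-request-headers-from")],
    }

def domain_matches(pattern, host):
    """Assumed wildcard rules: '*' is any host; '*.x' is x and every host below it."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:].lower()
        return host == suffix or host.endswith("." + suffix)
    return host == pattern.lower()

def swf_may_load(policy, swf_host, swf_https):
    """Is a SWF served from swf_host (over HTTPS or not) granted access?"""
    return any(domain_matches(pat, swf_host) and (swf_https or not needs_https)
               for pat, needs_https in policy["access"])

def audit(policy):
    """Findings a reviewer of this policy file would want to see."""
    findings = []
    if not policy["site_control"]:
        findings.append("no site-control element: permitted policy scope unspecified")
    for pat, needs_https in policy["access"]:
        if pat == "*":
            findings.append('allow-access-from domain="*": any SWF on the web may read this data')
        elif not needs_https:
            findings.append(f'allow-access-from {pat} without secure="true": HTTP-served SWFs admitted')
    if "*" in policy["headers"]:
        findings.append('allow-http-request-headers-from domain="*": any origin may send headers')
    return findings
```

Running audit(parse_policy(SAMPLE_POLICY)) reports the wildcard allow-access-from entry; removing that line leaves a policy with no findings.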

These examples will address the majority of scenarios when you want a SWF to load data from a server. There are more advanced scenarios requiring extra policies and permissions (such as sockets) that I will try to cover in an advanced part of this article later.

Keywords for this post: flash player, cross domain, crossdomain.xml, policy file, site control