Flash / Flex Tutorial – How to Create a crossdomain.xml file.

This brief tutorial will teach you how to create a crossdomain.xml file so that you can access files and information from outside domains and load files and data within your Flash / Flex apps. It is as simple as 4 easy steps.

  1. Create an XML file named crossdomain.xml. (XML can be created with Dreamweaver or simply MS Notepad. Just make sure that you give it the ‘.xml’ extension on the end.)
  2. Copy and paste one of the code examples below into the XML file.
  3. Save the file.
  4. FTP / upload the file to the root directory of your website. (You should be able to see the file in a browser by typing the URL www.yourwebsite.com/crossdomain.xml.)

XML Code 1:
This is a typical crossdomain.xml file. Notice that I included my domain as well as my domain without the ‘www’ in front.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.curtismorley.com" />
<allow-access-from domain="curtismorley.com" />
</cross-domain-policy>

XML Code 2:
The following code will allow all domains. This effectively eliminates any security that Flash would have otherwise had. I suggest that you don’t use this example unless you enjoy security holes.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

XML Code 3:
The block of code below will explicitly disallow any and all access from any outside domain. As well, any domain that is not spelled exactly how the host domain is spelled will be blocked. This is the tightest cross-domain security that you can employ.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
</cross-domain-policy>

XML Code 4:
The code below illustrates different uses of the ‘*’ wildcard symbol. This is the crossdomain.xml file from Amazon.com. The wildcard allows for any variation before ‘.amazon.com’. Amazon does this because of the public services and APIs that it allows others to connect to.

<cross-domain-policy>
<allow-access-from domain="*.amazon.com"/>
<allow-access-from domain="amazon.com"/>
<allow-access-from domain="www.amazon.com"/>
<allow-access-from domain="pre-prod.amazon.com"/>
<allow-access-from domain="devo.amazon.com"/>
<allow-access-from domain="images.amazon.com"/>
<allow-access-from domain="anon.amazon.speedera.net"/>
<allow-access-from domain="*.amazon.ca"/>
<allow-access-from domain="*.amazon.de"/>
<allow-access-from domain="*.amazon.fr"/>
<allow-access-from domain="*.amazon.jp"/>
<allow-access-from domain="*.amazon.co.jp"/>
<allow-access-from domain="*.amazon.uk"/>
<allow-access-from domain="*.amazon.co.uk"/>
</cross-domain-policy>
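
The four policies above differ only in which requesting domains they admit. The following is an added example, not code from the original tutorial: it parses abbreviated copies of XML Code 1 to 4 and audits each for wildcard grants. The matching rule it models (exact host, `*` for everything, `*.suffix` for any host ending in `.suffix`), the function names and the severity labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

# Constructed samples modeled on XML Code 1-4 above (Code 4 abbreviated).
HEAD = ('<?xml version="1.0"?>\n<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">\n')
POLICIES = {
    "code1": HEAD + '<cross-domain-policy>'
             '<allow-access-from domain="www.curtismorley.com" />'
             '<allow-access-from domain="curtismorley.com" />'
             '</cross-domain-policy>',
    "code2": HEAD + '<cross-domain-policy>'
             '<allow-access-from domain="*" /></cross-domain-policy>',
    "code3": HEAD + '<cross-domain-policy>\n</cross-domain-policy>',
    "code4": '<cross-domain-policy>'
             '<allow-access-from domain="*.amazon.com"/>'
             '<allow-access-from domain="amazon.com"/>'
             '</cross-domain-policy>',
}

def allowed_domains(policy_xml):
    """Return the domain patterns a crossdomain.xml document grants access to."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not <cross-domain-policy>")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]

def pattern_admits(pattern, host):
    """Assumed rule: '*' = any host, '*.x' = hosts ending in '.x', else exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == "*" or host == pattern

def is_admitted(policy_xml, host):
    return any(pattern_admits(p, host) for p in allowed_domains(policy_xml))

def audit(policy_xml):
    """Return (severity, message) findings; severities are this example's own labels."""
    patterns = allowed_domains(policy_xml)
    if not patterns:
        return [("INFO", "no allow-access-from entries: all outside domains denied")]
    findings = []
    for p in patterns:
        if p == "*":
            findings.append(("HIGH", 'domain="*" admits every domain'))
        elif "*" in p:
            findings.append(("MEDIUM", f"{p} admits every host matching the wildcard"))
    return findings
```

Run `audit()` over a site's deployed policy before release: a `HIGH` finding corresponds to XML Code 2, and each `MEDIUM` finding is a wildcard entry whose whole subdomain space has to be trusted.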

Creating a cross domain policy file is just that easy.

And Happy Flashing.

P.S. I highly suggest that you read one or all of the following articles on cross domain policy files and the Flash Player security sandbox:

Crossdomain Article by Colin Moock

Adobe Crossdomain Technote (this one is required reading)

Flash Player 9 Security Whitepaper

Adobe LiveDocs on Flash Player Security

30 thoughts on “Flash / Flex Tutorial – How to Create a crossdomain.xml file.”

  1. Pingback: Giant Geek Blog » crossdomain.xml

  2. When you say a security, did you mean that any crossdomain is not allowed to visit your site? I have a flash games site which really needs a proper crossdomain.xml. Which XML code exactly do you recommend? I’m a little bit confused about crossdomain.xml. Kindly help.

  3. Hi,
    I am new to Flex; I am only now learning Flex. Please help me. I am a new employee in the software industry. I am very nervous. Please, anybody, help me “if you have time”; this is very urgent for me. This is my small request.

    Regards
    chidambaram

  4. Curtis,

    Thank you very much. It solved my problem. I could not understand why IE did not give me any error, when Chrome and Safari did not work.

    Luc

  5. Pingback: good cross domain info as3 « MisterSaisho.com

  6. Hi Curtis,

    The code in XML Code 1 is throwing an error because there needs to be a space between cross-domain-policy and SYSTEM. Now it’s cross-domain-policySYSTEM.

    Take care,

    Sidney

  7. Pingback: LearningAPI » Flash crossdomain security issues

  8. Pingback: links for 2010-04-28 | andy.edmonds.be

  9. Thanks a lot for a very simple explanation. But I have a few questions on this.

    1. If a.com wants to send an XMLHttpRequest to b.com, then should the crossdomain.xml be there on a.com or on b.com?
    2. In the above-mentioned scenario, if a.com has to keep crossdomain.xml with allow-access-from domain=”b.com”, then can b.com access any resources from a.com? Will there be any security vulnerability?

  10. Hi all,
    Thanks for this information about crossdomain policy in Flash/Flex.
    I implemented crossdomain.xml solution.
    But still Flex is giving me
    [RPC Fault faultString=”Security error accessing url” faultCode=”Channel.Security.Error” faultDetail=”Destination: DefaultHTTP”]
    error.

    Can somebody help me on this issue?

    Thanks in Advance

  11. Pingback: judah’s blog » Blog Archive » Security error accessing url

  12. Thanks for the good article. I just copied your text, pasted it in an XML file and uploaded it to my site root.

    It worked nicely. Thanks again.

  13. Pingback: Developing a Flex WebService client « My experiments with technology

  14. Pingback: hinderberg.() » Hovedprosjekt: Starte med flex

  15. How can one test this on localhost before deployment? In an Eclipse Maven project.

    Regards
    Ronny

  16. Curtis,

    Is there a way to allow anyone to access one file?

    I.e., rather than having it set for 1 site to access any swf, the reverse: any site can access 1 file in particular?

    thanks

    Mike

  17. Pingback: Garuna Web Designer » Blog Archive » How to Create a crossdomain.xml file.

  18. Curtis,
    First off, thanks for making this info available. I tried my best to wade through the Flash Player security white papers. I am just a coder, and we have no “administrator” per se. All I am doing is using the HTTPService method in Flex to hit a DNS within our firewall on our network here that serves up address correction data and sends it back to the app. When I run the app it works just fine if I hit the server running on my VMWare test instance on the same box as the app is running. However, I was worried I was going to get this type of error thrown because in my research getting data moving, I saw this info you had out. So to test, all I did was take the .swf file and put it out on a different drive out on our network and run the app and sure enough it threw this cross domain error. I am not an expert on the definition of a “domain,” but I do understand it is a term that is used rather loosely, and could mean Windows, Novell, a .com site, or even other things. Regardless, Flash Player 9 is throwing the security errors. My production app will hit the following URL to get data back:
    zp4.glo.state.tx.us
    without ever leaving our firewall.
    1) I guess I just need the following xml script:

    2) Since I have no “site” per se, during testing and deployment, do I just put this file somewhere in the Flex project like .bin or what?
    Sincerely,
    Ben Wesley

  19. Using ruby on rails to generate xml read by flash, and had this problem between different domain aliases. Solved with this!
    Thanks for the help!

  20. Pingback: curtismorley.com » Flash CS3 / Flex 2 AS3 Error #2148
