09.01.07
Flash / Flex Tutorial - How to Create a crossdomain.xml file.
This brief tutorial will teach you how to create a crossdomain.xml file so that you can access files and information from outside domains and load files and data within your Flash / Flex apps. It is as simple as 4 easy steps.
- Create an XML file named crossdomain.xml. (XML can be created with Dreamweaver or simply MS Notepad. Just make sure that you give it the '.xml' extension on the end.)
- Copy and paste one of the code examples below into the XML file:
- Save the file.
- FTP / upload the file to the root directory of your website. (You should be able to see the file in a browser by typing the URL www.yourwebsite.com/crossdomain.xml.)
XML Code 1:
This is a typical crossdomain.xml file. Notice that I included my domain as well as my domain without the 'www' in front.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.curtismorley.com" />
<allow-access-from domain="curtismorley.com" />
</cross-domain-policy>
XML Code 2:
The following code will allow all domains. This effectively eliminates any security that Flash would have otherwise had. I suggest that you don't use this example unless you enjoy security holes.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
XML Code 3:
The block of code below will explicitly disallow any and all access from any outside domain. As well, any domain that is not spelled exactly how the host domain is spelled will be blocked. This is the tightest cross-domain security that you can employ.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
</cross-domain-policy>
XML Code 4:
The code below illustrates different uses of the '*' wildcard symbol. This is the crossdomain.xml file from Amazon.com. The wildcard allows for any variation before '.amazon.com'. Amazon does this because of the public services and APIs that it allows others to connect to.
<cross-domain-policy>
<allow-access-from domain="*.amazon.com"/>
<allow-access-from domain="amazon.com"/>
<allow-access-from domain="www.amazon.com"/>
<allow-access-from domain="pre-prod.amazon.com"/>
<allow-access-from domain="devo.amazon.com"/>
<allow-access-from domain="images.amazon.com"/>
<allow-access-from domain="anon.amazon.speedera.net"/>
<allow-access-from domain="*.amazon.ca"/>
<allow-access-from domain="*.amazon.de"/>
<allow-access-from domain="*.amazon.fr"/>
<allow-access-from domain="*.amazon.jp"/>
<allow-access-from domain="*.amazon.co.jp"/>
<allow-access-from domain="*.amazon.uk"/>
<allow-access-from domain="*.amazon.co.uk"/>
</cross-domain-policy>
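One way to check a policy file before uploading it, as an added example that is not part of the original tutorial: the script parses a crossdomain.xml and rates each allow-access-from entry, so the open, closed and wildcard variants shown above can be told apart automatically. The function names, severity labels and example.com sample policies are constructed for illustration, and the check of the `secure` attribute goes beyond what the tutorial covers.

```python
import re
import xml.etree.ElementTree as ET

RANK = {"ok": 0, "medium": 1, "high": 2}  # hypothetical severity scale

def audit_policy(xml_text):
    """Return a list of (domain, severity, reason), one per allow-access-from."""
    # Remove the DOCTYPE so parsing never depends on the external DTD reference.
    body = re.sub(r"<!DOCTYPE[^>]*>", "", xml_text).strip()
    root = ET.fromstring(body)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "").strip().lower()
        if domain == "*":
            findings.append((domain, "high", "every domain is trusted"))
        elif domain.startswith("*."):
            findings.append((domain, "medium",
                             "every host under %s is trusted" % domain[2:]))
        elif entry.get("secure", "true").lower() == "false":
            findings.append((domain, "medium",
                             "HTTP-served SWFs may read HTTPS content"))
        else:
            findings.append((domain, "ok", "exact host match"))
    return findings

def overall(findings):
    """Worst severity in the file; 'closed' when no domain is allowed at all."""
    if not findings:
        return "closed"
    return max((f[1] for f in findings), key=RANK.get)

# Constructed samples mirroring XML Code 2, 3 and 4 (example.com is a placeholder).
OPEN = '''<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>'''
CLOSED = '<?xml version="1.0"?>\n<cross-domain-policy>\n</cross-domain-policy>'
MIXED = '''<cross-domain-policy>
<allow-access-from domain="*.example.com"/>
<allow-access-from domain="www.example.com"/>
</cross-domain-policy>'''

if __name__ == "__main__":
    for name, text in (("open", OPEN), ("closed", CLOSED), ("mixed", MIXED)):
        print(name, overall(audit_policy(text)), audit_policy(text))
```

A "medium" result on a `*.` entry is a prompt to confirm that every host under that domain is one you control and that none of them serves user-uploaded SWF content.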
Creating a cross domain policy file is just that easy.
And Happy Flashing.
P.S. I highly suggest that you read one or all of the following articles on cross domain policy files and the Flash Player security sandbox:
Crossdomain Article by Colin Moock
Adobe Crossdomain Technote (this one is required reading)
Flash Player 9 Security Whitepaper
curtismorley.com » Flash CS3 / Flex 2 AS3 Error #2148 said,
September 1, 2007 at 7:48 am
[...] domain policy or need help creating a crossdomain.xml file click the link and I will show you how to create a crossdomain.xml file. View my tutorial on How to Create a crossdomain.xml file and visit the links on the bottom of [...]
Zapico said,
April 9, 2008 at 4:20 pm
Using ruby on rails to generate xml read by flash, and had this problem between different domain aliases. Solved with this!
Thanks for the help!
Curtis J. Morley said,
April 11, 2008 at 3:05 pm
Zapico,
Glad that I could help.
Thanks,
Curtis J. Morley
Brett Adam said,
June 18, 2008 at 12:42 pm
You should update this article with the new allow-http-request-headers-from directive, since it gets in the way of any attempt to use HTTP Basic Auth or SOAPAction headers when making cross domain requests.
See my blog posting at http://verveguy.blogspot.com/2008/06/more-httpheader-madness.html for my own story around this particular gotcha.
Ben Wesley said,
June 26, 2008 at 1:49 pm
Curtiss,
First off, thanks for making this info available. I tried my best to wade through the Flash Player security white papers. I am just a coder, and we have no “administrator” per se. All I am doing is using the HTTPService method in Flex to hit a DNS within our firewall on our network here that serves up address correction data and sends it back to the app. When I run the app it works just fine if I hit the server running on my VMWare test instance on the same box as the app is running. However, I was worried I was going to get this type of error thrown because in my research getting data moving, I saw this info you had out. So to test, all I did was take the .swf file and put it out on a different drive out on our network and run the app and sure enough it threw this cross domain error. I am not an expert on the definition of a “domain,” but I do understand it is a term that is used rather loosely, and could mean Windows, Novell, a .com site, or even other things. Regardless, Flash Player 9 is throwing the security errors. My production app will hit the following URL to get data back:
zp4.glo.state.tx.us
without ever leaving our firewall.
1) I guess I just need the following xml script:
2) Since I have no “site” per se, during testing and deployment, do I just put this file somewhere in the Flex project like .bin or what?
Sincerely,
Ben Wesley
Ben Wesley said,
June 26, 2008 at 2:20 pm
Curtiss,
I tried putting the crossdomain.xml file in my main project directory and it still threw the error.
Thanks,
Ben
Garuna Web Designer » Blog Archive » How to Create a crossdomain.xml file. said,
August 22, 2008 at 5:56 am
[...] how to Create a crossdomain.xml file [...]
Mike said,
August 26, 2008 at 2:03 am
Curtis,
Is there a way to allow anyone to access one file?
Ie rather than having it set for 1 site to access any swf, the reverse any sites can access 1 file in particular?
thanks
Mike