Flash / Flex Tutorial – How to Create a crossdomain.xml file.

Posted in Flash, Flex, quicktip at 7:28 am by Curtis J. Morley

This brief tutorial will teach you how to create a crossdomain.xml file so that you can access files and information from outside domains and load files and data within your Flash / Flex apps. The file lives on the server that hosts the data and names the domains whose SWF files are allowed to read it. It takes 4 easy steps.

  1. Create an XML file named crossdomain.xml. (XML can be created with Dreamweaver or simply with MS Notepad. Just make sure that you give it the '.xml' extension on the end.)
  2. Copy and paste one of the code examples below into the XML file.
  3. Save the file.
  4. FTP / upload the file to the root directory of your website. (You should be able to see the file in a browser by typing the URL www.yourwebsite.com/crossdomain.xml.)

XML Code 1:
This is a typical crossdomain.xml file. Notice that I included my domain as well as my domain without the 'www' in front.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.curtismorley.com" />
  <allow-access-from domain="curtismorley.com" />
</cross-domain-policy>

XML Code 2:
The following code will allow all domains. This effectively eliminates any security that Flash would have otherwise had. I suggest that you don't use this example unless you enjoy security holes.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

XML Code 3:
The block of code below will explicitly disallow any and all access from any outside domain. As well, any domain that is not spelled exactly how the host domain is spelled will be blocked. This is the tightest cross domain security that you can employ.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
</cross-domain-policy>

XML Code 4:
The code below illustrates different uses of the '*' wildcard symbol. This is the crossdomain.xml file from Amazon.com. The wildcard allows for any variation before '.amazon.com'. Amazon does this because of the public services and APIs that it allows others to connect to.

<allow-access-from domain="*.amazon.com"/>
<allow-access-from domain="amazon.com"/>
<allow-access-from domain="www.amazon.com"/>
<allow-access-from domain="pre-prod.amazon.com"/>
<allow-access-from domain="devo.amazon.com"/>
<allow-access-from domain="images.amazon.com"/>
<allow-access-from domain="anon.amazon.speedera.net"/>
<allow-access-from domain="*.amazon.ca"/>
<allow-access-from domain="*.amazon.de"/>
<allow-access-from domain="*.amazon.fr"/>
<allow-access-from domain="*.amazon.jp"/>
<allow-access-from domain="*.amazon.co.jp"/>
<allow-access-from domain="*.amazon.uk"/>
<allow-access-from domain="*.amazon.co.uk"/>
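
An added example (not code from the original post): a small Python audit of the policy shapes shown in XML Code 1 to 4. It lists the entries that grant access beyond named hosts and models which requesting domains each file admits. The sample policies are constructed from the snippets above inside a `<cross-domain-policy>` root element, and the suffix rule used for `*.domain` entries is an assumption based on the page's description of the wildcard.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies mirroring XML Code 1-3 on this page.
DOCTYPE = ('<?xml version="1.0"?>\n<!DOCTYPE cross-domain-policy SYSTEM '
           '"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">\n')
CODE_1 = DOCTYPE + ('<cross-domain-policy>'
                    '<allow-access-from domain="www.curtismorley.com" />'
                    '<allow-access-from domain="curtismorley.com" />'
                    '</cross-domain-policy>')
CODE_2 = DOCTYPE + '<cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>'
CODE_3 = DOCTYPE + '<cross-domain-policy></cross-domain-policy>'


def granted_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    if "<!ENTITY" in policy_xml:  # a policy file has no reason to declare entities
        raise ValueError("entity declarations are not expected in a policy file")
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element must be cross-domain-policy")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def classify(pattern):
    """Label one pattern: 'any', 'subdomain-wildcard', 'exact' or 'invalid'."""
    if pattern == "*":
        return "any"
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return "subdomain-wildcard"
    return "invalid" if ("*" in pattern or not pattern) else "exact"


def allows(policy_xml, requester):
    """Model of the grant decision (assumption: '*.x' matches hosts ending in '.x')."""
    host = requester.lower()
    for pattern in granted_domains(policy_xml):
        kind = classify(pattern)
        if (kind == "any" or (kind == "exact" and host == pattern) or
                (kind == "subdomain-wildcard" and host.endswith(pattern[1:]))):
            return True
    return False


def audit(policy_xml):
    """Return (pattern, kind) pairs that widen access beyond named hosts."""
    return [(p, classify(p)) for p in granted_domains(policy_xml)
            if classify(p) != "exact"]
```

Run `audit()` against a policy before uploading it: an empty list means every grant names a single host, while an `any` entry is the XML Code 2 situation.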

Creating a cross domain policy file is just that easy.

And Happy Flashing.

P.S. I highly suggest that you read one or all of the following articles on cross domain policy files and the Flash Player security sandbox:

Crossdomain Article by Colin Moock

Adobe Crossdomain Technote (this one is required reading)

Flash Player 9 Security Whitepaper

Adobe LiveDocs on Flash Player Security


  1. curtismorley.com » Flash CS3 / Flex 2 AS3 Error #2148 said,

    September 1, 2007 at 7:48 am

    […] domain policy or need help creating a crossdomain.xml file click the link and I will show you how to create a crossdomain.xml file.  View my tutorial on How to Create a crossdomain.xml file and visit the links on the bottom of […]

  2. Zapico said,

    April 9, 2008 at 4:20 pm

    Using ruby on rails to generate xml read by flash, and had this problem between different domain aliases. Solved with this!
    Thanks for the help!

  3. Curtis J. Morley said,

    April 11, 2008 at 3:05 pm


    Glad that I could help.


    Curtis J. Morley

  4. Brett Adam said,

    June 18, 2008 at 12:42 pm

    You should update this article with the new allow-http-request-headers-from directive, since it gets in the way of any attempt to use HTTP Basic Auth or SOAPAction headers when making cross domain requests.

    See my blog posting at http://verveguy.blogspot.com/2008/06/more-httpheader-madness.html for my own story around this particular gotcha.

  5. Ben Wesley said,

    June 26, 2008 at 1:49 pm

    First off, thanks for making this info available. I tried my best to wade through the Flash Player security white papers. I am just a coder, and we have no “administrator” per se. All I am doing is using the HTTPService method in Flex to hit a DNS within our firewall on our network here that serves up address correction data and sends it back to the app. When I run the app it works just fine if I hit the server running on my VMWare test instance on the same box as the app is running. However, I was worried I was going to get this type of error thrown because in my research getting data moving, I saw this info you had out. So to test, all I did was take the .swf file and put it out on a different drive out on our network and run the app and sure enough it threw this cross domain error. I am not an expert on the definition of a “domain,” but I do understand it is a term that is used rather loosely, and could mean Windows, Novell, a .com site, or even other things. Regardless, Flash Player 9 is throwing the security errors. My production app will hit the following URL to get data back:
    without ever leaving our firewall.
    1) I guess I just need the following xml script:

    2)since I have no “site” per se, during testing and deployment, do I just put this file somewhere in the Flex project like .bin or what?
    Ben Wesley

  6. Ben Wesley said,

    June 26, 2008 at 2:20 pm

    I tried putting the crossdomain.xml file in my main project directory and it still threw the error.

  7. Garuna Web Designer » Blog Archive » How to Create a crossdomain.xml file. said,

    August 22, 2008 at 5:56 am

    […] how to Create a crossdomain.xml file […]

  8. Mike said,

    August 26, 2008 at 2:03 am


    Is there a way to allow anyone to access one file?

    I.e., rather than having it set for 1 site to access any swf, the reverse: any site can access 1 file in particular?



  9. Jeetendra said,

    October 21, 2008 at 9:59 pm

    It is a good tutorial, I like it so much. Actually I was facing a problem with cross domain and it solved my problem. Thanks a lot.

  10. Ronny said,

    October 30, 2008 at 4:22 am

    How can one test this on localhost before deployment? In an Eclipse Maven project


  11. hinderberg.() » Hovedprosjekt: Starte med flex said,

    January 18, 2009 at 1:07 pm

    […] The reason I did not notice this before the program was “finished” was that in debug mode the crossdomain.xml requirement is not enforced. It was only when I sent the program to Tore (a schoolmate) that I noticed something was wrong. For those of you who want to access files and information outside the domain your Flex app runs on, read more about how here: Flash / Flex Tutorial – How to Create a crossdomain.xml file. […]

  12. Developing a Flex WebService client « My experiments with technology said,

    February 3, 2009 at 8:59 am

    […] To learn more about features and how to fine-tune your cross domain access refer to this blog. […]

  13. Michael Cole said,

    March 28, 2009 at 4:28 pm

    Thanks Curtis for the great tip. I have been going around with this for a while.


  14. haris raheem said,

    May 7, 2009 at 9:46 pm

    Thanks for the good article, I just copied your text, pasted it in an xml file and uploaded it to my site root.

    It worked nicely. Thanks again.

  15. Neil Kolban said,

    May 11, 2009 at 6:11 pm

    Thank you sir … great posting.

  16. judah’s blog » Blog Archive » Security error accessing url said,

    June 7, 2009 at 5:15 pm

    […] – Add a cross domain policy file on the domain you are calling. Your swf can access resources on other domains if the other domain grants your permission. They do this through a cross-domain file. This is a simple xml file on the other domain (yes, they have to set it up) that says what domains can access what content. Some sites already have cross-domain policy files setup. Here is an example. More info here… […]

  17. Pranav said,

    October 28, 2009 at 3:12 am

    Hi all,
    Thanks for this information about crossdomain policy in Flash/Flex.
    I implemented crossdomain.xml solution.
    But still Flex is giving me
    [RPC Fault faultString=”Security error accessing url” faultCode=”Channel.Security.Error” faultDetail=”Destination: DefaultHTTP”]

    Can somebody help me on this issue?

    Thanks in Advance

  18. salawank said,

    November 3, 2009 at 2:04 am


    fix 1 works great with me 🙂

  19. Adriaan Wormgoor said,

    December 2, 2009 at 7:01 am

    Hey Curtis,

    Thanks for this, exactly what I was looking for.

  20. thamps said,

    March 14, 2010 at 5:27 pm

    Thanks a lot for a very simple explanation. But I have a few questions on this.

    1. If a.com wants to send an xmlHttprequest to b.com, then should the crossdomain.xml be there on a.com or on b.com?
    2. In the above-mentioned scenario, if a.com has to keep crossdomain.xml with allow-access-from domain=”b.com”, then can b.com access any resources from a.com? Will there be any security vulnerability?

  21. links for 2010-04-28 | andy.edmonds.be said,

    April 28, 2010 at 5:06 pm

    […] curtismorley.com » Flash / Flex Tutorial – How to Create a crossdomain.xml file. (tags: flash crossdomain flex security xml) This was written by andy. Posted on Thursday, April 29, 2010, at 1:06 am. Filed under Delicious. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback. […]

  22. LearningAPI » Flash crossdomain security issues said,

    May 2, 2010 at 12:33 pm

    […] The solution is to add a crossdomain.xml file to the root directory of the web server that hosts the XML file. There’s official Adobe docs on crossdomain policy files, and here’s a pretty good tutorial on crossdomain.xml files. […]

  23. Sidney de Koning said,

    January 5, 2011 at 6:12 am

    Hi Curtis,

    The code in XML Code 1 is throwing an error because there needs to be a space between cross-domain-policy and SYSTEM. Now it's cross-domain-policySYSTEM.

    Take care,


  24. good cross domain info as3 « MisterSaisho.com said,

    March 21, 2011 at 10:54 pm

    […] MisterSaisho on Mar.22, 2011, under Uncategorized http://curtismorley.com/2007/09/01/flash-flex-tutorial-how-to-create-a-crossdomainxml-file/ […]

  25. Tobias Ernst said,

    April 16, 2011 at 1:32 am

    Thank you, really nice tutorial.

    Kind regards

    Tobias Ernst

  26. Luc Langouet said,

    November 1, 2011 at 11:40 am


    Thank you very much. It solved my problem. I could not understand why IE did not give me any error, when Chrome and Safari did not work.


  27. chidambaram said,

    November 17, 2011 at 4:56 am

    I am new to Flex; I am only now learning Flex, please help me. I am a new employee in the software industry. I am very nervous. Please, anybody help me if you have time; this is very urgent for me. This is my small request.


  28. starfall said,

    May 22, 2012 at 6:15 pm

    When you say security, did you mean that any crossdomain is not allowed to visit your site? I have a Flash games site for which I really need a proper crossdomain.xml. Which XML code exactly do you recommend? I’m a little bit confused about crossdomain.xml. Kindly help.

  29. neha said,

    June 18, 2012 at 9:40 pm

    How will I get the xml file if I want to access data from any website?

  30. Giant Geek Blog » crossdomain.xml said,

    November 29, 2012 at 5:53 pm

    […] http://curtismorley.com/2007/09/01/flash-flex-tutorial-how-to-create-a-crossdomainxml-file/ […]
