Cross domain policy files

Version: Flash Player 7
Date Added: September 10, 2003

The purpose of this technote is to highlight new security restrictions in Flash Player 7 that can:

  • cause a warning dialog to appear when playing Flash Player 6 and older format .swf files
  • cause data loading to fail in Flash Player 7 format .swf files.

This technote gives a brief overview of the issue, and outlines the most common way to fix the problem. For an excellent, exhaustive, and much deeper consideration of this topic, see Deneb Meketa's devnet article, Security Changes in Macromedia Flash Player 7 (Deneb is the engineer who actually implemented the security changes).


Flash Player 6 introduced a security sandbox that implemented the following restrictions:

  • a movie posted on one domain is prevented from loading data from another domain
  • a movie posted on one domain is prevented from accessing the properties or methods of a movie loaded from another domain

Flash Player 7 tightens the security sandbox. In Flash Player 6, subdomains of the same parent domain could access each other's data. In Flash Player 7, data can only be accessed via the exact same domain from which the movie was loaded. For example, Flash Player 6 will allow a movie posted on games.moock.org to load an XML file from news.moock.org. But in Flash Player 7, that load attempt would fail.

Here's another, more serious example: in Flash Player 7, if a visitor reaches a site by a shortened URL, such as "http://yoursite.com" (no "www"), movies on that site will not be able to load data from the site's full hostname, "www.yoursite.com", because the two hostnames are now treated as different domains. This limitation affects Flash Player 6 format .swf files as well as Flash Player 7 format .swf files. If the .swf file is in Flash Player 7 format, the load simply fails; if it is in Flash Player 6 (or earlier) format, Flash Player 7 will display a warning dialog asking the visitor to allow the movie to access the external domain.

To automatically give a movie loaded from yoursite.com access to data on www.yoursite.com, you must use a cross-domain policy file. The policy file lives on the server that hosts the data, not the one that hosts the movie: it is the data host's declaration of which domains may load from it. The following steps describe how the owner of yoursite.com would add a cross-domain policy file to her site, thus allowing data to flow from yoursite.com to www.yoursite.com, and vice versa.

  1. Create a new text file named crossdomain.xml.
  2. Open crossdomain.xml in a text editor.
  3. Add the following XML code to the file:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy 
      SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
      <allow-access-from domain="www.yoursite.com" />
      <allow-access-from domain="yoursite.com" />
    </cross-domain-policy>
  4. Save the file.
  5. Upload the file to the root directory of yoursite.com (so that it is served at both http://yoursite.com/crossdomain.xml and http://www.yoursite.com/crossdomain.xml). Because both hostnames serve the same document root, the one file covers data flowing in either direction; if the two hostnames were served from different servers, each would need its own copy.
If you host Flash content that loads XML or variables or connects to an XMLSocket server, you should follow the above steps for your own site, substituting your site's domain for "yoursite.com" in the instructions. If your site loads data using an absolute URL (e.g., http://www.yoursite.com/newsfeed.xml) but does not have a cross-domain policy file, then any visitor who reached the page under the other hostname (here, http://yoursite.com) will hit the restriction: a Flash Player 6 format movie triggers a security alert, and a Flash Player 7 format movie silently fails to load the data. Note, however, that if you load data off your own site with a relative URL (e.g., ../newsfeed.xml rather than http://yoursite.com/newsfeed.xml), no alert appears and the load succeeds, because the relative URL resolves to whichever hostname the visitor used to view the site (either yoursite.com or www.yoursite.com), so the movie and the data always share the exact same domain.

The above technique can be used to give any external domain access to a site's data. For example, to give all movies posted at any subdomain of moock.org access to data on yoursite.com, we'd change the XML code in step 3 to:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.yoursite.com" />
  <allow-access-from domain="yoursite.com" />
  <allow-access-from domain="*.moock.org" />
</cross-domain-policy>

Once the above policy file is posted on yoursite.com's web root, all movies on moock.org (including www.moock.org, games.moock.org, etc) have access to yoursite.com's data. (Note the use of the wildcard "*" character in the policy file.)

A public web service provider such as amazon.com or google.com could allow any Flash movie to access its data using the following cross-domain policy file (again, note the wildcard). Use domain="*" only on a host that serves nothing but public data: Flash Player sends the visitor's cookies along with the request, so a movie from any site could otherwise read whatever that host returns for the visitor's own logged-in session.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
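The following is an added example, hypothetical Python written for this page rather than code from the technote or from Macromedia. It models the rules described above so they can be checked offline: the Flash Player 6 parent-domain rule versus the Flash Player 7 exact-domain rule, and how a data host's crossdomain.xml extends access, including the "*.moock.org" and "*" wildcards. It also flags grants a reviewer should look at twice. The embedded policy documents are constructed for the example. Two assumptions: the Flash Player 6 parent-domain check is simplified to comparing the last two labels of each hostname, and a leading wildcard such as "*.moock.org" is treated as matching moock.org itself as well as its subdomains (my reading of Macromedia's policy-file documentation; the technote does not spell it out).

```python
"""Model of the Flash Player 6/7 data-loading sandbox and of crossdomain.xml.

Hypothetical helper code written for this page; not Macromedia's implementation.
"""
from typing import List, Optional
from xml.etree import ElementTree as ET

# Constructed sample policies, in the same shape as the technote's examples.
YOURSITE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.yoursite.com" />
  <allow-access-from domain="yoursite.com" />
  <allow-access-from domain="*.moock.org" />
</cross-domain-policy>
"""

PUBLIC_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""


def parse_policy(policy_xml: str) -> List[str]:
    """Return the domain patterns granted by a crossdomain.xml document.

    Only the root element and allow-access-from/@domain are read; expat does
    not fetch the external DTD named in the DOCTYPE.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"not a cross-domain policy file (root is <{root.tag}>)")
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def domain_matches(pattern: str, requester: str) -> bool:
    """Does one allow-access-from pattern grant the requesting movie's domain?"""
    pattern, requester = pattern.lower(), requester.lower()
    if pattern == "*":                       # any domain at all
        return True
    if pattern.startswith("*."):             # e.g. *.moock.org
        base = pattern[2:]
        # Assumption: the bare domain matches too, not only its subdomains.
        return requester == base or requester.endswith("." + base)
    return pattern == requester              # exact hostname match


def same_domain_fp6(movie_host: str, data_host: str) -> bool:
    """Flash Player 6: hosts under the same parent domain trust each other.

    Simplified to 'same last two labels'; the real rule is fuzzier (assumption).
    """
    def parent(host: str) -> str:
        return ".".join(host.lower().split(".")[-2:])
    return parent(movie_host) == parent(data_host)


def same_domain_fp7(movie_host: str, data_host: str) -> bool:
    """Flash Player 7: only the exact same hostname is trusted by default."""
    return movie_host.lower() == data_host.lower()


def can_load(player_version: int, movie_host: str, data_host: str,
             policy_xml: Optional[str] = None) -> bool:
    """Would a movie served from movie_host be allowed to load data from data_host?

    policy_xml is the crossdomain.xml served by data_host (None if it has none).
    """
    same_domain = same_domain_fp6 if player_version <= 6 else same_domain_fp7
    if same_domain(movie_host, data_host):
        return True
    if policy_xml is None:
        return False
    return any(domain_matches(p, movie_host) for p in parse_policy(policy_xml))


def audit_policy(policy_xml: str) -> List[str]:
    """Flag grants that widen access beyond a list of named hostnames."""
    findings = []
    for pattern in parse_policy(policy_xml):
        if pattern == "*":
            findings.append('domain="*": any site\'s movie can read this host '
                            "with the visitor's cookies; public data only")
        elif pattern.startswith("*."):
            findings.append(f"{pattern}: trusts every current and future "
                            f"subdomain of {pattern[2:]}")
    return findings


if __name__ == "__main__":
    for version in (6, 7):
        print(version, "yoursite.com -> www.yoursite.com, no policy:",
              can_load(version, "yoursite.com", "www.yoursite.com"))
    print("7 with policy:",
          can_load(7, "yoursite.com", "www.yoursite.com", YOURSITE_POLICY))
    print("7 games.moock.org -> www.yoursite.com:",
          can_load(7, "games.moock.org", "www.yoursite.com", YOURSITE_POLICY))
    for finding in audit_policy(PUBLIC_POLICY) + audit_policy(YOURSITE_POLICY):
        print("audit:", finding)
```

Run it directly to see the same hostname pair pass under Flash Player 6 and fail under Flash Player 7 until the policy file is supplied; point audit_policy at a real crossdomain.xml fetched from a host's web root to see which grants it hands out.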

If you run an XMLSocket server such as Unity, you must also use a cross-domain policy file so that movies on your site can connect to the server whether they are loaded via www.yoursite.com or yoursite.com. The cross-domain policy file must be served via HTTP from the same domain as the XMLSocket server. For example, if you are running a socket server on moock.org, then you must run a web server on moock.org with the following cross-domain policy file on the web server's document root:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.moock.org" />
  <allow-access-from domain="moock.org" />
</cross-domain-policy>

Without that policy file, attempts to connect to the socket server at moock.org from a movie loaded from www.moock.org will fail.

Note that cross-domain policy files do not affect the ability to script a loaded movie. That aspect of Flash Player security is still controlled by System.security.allowDomain and the new System.security.allowInsecureDomain. See Security Restrictions for Cross-Movie Scripting.

For more information on cross-domain policy files, see the Macromedia technotes on the subject, and the Macromedia Flash 2004 help, under "ActionScript Reference Guide > Working with External Data > Flash Player security features > About allowing cross-domain loading".