Cross Domain Policy

Every Flash or Flex developer who has had to access remote resources has come across a crossdomain.xml policy file at some point.

What is a Cross Domain Policy File?

The security model known as the “same origin” policy, implemented by most modern web browsers, prevents some types of content from being accessed or modified if the file exists on another domain. It’s not a hard and fast rule; HTML pages will happily display images and HTML from pages on other domains. But for JavaScript the same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another.

Flash Player enforces a similar rule: a SWF is generally not allowed to read data hosted on a domain other than the one it was loaded from. However, there are many circumstances where it is not only useful but expected that resources will be accessed remotely. An online photo album would be of limited use if external applications could not download its images, and a web service that refused to talk to outside applications would be pointless.

For this reason it’s possible to create an XML file, called crossdomain.xml, that specifies how data on a domain can be accessed by a Flash application hosted on a remote domain. For the most part these policy files are quite simple, but there are a few details that it is useful to be aware of.

If you are hosting content that you want to be accessed by external Flash applications, you will need to create a crossdomain.xml file. Let’s start by taking a look at a basic example.

A Basic crossdomain.xml File

Here is a very simple crossdomain.xml file. When this file is hosted on the root of your domain it permits external Flash applications access to all the resources on your domain.

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

The policy file contains a single <cross-domain-policy> tag. Inside this you can have zero or more <allow-access-from> tags. Each <allow-access-from> tag defines a domain or IP address from which a Flash application may access the local resources. The attribute domain="*" specifies that all domains have access: the asterisk is a wildcard, used here to match every domain and IP address.

For a host that serves nothing but public resources, this "allow all" policy is sufficient. Be careful about what else the host serves, though. Flash Player sends the browser's cookies and HTTP authentication along with a cross-domain request, so a wildcard policy lets a SWF on any site read the responses that a logged-in user would see, password-protected pages included. Password protection on its own does not prevent that; if the domain serves session-bound or otherwise sensitive data, do not use the wildcard.

(Note that a crossdomain.xml file on your own domain does not let SWFs on your domain read files from another domain. The policy has to be hosted on the domain whose data is being read.)

Specified Domains

If you do not want to allow global access to your public resources, the domain attribute in the <allow-access-from> tag can be used to grant access to specific domains.

You can specify a host name in full. The example below grants access to Flash applications hosted at www.hawaiiflash.org and at hawaiiflash.org. The two are listed separately because a name without a wildcard is an exact match and does not cover subdomains; to admit every subdomain you would write *.hawaiiflash.org instead. The example also carries a <site-control> element. Its permitted-cross-domain-policies="all" setting tells Flash Player to honor policy files anywhere on the host, not only the master file at the root, so any directory that accepts uploads becomes a place where access can be widened; "master-only" is the safer setting unless you deliberately serve additional policy files.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!--Generic policy file for flex app access, it should be made more restrictive -->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="www.hawaiiflash.org" />
  <allow-access-from domain="hawaiiflash.org" />
</cross-domain-policy>
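To make the two policies in this article concrete (the "allow all" file above and the specific-domain file just shown), here is a small audit script in Python. It is an added example, not code from the original article or from Adobe. It parses a policy file, decides whether a given requesting host would be admitted under Flash Player's matching rules (an exact name does not cover subdomains; a *.example.com prefix does), and flags the two settings discussed above that widen access: the wildcard domain and site-control set to "all". The embedded sample policies are copies of the two files shown on this page; the function names are this example's own, and the treatment of a prefix wildcard as also covering the bare domain is an assumption noted in the code.

```python
"""Audit crossdomain.xml policies: who gets in, and what is too permissive.
Added example for this article; not Adobe's code."""
import xml.etree.ElementTree as ET

# Constructed sample policies, copied from the two files shown in the article.
ALLOW_ALL_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

SPECIFIC_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="www.hawaiiflash.org" />
  <allow-access-from domain="hawaiiflash.org" />
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return (site_control_value_or_None, [domain patterns]) from a policy."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    site_control = None
    sc = root.find("site-control")
    if sc is not None:
        site_control = sc.get("permitted-cross-domain-policies")
    domains = [el.get("domain", "") for el in root.findall("allow-access-from")]
    return site_control, domains


def domain_matches(pattern, host):
    """Flash Player's matching rules for the domain attribute:
    '*' alone matches every host; '*.example.com' matches any subdomain;
    anything else is an exact, case-insensitive host match (no subdomains)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]  # e.g. "hawaiiflash.org"
        # Assumption of this example: the prefix wildcard also admits the bare
        # domain. The suffix check keeps the dot so "evilhawaiiflash.org" fails.
        return host == base or host.endswith("." + base)
    return pattern == host


def is_allowed(xml_text, host):
    """Would a SWF served from `host` be allowed to read this domain's data?"""
    _, domains = parse_policy(xml_text)
    return any(domain_matches(d, host) for d in domains)


def audit_policy(xml_text):
    """Return (code, message) findings a reviewer would raise on the policy."""
    site_control, domains = parse_policy(xml_text)
    findings = []
    if "*" in domains:
        findings.append(("wildcard-domain",
                         "domain=\"*\": a SWF on any site can read responses, "
                         "including ones the browser authenticates with cookies"))
    if site_control == "all":
        findings.append(("site-control-all",
                         "permitted-cross-domain-policies=\"all\": policy files "
                         "anywhere on the host are honored, not just the master; "
                         "prefer \"master-only\" unless extra policies are intended"))
    return findings


if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL_POLICY),
                         ("specific", SPECIFIC_POLICY)):
        print(name, "admits www.hawaiiflash.org:",
              is_allowed(policy, "www.hawaiiflash.org"))
        print(name, "admits static.hawaiiflash.org:",
              is_allowed(policy, "static.hawaiiflash.org"))
        for code, msg in audit_policy(policy):
            print(f"  [{code}] {msg}")
```

Run it against your own policy by reading the file into a string and passing it to audit_policy; the is_allowed check is the quick way to confirm that a name you listed really covers the hosts you expect, since the exact-match rule catches people out more often than the wildcard does.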