About XMLSocket policy files

For an XMLSocket connection attempt, Flash Player 7 (7.0.14.0) looked for crossdomain.xml on an HTTP server on port 80 in the subdomain to which the connection attempt was being made. Flash Player 7 (7.0.14.0) and all earlier versions restricted XMLSocket connections to ports 1024 and above. However, in Flash Player 7 (7.0.19.0) and later, ActionScript can inform Flash Player of a nondefault location for a policy file using System.security.loadPolicyFile. Any custom locations for XMLSocket policy files must still be on an XML socket server.

In the following example, Flash Player retrieves a policy file from a specified URL:

System.security.loadPolicyFile("http://www.adobe.com/folder/policy.xml");

Any permissions granted by the policy file at that location apply to all content at the same level or below in the server's hierarchy. Therefore, if you try to load the following data, you find that you can load data only from certain locations:

myLoadVars.load("http://www.adobe.com/folder/vars.txt"); // allowed
myLoadVars.load("http://www.adobe.com/folder/dir/vars2.txt"); // allowed
myLoadVars.load("http://www.adobe.com/elsewhere/vars3.txt"); // not allowed

To work around this, you can load more than one policy file into a single SWF file using loadPolicyFile. Flash Player always waits for the completion of any policy file downloads before denying a request that requires a policy file. Flash Player consults the default location of crossdomain.xml if no other policies were authorized in the SWF file.

Special syntax allows policy files to be retrieved directly from an XMLSocket server:

System.security.loadPolicyFile("xmlsocket://adobe.com:414");

In this example, Flash Player tries to retrieve a policy file from the specified host and port. Any port can be used if the policy file is not in the default (root) directory; otherwise the port is limited to 1024 and higher (as with earlier players). When a connection is established to the specified port, Flash Player sends <policy-file-request />, terminated by a null byte.

The XML socket server might be configured to serve policy files in the following ways:

The server must send a null byte to terminate a policy file before it closes the connection. If the server does not close the connection, Flash Player does so upon receiving the terminating null byte.

A policy file served by an XML socket server has the same syntax as any other policy file, except that it must also specify the ports to which access is granted. The allowed ports are specified in a to-ports attribute in the <allow-access-from> tag. If a policy file comes from a port lower than 1024, it can grant access to any port; when a policy file comes from port 1024 or higher, it can grant access only to other ports above 1024. Single port numbers, port ranges, and wildcards are allowed. The following code is an example of an XMLSocket policy file:

<cross-domain-policy>
<allow-access-from domain="*" to-ports="507" />
<allow-access-from domain="*.adobe.com" to-ports="507,516" />
<allow-access-from domain="*.helpexamples.com" to-ports="516-523" />
<allow-access-from domain="www.adobe.com" to-ports="507,516-523" />
<allow-access-from domain="www.helpexamples.com" to-ports="*" />
</cross-domain-policy>

Because the ability to connect to ports lower than 1024 is available in Flash Player 7 (7.0.19.0) and later, a policy file loaded with loadPolicyFile is always required to authorize this, even when a SWF file is connecting to its own subdomain.
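
The following is an added example, not code from the original page or from Adobe: a Python checker that parses an XMLSocket policy file and decides whether a connection is authorized, applying both the to-ports attribute and the restriction on policy files served from port 1024 or higher. The function names and the domain-matching behavior are assumptions made for illustration; the sample policy is the one shown above.

```python
import xml.etree.ElementTree as ET

# The policy file shown above, reproduced as sample input.
POLICY = """<cross-domain-policy>
<allow-access-from domain="*" to-ports="507" />
<allow-access-from domain="*.adobe.com" to-ports="507,516" />
<allow-access-from domain="*.helpexamples.com" to-ports="516-523" />
<allow-access-from domain="www.adobe.com" to-ports="507,516-523" />
<allow-access-from domain="www.helpexamples.com" to-ports="*" />
</cross-domain-policy>"""

def parse_ports(spec):
    """Turn a to-ports value ("507,516-523" or "*") into (low, high) ranges."""
    ranges = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if part == "*":
            ranges.append((0, 65535))
        else:
            low, _, high = part.partition("-")
            ranges.append((int(low), int(high or low)))
    return ranges

def domain_matches(pattern, host):
    # Assumption: "*" matches any host, "*.x" matches hosts ending in ".x".
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def is_allowed(policy_xml, served_from_port, host, target_port):
    """Apply the policy plus the rule tying grants to the port that served it."""
    # A policy served from port 1024 or higher cannot grant a port below 1024
    # (assumption: the page's "above 1024" is read as 1024 and higher).
    if served_from_port >= 1024 and target_port < 1024:
        return False
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        ports = parse_ports(rule.get("to-ports", ""))
        if domain_matches(rule.get("domain", ""), host) and any(
                low <= target_port <= high for low, high in ports):
            return True
    return False

def broad_grants(policy_xml):
    """List rules worth reviewing: any requesting domain, or every port."""
    return [(r.get("domain"), r.get("to-ports"))
            for r in ET.fromstring(policy_xml).iter("allow-access-from")
            if r.get("domain") == "*" or r.get("to-ports") == "*"]
```

Running broad_grants over a policy file before deploying it shows which rules open a port to every requesting domain or open every port to one domain.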


Flash CS3


 


Current page: http://livedocs.adobe.com/flash/9.0/main/00001087.html