loadPolicyFile (security.loadPolicyFile method) -- Flash CS3

public static loadPolicyFile(url:String) : Void

Loads a cross-domain policy file from a location specified by the url parameter. Flash Player uses policy files as a permission mechanism to permit SWF files to load data from servers other than their own.

Flash Player 7.0.14.0 looked for policy files in only one location: /crossdomain.xml on the server to which a data-loading request was being made. For an XMLSocket connection attempt, Flash Player 7.0.14.0 looked for /crossdomain.xml on an HTTP server on port 80 in the subdomain to which the XMLSocket connection attempt was being made. Flash Player 7.0.14.0 (and all earlier players) also restricted XMLSocket connections to ports 1024 and later.

With the addition of System.security.loadPolicyFile(), Flash Player 7.0.19.0 can load policy files from arbitrary locations, as shown in the following example:

 System.security.loadPolicyFile("http://foo.com/sub/dir/pf.xml");

This causes Flash Player to retrieve a policy file from the specified URL. Any permissions granted by the policy file at that location will apply to all content at the same level or lower in the virtual directory hierarchy of the server. The following code continues the previous example:

 loadVariables("http://foo.com/sub/dir/vars.txt") // allowed
 loadVariables("http://foo.com/sub/dir/deep/vars2.txt") // allowed
 loadVariables("http://foo.com/elsewhere/vars3.txt") // not allowed

You can use loadPolicyFile() to load any number of policy files. When considering a request that requires a policy file, Flash Player always waits for the completion of any policy file downloads before denying a request. As a final fallback, if no policy file specified with loadPolicyFile() authorizes a request, Flash Player consults the original default location, /crossdomain.xml.

Using the xmlsocket protocol along with a specific port number, lets you retrieve policy files directly from an XMLSocket server, as shown in the following example:

 System.security.loadPolicyFile("xmlsocket://foo.com:414");

This causes Flash Player to attempt to retrieve a policy file from the specified host and port. Any port can be used, not only ports 1024 and higher. Upon establishing a connection with the specified port, Flash Player transmits <policy-file-request />, terminated by a null byte. An XMLSocket server can be configured to serve both policy files and normal XMLSocket connections over the same port, in which case the server should wait for <policy-file-request /> before transmitting a policy file. A server can also be set up to serve policy files over a separate port from standard connections, in which case it can send a policy file as soon as a connection is established on the dedicated policy file port. The server must send a null byte to terminate a policy file, and may thereafter close the connection; if the server does not close the connection, Flash Player does so upon receiving the terminating null byte.

A policy file served by an XMLSocket server has the same syntax as any other policy file, except that it must also specify the ports to which access is granted. When a policy file comes from a port lower than 1024, it can grant access to any ports; when a policy file comes from port 1024 or higher, it can grant access only to other ports 1024 and higher. The allowed ports are specified in a "to-ports" attribute in the <allow-access-from> tag. Single port numbers, port ranges, and wildcards are all allowed. The following example shows an XMLSocket policy file:

 <cross-domain-policy>
 <allow-access-from domain="*" to-ports="507" />
 <allow-access-from domain="*.foo.com" to-ports="507,516" />
 <allow-access-from domain="*.bar.com" to-ports="516-523" />
 <allow-access-from domain="www.foo.com" to-ports="507,516-523" />
 <allow-access-from domain="www.bar.com" to-ports="*" />
 </cross-domain-policy>

A policy file obtained from the old default location--/crossdomain.xml on an HTTP server on port 80--implicitly authorizes access to all ports 1024 and above. There is no way to retrieve a policy file to authorize XMLSocket operations from any other location on an HTTP server; any custom locations for XMLSocket policy files must be on an XMLSocket server.

Because the ability to connect to ports lower than 1024 is new, a policy file loaded with loadPolicyFile() must always authorize this connection, even when a movie clip is connecting to its own subdomain.

Parameters

url:String - A string; the URL where the cross-domain policy file to be loaded is located.