In this section, you will learn about the Flash Player security restrictions that apply to loading external data, and how a domain can relax those restrictions for trusted SWF files by publishing a policy file.
By default, a SWF file can load external data only from the domain on which it resides. In other words, a SWF file running within the Web page at www.electrotank.com/addressbook.html could not load the XML file at www.derekfranklin.com/addresses.xml because the running SWF file and the file it's attempting to load are not on the same domain. However, the domain derekfranklin.com can give permission to SWF files that exist on electrotank.com by using a policy file, allowing those SWF files to load and use content from the derekfranklin.com domain. You will learn more about policy files later in this lesson, but you should understand what the Flash Player considers to be a different domain.
The Flash Player uses exact domain matching to determine whether a Flash file and external data source are on the same domain. A subdomain of a domain is not considered the same domain as its parent. For example, store.electrotank.com is not considered the same domain as games.electrotank.com, and www.electrotank.com is not the same as electrotank.com. If the two domain names don't look exactly alike, letter for letter, they're mismatched, and data exchange is not permitted without being granted access via a policy file.
A policy file is an XML-formatted file that usually sits in the root directory of a domain. When a SWF file attempts to load data from another domain, the Flash Player checks the destination domain for a policy file. If a policy file exists, the Flash Player loads it and checks whether the origin domain is granted access. If the origin domain is granted access, the Flash Player loads the requested data; otherwise, it doesn't.
The loading of the policy file is transparent to the user. It happens in the background without any special ActionScript coding.
The following is the format of a policy file:

<cross-domain-policy>
  <allow-access-from domain="www.derekfranklin.com" />
  <allow-access-from domain="www.electrotank.com" />
  <allow-access-from domain="22.214.171.124" />
</cross-domain-policy>
If this XML were saved to a file called crossdomain.xml and uploaded to the root directory of www.gamebook.net, Flash files on www.derekfranklin.com, Flash files on www.electrotank.com, and Flash files served from the IP address listed in the policy file would be granted access to load data from www.gamebook.net.
A policy file for a domain must always be named crossdomain.xml and must exist in the root directory of the domain.
This crossdomain.xml file would not grant access to a SWF file on store.electrotank.com, because that domain does not exactly match any of the authorized domains.
The crossdomain.xml file supports wildcards. If you wanted your policy file to allow all subdomains of electrotank.com, you would use an asterisk in the policy file code as follows:

<cross-domain-policy>
  <allow-access-from domain="*.electrotank.com" />
</cross-domain-policy>
If you wanted to grant access to all domains everywhere, here is how you would set up the policy file (note that this lets a SWF file on any site whatsoever load data from your domain):

<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
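The following Python script is an added example, not code from the lesson. It parses a crossdomain.xml, applies the matching rule described above (exact, letter-for-letter match, a "*.domain" wildcard for subdomains, or a bare "*" for everyone) to decide whether a given origin would be granted access, and flags the entries a reviewer of a published policy file should question. The sample policies are constructed from the ones shown in this lesson; the assumption that "*.electrotank.com" also admits the bare parent domain comes from Adobe's later policy-file specification, not from this text.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies modelled on the ones in this lesson.
EXACT_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.derekfranklin.com" />
  <allow-access-from domain="www.electrotank.com" />
</cross-domain-policy>"""
WILDCARD_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.electrotank.com" />
</cross-domain-policy>"""
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

def allowed_patterns(policy_xml):
    """Return the domain value of every <allow-access-from> element."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not <cross-domain-policy>")
    return [e.get("domain") for e in root.iter("allow-access-from") if e.get("domain")]

def pattern_matches(pattern, origin):
    """Flash Player matching rule: a bare '*' admits every origin; '*.base' admits
    every subdomain of base; anything else must match the origin letter for letter.
    Assumption (Adobe's later policy-file specification, not this lesson):
    '*.base' also admits the bare parent domain 'base'."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        # The leading dot keeps "evil-electrotank.com" from matching "*.electrotank.com".
        return origin == base or origin.endswith("." + base)
    return pattern == origin

def is_allowed(policy_xml, origin):
    """Would a SWF served from `origin` be permitted to load this domain's data?"""
    return any(pattern_matches(p, origin) for p in allowed_patterns(policy_xml))

def audit(policy_xml):
    """Flag entries a reviewer of a served crossdomain.xml should question."""
    findings = []
    for p in allowed_patterns(policy_xml):
        if p == "*":
            findings.append(f"{p}: any SWF on any site can read this domain's data")
        elif p.startswith("*."):
            findings.append(f"{p}: every host under {p[2:]} is trusted")
    return findings
```

Running `audit()` against the crossdomain.xml actually served from a domain's root is a quick way to catch a forgotten `domain="*"` entry before it exposes data.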
Policy files don't have to be located in the server root directory; they can exist in a custom location. When a policy file is in a custom location, the Flash Player will not automatically look for it because it does not know where to look. To load a policy file from a custom location, the following line of ActionScript is needed:
System.security.loadPolicyFile("http://www.myDomain.com/dir1/dir2/crossdomain.xml");