I have read a lot about the new policy-policy of Flash Player and also know the master policy file. Now imagine the following situation: There are two servers with services (HTTP) running at custom ports

  • servera.com:2222/websiteA
  • serverb.com:3333/websiteB

Now I open a SWF from server a (e.g. servera.com:2222/websiteA/A.swf) that wants to access the service of serverb. Of course I need a crossdomain.xml at the right place and there are multiple variations possible. I don't want to use a master policy file, as I might not have control over the root of both servers.

One solution I found works with the following crossdomain:

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>

served at serverb.com:3333/websiteB/crossdomain.xml

So now for my question: Is it possible to get rid of the "*" and use a proper (not as general as *) domain name in the allow-access-from rule? All my attempts failed, and from what I understand it should be possible.

Jesper Fyhr Knudsen
cboese

2 Answers

1

Try:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
    <allow-access-from domain="*.servera.com" to-ports="3333"/>
</cross-domain-policy>

(You may have to specify the port for the from domain as well - I haven't had to deal w/ cross domain w/ ports in a while.)

quoo
  • What do you mean with "specify the port for the from domain"? I didn't find an attribute like "from-ports" in the specs. Is there another way that I am not aware of? – cboese Apr 12 '10 at 07:54
  • There's not a from-ports, I meant like domain="*.servera.com:3333" – quoo Apr 12 '10 at 14:18
0

Be very careful with crossdomain policy files. If you are using cookie auth or if serverb.com is on an internal network then you should not use a crossdomain policy. Alternatively you can use a proxy on servera.com that proxies the requests to serverb.com. That would avoid the crossdomain request.

You should also set up logging using an mm.cfg file containing:

ErrorReportingEnable=1
TraceOutputFileEnable=1
PolicyFileLog=1
PolicyFileLogAppend=1

That will log the errors to a text file. Check out more details on setting up the mm.cfg file.

James Ward
  • True - I'd also get the current cross domain policy file down ASAP as it's basically allowing everything. – quoo Apr 09 '10 at 17:35
  • I think I am fully aware of the risks, nevertheless, thanks James for pointing that out to everyone. I also think a proxy should be the solution of choice. Still, the initial question remains open. – cboese Apr 12 '10 at 07:55
  • If it is safe for you to use a crossdomain policy file because serverb.com does not use cookie auth and isn't an internal server then it's probably also ok to leave the "*" in there. Are you getting an error message in a debug version of Flash Player? – James Ward Apr 12 '10 at 14:08
  • I am very very confused now, as it works on some systems with some browsers and on others it fails. I can't make any sense out of it. E.g. Safari under OSX always refuses the crossdomain except for the "*" one and IE on WinXP always accepts it, no matter what kind of (well formed) rubbish I put in the file. Maybe one time I will find out what exactly is going on under the hood, but for now I stick with the "*" for development and use a proxy for live systems. Thanks for your help, esp. the port variant from quoo, I think that "should" be the solution. – cboese Apr 14 '10 at 09:56
  • I've added some info on how to debug policy errors. Getting an error message goes a long way in determining what the problem is. – James Ward Apr 14 '10 at 13:02
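
A check for the wildcard risk raised in this thread, as an added example that is not part of any answer or comment: it parses a policy file and flags `domain="*"`, partial wildcards and `secure="false"` grants. The function name `audit_policy` and the severity labels are assumptions of this example; the two sample files are the ones quoted on this page.

```python
import xml.etree.ElementTree as ET

# Sample inputs: the two policy files quoted on this page.
QUESTION_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>"""

ANSWER_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.servera.com" to-ports="3333"/>
</cross-domain-policy>"""

def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one policy file."""
    try:
        root = ET.fromstring(xml_text)  # the external DTD is not fetched
    except ET.ParseError as exc:
        return [("error", f"not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", f"unexpected root element <{root.tag}>")]
    findings = []
    grants = root.findall("allow-access-from")
    if not grants:
        findings.append(("info", "no allow-access-from entries: nothing is granted"))
    for el in grants:
        domain = el.get("domain", "").strip()
        if not domain:
            findings.append(("error", "allow-access-from without a domain attribute"))
        elif domain == "*":
            findings.append(("high", 'domain="*" grants access to SWFs from any origin'))
        elif "*" in domain:
            findings.append(("medium", f"wildcard grant {domain!r}: every matching host is trusted"))
        # secure defaults to true; false lets HTTP-served SWFs read HTTPS content
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", f'secure="false" on {domain!r}'))
    return findings

if __name__ == "__main__":
    for name, text in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        for severity, message in audit_policy(text):
            print(f"{name}: [{severity}] {message}")
```

The file alone cannot show whether the target uses cookie authentication or sits on an internal network, so a clean result here does not replace that review.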