
The spec for cross-domain policy files says that you can put the crossdomain.xml file outside the root through the use of an X-Permitted-Cross-Domain-Policies header. How exactly does one go about doing that? I want to put a crossdomain.xml file in a subdirectory (I don't have access to the root). This is from page 11 of the spec:

When clients require a policy file, they look at the root by default. A domain should always host a master policy file to enforce its intended meta-policy. If a client is instructed to load a policy file other than the master policy file, the client must still check the master policy file to ensure that the meta-policy defined by the master policy file permits the use of the originally requested policy file.

Without a master policy file, it is left to the client to enforce the default behavior. Instead of relying entirely on master policy files for meta-policies, clients may also decide to check for a X-Permitted-Cross-Domain-Policies header in documents to specify a meta-policy. In addition to the values acceptable in permitted-cross-domain-policies, this header may also use a value of none-this-response to indicate that the current document should not be used as a policy file despite other headers or its content. Non-master policy files can only grant access to data within their own directory or subdirectories.

ryanve

1 Answer


I'm guessing you want to use the crossdomain.xml for a Flash client? Fact is, by default a Flash client always tries to find that file in the root. As the specs state, everything else must be set in the client. I'm not a Flash coder - you should tag this question with "flash" or whatever else the client is coded in.

Jörn Berkefeld
  • I'm not a Flash coder either. This came to me when I was implementing the http://HTML5Boilerplate.com on a site where I only had access to a sub directory. – ryanve Jan 10 '12 at 04:50
  • Then it's easy: no API with proprietary clients = no need for crossdomain.xml. If you have an API for JavaScript clients on a different (sub-)domain you should instead send this header: "Access-Control-Allow-Origin: *" (though the * can be replaced with a specific IP or domain) – Jörn Berkefeld Jan 11 '12 at 11:50
  • Thanks. I don't need it—I'm just trying to understand it LOL. How do you "send the header"—is that in JavaScript? – ryanve Jan 12 '12 at 07:17
  • No, you do that with your server config (Apache, IIS, ...) or with server-side scripting such as PHP (`header('Access-Control-Allow-Origin: *')`) – Jörn Berkefeld Jan 18 '12 at 10:50
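As an added illustration of the two spec paragraphs quoted in the question (this is not code from the question, the answer, or Adobe's specification), the following Python models what a policy-aware client has to decide before it honours a crossdomain.xml that lives in a subdirectory: first, whether the site's meta-policy (the `site-control` element of the master file at `/crossdomain.xml`, plus any `X-Permitted-Cross-Domain-Policies: none-this-response` header on the non-master file's own response) permits a non-master policy file at all, and second, whether the requested resource lies inside that file's own directory tree. Every policy file, path, domain and header below is constructed for the example; treating a missing `site-control` as `master-only` and treating `*.partner.example` as matching the bare domain as well as its subdomains are assumptions made in the code.

```python
"""Model of the client-side checks for Flash-style crossdomain.xml files.

Added example, not project code. Two rules from the spec are modelled:
  1. the meta-policy decides whether any non-master policy file may be used;
  2. a non-master policy file may only grant access to its own directory
     and subdirectories.
"""
import posixpath
import xml.etree.ElementTree as ET

MASTER_PATH = "/crossdomain.xml"
POLICY_CONTENT_TYPE = "text/x-cross-domain-policy"
# Assumption: a master file with no <site-control> is treated as "master-only".
DEFAULT_META_POLICY = "master-only"


def meta_policy_from_master(master_xml):
    """Read permitted-cross-domain-policies from the master policy file."""
    root = ET.fromstring(master_xml)
    site_control = root.find("site-control")
    if site_control is None:
        return DEFAULT_META_POLICY
    return site_control.get("permitted-cross-domain-policies", DEFAULT_META_POLICY)


def policy_file_usable(meta_policy, policy_path, policy_headers):
    """May the client honour the policy file served at policy_path?"""
    headers = {k.lower(): v.strip().lower() for k, v in policy_headers.items()}
    # The document's own header can veto its use as a policy file.
    if headers.get("x-permitted-cross-domain-policies") == "none-this-response":
        return False
    if meta_policy == "none":          # no policy files at all, master included
        return False
    if policy_path == MASTER_PATH:     # the master file is always consulted
        return True
    if meta_policy == "master-only":   # subdirectory files are ignored
        return False
    if meta_policy == "by-content-type":
        media_type = headers.get("content-type", "").split(";")[0].strip()
        return media_type == POLICY_CONTENT_TYPE
    if meta_policy == "by-ftp-filename":  # FTP rule, modelled as a name check
        return posixpath.basename(policy_path) == "crossdomain.xml"
    return meta_policy == "all"        # unknown values fall through to False


def domain_matches(pattern, domain):
    """Match an allow-access-from domain pattern against the requesting host."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):       # assumption: also matches the bare domain
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    return domain == pattern


def within_scope(policy_path, resource_path):
    """A non-master policy file only covers its own directory and below."""
    if policy_path == MASTER_PATH:
        return True
    scope = posixpath.dirname(policy_path).rstrip("/") + "/"
    # normpath collapses ".." so a path cannot escape the directory on paper.
    return posixpath.normpath(resource_path).startswith(scope)


def access_granted(meta_policy, policy_xml, policy_path, policy_headers,
                   requesting_domain, resource_path):
    """Combine both rules with the allow-access-from entries of the file."""
    if not policy_file_usable(meta_policy, policy_path, policy_headers):
        return False
    if not within_scope(policy_path, resource_path):
        return False
    root = ET.fromstring(policy_xml)
    return any(domain_matches(el.get("domain", ""), requesting_domain)
               for el in root.findall("allow-access-from"))


# Constructed sample site: master file in the root, second file in /app/.
MASTER_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type"/>
</cross-domain-policy>"""

SUBDIR_POLICY_PATH = "/app/crossdomain.xml"
SUBDIR_POLICY_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>"""
GOOD_HEADERS = {"Content-Type": "text/x-cross-domain-policy"}

if __name__ == "__main__":
    meta = meta_policy_from_master(MASTER_XML)
    for domain, path in [("api.partner.example", "/app/data.json"),
                         ("api.partner.example", "/other/secret.json"),
                         ("evil.example", "/app/data.json")]:
        ok = access_granted(meta, SUBDIR_POLICY_XML, SUBDIR_POLICY_PATH,
                            GOOD_HEADERS, domain, path)
        print(f"{domain} -> {path}: {'allowed' if ok else 'denied'}")
```

The practical consequence for the question is visible in `policy_file_usable`: with the default or an explicit `master-only` meta-policy, a crossdomain.xml dropped into a subdirectory is never consulted, so whoever controls the root has to relax the meta-policy (for example to `by-content-type`, with the subdirectory file served as `text/x-cross-domain-policy`) before the subdirectory file can do anything. Even then `within_scope` keeps it from granting access outside its own directory tree.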