Hi! I have read a lot about the new policy-policy of Flash Player and also know the master policy file. Now imagine the following situation: There are two servers with services (HTTP) running at custom ports:

  • servera.com:2222/websiteA
  • serverb.com:3333/websiteB

Now I open a swf from server a (e.g. servera.com:2222/websiteA/A.swf) that wants to access the service of serverb. Of course I need a crossdomain.xml at the right place and there are multiple variations possible. I don't want to use a master policy file, as I might not have control over the root of both servers.

One solution I found works with the following crossdomain:

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>

served at serverb.com:3333/websiteB/crossdomain.xml

So now for my question: Is it possible to get rid of the "*" and use a proper (not as general as *) domain name in the allow-access-from rule? All my attempts failed, and from what I understand it should be possible.

+1  A: 

Try:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
    <allow-access-from domain="*.servera.com" to-ports="3333"/>
</cross-domain-policy>

(You may have to specify the port for the from domain as well - I haven't had to deal w/ cross domain w/ ports in a while.)

quoo
What do you mean with "specify the port for the from domain"? I didn't find an attribute like "from-ports" in the specs. Is there another way that I am not aware of?
cboese
There's not a from ports, I meant like domain="*.servera.com:3333"
quoo
A: 

Be very careful with crossdomain policy files. If you are using cookie auth or if serverb.com is on an internal network then you should not use a crossdomain policy. Alternatively you can use a proxy on servera.com that proxies the requests to serverb.com. That would avoid the crossdomain request.

You should also set up logging using an mm.cfg file containing:

ErrorReportingEnable=1
TraceOutputFileEnable=1
PolicyFileLog=1
PolicyFileLogAppend=1

That will log the errors to a text file. Check out more details on setting up the mm.cfg file.

James Ward
True - I'd also get the current cross domain policy file down ASAP as it's basically allowing everything.
quoo
I think I am fully aware of the risks, nevertheless, thanks James for pointing that out to everyone. I also think a proxy should be the solution of choice. Still, the initial question remains open.
cboese
If it is safe for you to use a crossdomain policy file because serverb.com does not use cookie auth and isn't an internal server then it's probably also ok to leave the "*" in there. Are you getting an error message in a debug version of Flash Player?
James Ward
I am very very confused now, as it works on some systems with some browsers and on others it fails. I can't make any sense out of it. E.g. Safari under OSX always refuses the crossdomain except for the "*" one and IE on WinXP always accepts it, no matter what kind of (well formed) rubbish I put in the file. Maybe one time I will find out what exactly is going on under the hood, but for now I stick with the "*" for development and use a proxy for live systems. Thanks for your help, esp. the port variant from quoo, I think that "should" be the solution.
cboese
I've added some info on how to debug policy errors. Getting an error message goes a long way in determining what the problem is.
James Ward
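
The risk raised in the answer above (a policy that trusts "*" on a service using cookie auth or sitting on an internal network) can be checked mechanically before a policy file is deployed. The following Python script is an added example, not code from this thread: it audits a crossdomain.xml and reports how broad each allow-access-from rule is. The function name audit_policy and the severity labels are assumptions of this example, and the two embedded policies are the ones quoted in the question and the first answer.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the two policies quoted in this thread.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.servera.com" to-ports="3333"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (severity, domain, message) findings; labels are this example's own."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return [("error", None, f"not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", None, f"unexpected root element <{root.tag}>")]
    rules = root.findall("allow-access-from")
    if not rules:
        return [("info", None, "no allow-access-from rule, nothing is granted")]
    findings = []
    for rule in rules:
        domain = (rule.get("domain") or "").strip()
        if not domain:
            findings.append(("error", domain, "rule has no domain attribute"))
        elif domain == "*":
            findings.append(("high", domain, "content from any domain may read responses"))
        elif domain.startswith("*.") and "*" not in domain[1:]:
            findings.append(("medium", domain, "every subdomain is trusted"))
        elif "*" in domain:
            findings.append(("review", domain, "wildcard outside the leading position"))
        else:
            findings.append(("ok", domain, "single named host"))
        # secure="false" lets content loaded over HTTP read an HTTPS service.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", domain, "secure=false weakens an HTTPS service"))
    return findings


if __name__ == "__main__":
    for name, text in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(text))
```

A file that fails the well-formedness check here is worth fixing first, since the thread reports that players and browsers disagree on how such files are treated.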