can't get it to work: crossdomain.xml and Flash

Question

Hi, I have a (self-created) swf demo with button triggering getUrl('SampleTargetPage.html')

Now I want to place the swf at our cdn at cdn.example.com while my html page resided on www.example.com

More structured:

www.example.com/test.html
cdn.example.com/someflash.swf
cdn.example.com/crossdomain.xml

I thought it would be sufficient to provide a crossdomain.xml at cdn.example.com to allow the links work. But: it seems like the Flash plugin never queries the crossdomain.xml at all!

Now, is there something which I must add in the SWF itself to make this work? Thanks a lot!

edit: do I need to use Security.loadPolicyFile? edit: Maybe I don't need the crossdomain.xml at all because everything's under *.example.com?

Answer 1

The crossdomain.xml file should be at the root of the site and list all the domain that have access to the files within. You can also set you file to allow all, if you want.

Notice that in the this example below i used a wildcard (*) instead of a subdomain so i can give access to all sub-domains that fall within my main domain. The first two entries is just examples of specific external sites if you want to be restrictive about that. but you can always just do a ..* to allow all.

The contents will look like this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"&gt;
<cross-domain-policy>
  <allow-access-from domain="www.siteone.com" />
  <allow-access-from domain="sitetwo.com" />
  <allow-access-from domain="*.mysite.com" />
</cross-domain-policy>

Answer 2

Found the problem! The solution was to set allowscriptaccess to 'always' in the flash params:

 allowscriptaccess : 'always'

That's background info about the issue:

Starting with Flash Player 9, getURL (or navigateToURL) calls affecting "_self," "_parent," or "_top" were considered an interaction with the hosting HTML page. Starting with Flash Player 9 update 3, all calls to targets other than "_blank" are affected. This is to prevent untrusted SWF files embedded in the HTML page from re-navigating a browser page (or a frame within that page) without warning the user that they are now visiting a different third-party website. It also enforces cross domain scripting restrictions across all html frames.

To protect HTML pages from untrusted SWF files, Flash Player supports the HTML parameter AllowScriptAccess in the and tags that display Flash content. AllowScriptAccess can have three values: • "always": permits the SWF file to interact with the HTML page in all cases. • "sameDomain": permits the SWF file to interact with the HTML page only when their domains match exactly. By default, the HTML publish templates in the Adobe Flash authoring application output HTML that specifiesAllowScriptAccess="sameDomain", as this is frequently the desired security behavior. • "never": completely prevents the SWF file from interacting with the HTML page.

Calling getURL (or navigateToURL ) now falls under the control of the AllowScriptAccess parameter. In other words, AllowScriptAccess must either be "always" or "sameDomain," and the domains of the HTML page and SWF file must match exactly. Otherwise, the call to getURL (or navigateToURL) will fail.

This is a new behavior introduced in Flash Player 9 to comply with the security model and affects all SWF versions. Adobe is aware that this may change the behavior of some SWF media deployed before the release of Flash Player 9, and we apologize for any inconvenience this may cause.