Problem with policy file for ActionScript 3 XMLSocket

Question

Hi everyone, we've developed a tailored server in .NET to host some basic chat/IM functions for our website, and the client is written in Flex (AS3) using XMLSocket.

Now we have 2 servers, one dedicated to purely sending policy files, and one handling IM/Chat functions.

Problem is, we can see the client connecting, the policy file is sent, but then Flash ignores the policy file and requests it again from our chat/IM server.

Policy file:

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
</cross-domain-policy>

Policy server:

Server.LogMessage("Policy Server: Serving policy file.");
            TcpListener listener = (TcpListener)ar.AsyncState;
            Socket client = listener.EndAcceptSocket(ar);
            NetworkStream ns = new NetworkStream(client);
            StreamReader sr = new StreamReader(ns);
            StreamWriter sw = new StreamWriter(ns);

            sr.Read();
            //Send policy
            sw.Write(Server.EncodeString(Server.xmlPolicyFile.OuterXml) + "\0");
            sw.Flush();
            ns.Flush();
            //Cleanup
            sw.Close();
            sr.Close();
            ns.Close();
            //Do it again!
            tcl.BeginAcceptSocket(AcceptCallback, tcl);

Answer 1

Cross Domain Policy only works for the server its on... you can't have a server serving up the policy for a different server... what would stop a villain creating a policy for your machine and stealing your data.

You'll need to have the policy served from the correct server.