Policy Files
In this section, you will learn about the Flash player security restrictions as they apply to
loading external data, and how the restrictions can be bypassed.
By default, an SWF can load external data only from the domain on which it resides. In
other words, an SWF running within the Web page at
http://www.electrotank.com/addressbook.html could not load the XML file at
http://www.derekfranklin.com/addresses.xml because the running SWF and the file it's
attempting to load are not on the same domain. However, the domain derekfranklin.com
can give permission to SWF files that exist on electrotank.com by using a policy file,
allowing those SWF files to load and use content from the derekfranklin.com domain.
You will learn more about policy files later in this lesson, but before that you should
understand what the Flash player considers to be a different domain.
The Flash player uses exact domain matching to determine whether a Flash file and
external data source are on the same domain. A subdomain of a domain is not considered
the same domain as its parent. For example, store.electrotank.com is not considered the
same domain as games.electrotank.com, and www.electrotank.com is not the same as
electrotank.com. If the two domain names don't look exactly alike, letter for letter, they're
mismatched, and data exchange is not permitted without being granted access via a policy
file.
A policy file is an XML-formatted file that sits in the root directory of a domain. When
an SWF attempts to load data from another domain, the Flash player checks the
destination domain for a policy file. If a policy file exists, the Flash player loads it and
checks whether the origin domain is granted access. If the origin domain is granted
access, the Flash player loads the requested data; otherwise, it doesn't.
NOTE
The loading of the policy file is transparent to the user. It happens in the background
without any special ActionScript coding.
The following is the format of a policy file:
<cross-domain-policy>
<allow-access-from domain="www.derekfranklin.com" />
<allow-access-from domain="www.electrotank.com" />
<allow-access-from domain="63.74.114.215" />
</cross-domain-policy>
If the XML were saved to a file called crossdomain.xml and uploaded to the root
directory of http://www.gamebook.net, Flash files on www.derekfranklin.com,
www.electrotank.com, and the IP 63.74.114.215 would be granted access to load data
from gamebook.net.
NOTE
A policy file for a domain must always be named crossdomain.xml and must exist in the
root directory of the domain.
The crossdomain.xml file would not grant access to an SWF file on store.electrotank.com
because it doesn't exactly match the authorized domain.
The crossdomain.xml file supports wildcards. If you wanted your policy file to allow all
subdomains of electrotank.com, you would use an asterisk in the policy file code as
follows:
<cross-domain-policy>
<allow-access-from domain="*.electrotank.com" />
</cross-domain-policy>
If you wanted to grant access to all domains everywhere, here is how you would set up
the policy file:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
TIP
When you run a Flash movie from your own computer, as you have been doing with the
exercises in this book, the domain restrictions just discussed do not apply. SWF files
running on your computer can load a file from any domain in the world without having to
be granted access from a crossdomain.xml file.
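The matching rules described above can be checked mechanically before a policy file is published. The following Python sketch is an added example, not code from the book: it parses a policy file, decides whether an SWF served from a given host would be granted access, and reports the wildcard entries that widen access. The function names and the sample policy are constructed for illustration, and host names are compared case-insensitively.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: one exact host plus both wildcard forms from the text.
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.derekfranklin.com" />
  <allow-access-from domain="*.electrotank.com" />
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return the domain patterns listed in allow-access-from elements."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [el.get("domain", "").strip().lower()
            for el in root.iter("allow-access-from")]


def pattern_allows(pattern, origin_host):
    """Apply one policy pattern to the host an SWF was served from."""
    host = origin_host.lower()
    if pattern == "*":
        return True  # every domain everywhere
    if pattern.startswith("*."):
        # Subdomain wildcard. Assumption: the bare parent domain is not
        # matched, because the text only says "all subdomains".
        suffix = pattern[1:]  # ".electrotank.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern  # exact, letter-for-letter match


def is_allowed(patterns, origin_host):
    """True if any pattern in the policy grants access to origin_host."""
    return any(pattern_allows(p, origin_host) for p in patterns)


def audit(patterns):
    """Return (pattern, finding) pairs for entries that widen access."""
    findings = []
    for p in patterns:
        if p == "*":
            findings.append((p, "any SWF on any domain can load this site's data"))
        elif p.startswith("*."):
            findings.append((p, "every subdomain of the named domain is trusted"))
    return findings
```

Running audit(parse_policy(...)) over a policy before uploading it shows which entries grant more than a single named host.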