In many occasions you might want a SWF to be able to retrieve data from another domain, by loading variables from a text file for example, or you might want to send data from a Flash email form to a PHP script that is sitting on another domain.

With Flash player 6 a security sandbox implemented a restriction : a movie sitting on one domain would be prevented from loading data from another domain. In Flash Player 6, sub domains of the same parent domain could access each other's data this is not the case anymore starting with Flash player 7, domains must be identical for data to be read.

Luckily there is a way to allow the Flash player to gather or send data from another domain, this is what we can find in the Flash 8 manual :

When a Flash document attempts to access data from another domain, Flash Player will automatically attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible. Policy files must be named crossdomain.xml, and can reside either at the root directory or in another directory on the server that is serving the data with some additional ActionScript

Here we are, let's have a look in more details at a crossdomain.xml :

<?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="www.flashvalley.com" /> <allow-access-from domain="*.bbc.co.uk" /> <allow-access-from domain="234.123.18.1" /> </cross-domain-policy>

You will notice the usual XML version declaration : <?xml version="1.0"?>

Then we have the <cross-domain-policy> tag that will encapsulates all the <allow-access-from> tags.

All the <allow-access-from> tags have an attribute domain that can either specified an exact IP address, an exact domain, or a wildcard domain (any domain).

If you specify an IP address you will need your SWF file to access the data source using the ip address in the web address like http://234.123.18.1/myVariables.txt, the Flash player won't do any DNS conversion so you can't just enter the domain name bound to that IP as it won't work.

Be aware that using <allow-access-from domain="flashvalley.com" /> won't grant access to the data source to your SWF if you try to access it using http://www.flashvalley.com and vice versa. To be sure that you will be able to access it from both url, the one with the www and the one without it you will need to specify both domain or to use a wild card like *.flashvalley.com

if you want to allow access to your server to all IPs and domain names just use a simple wild card as below :

<?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy>

If you have a data source sitting on HTTPS server and you want a SWF sitting on HTTP server to be able to access you will have to add the attribute secure to the <allow-access-from> tag as well as setting it to false (see example below)

<?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="www.flashvalley.com" secure="false"/> </cross-domain-policy>

If you want to be able to customize the location and the name of your policy file you can use the System.security.loadPolicyFile method. This method will only work if the client is using a post Flash player 7.0.14.0.

With the addition of System.security.loadPolicyFile, Flash Player 7.0.19.0 can load policy files from arbitrary locations, as shown in the following example:

System.security.loadPolicyFile("http://mydomain.com/sub/dir/myPolicyFile.xml");

Good luck :)

Calwen
flashvalley.com