Accessing Data Across Multiple Domains

Adobe Flash Player has security restrictions which prevent Flash movies from accessing specific types of data that reside outside the exact domain on which the swf file resides. This means that everything between the “http://” and the next forward slash (“/”) has to be exactly the same.

Hi! My name is ReaperMedia. I am a Web Designer/Developer from England and this is a tutorial I have produced for the FlashDen blog.

Here’s an Example

If a swf file is located at:

http://mywebsite.com/a_folder/my_swf.swf

And the data you are trying to access is at:

http://mywebsite.com/a_different_folder/some_data.xml

The Flash file will be able to access the data because both files have the same domain. That domain is:

mywebsite.com

An example of the Flash file not being able to access the information would be if the swf file was located at:

http://mywebsite.com/a_folder/my_swf.swf

And if the data was located at:

http://subdomain.mywebsite.com/a_different_folder/some_data.xml

The swf file cannot access this data because the data and the swf file are on different domains. The swf file has the domain mywebsite.com and the data has the domain subdomain.mywebsite.com.

This affects XML files, sending and receiving data from server-side scripts, and any other form of data, for example a .txt file or an .html file.

For example, security restrictions will prevent you from loading an XML file from a different domain. They will also prevent you from sending information to PHP (or any other server-side script) files on a different domain; the same goes for receiving responses and data from PHP (or any server-side script) files on different domains.

The Solution:

However, there is no need to worry! Along with the new security restriction came a way for anyone who owns the data in question to lift it, by allowing certain domains access to their data.

To allow .swf files from other domains to access your data, you create what is known as a crossdomain.xml file. In that file you list which domains are allowed to access your data. This file needs to be placed at the root of your website. For example, if your data had the domain mywebsite.com, you would have to put the file at: mywebsite.com/crossdomain.xml

If your data had the domain subdomain.mywebsite.com, you would have to put the file at: subdomain.mywebsite.com/crossdomain.xml

Building the crossdomain.xml file:

The file is in fact a very simple xml file, which can easily be built in notepad or any other text editor.

Start off by creating a new text file in your preferred text editor. Save the file in an easy-to-remember folder, and call it “crossdomain.xml”.

Next, copy the text below into your file and save it again.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
           <!--  Your Website Addresses -->
</cross-domain-policy>

That is the basic structure of the crossdomain.xml file. You will need to replace “<!-- Your Website Addresses -->” with the list of domains allowed to access your data. This list refers to the place where the swf file is stored: for example, if a swf file needed to access your data and its domain was files.mywebsite.com, you would add that domain to your list if you wanted it to be able to access your data.

Each new domain / website has to be on a new line, and is written in the following format:

<allow-access-from domain="YOUR DOMAIN" />

For each domain, you would replace “YOUR DOMAIN” with the domain name of each entry.

For example, if we wanted the domains subdomain.mywebsite.com and files.mywebsite.com to be able to access our data, our crossdomain.xml file would look like this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
           <allow-access-from domain="subdomain.mywebsite.com" />
           <allow-access-from domain="files.mywebsite.com" />
</cross-domain-policy>

Of course you are not limited to just “something.mywebsite.com”, you can allow access from pretty much any website you want! So you could allow: google.com and flashden.net to have access to your data if you wanted.

Using Wildcards

Another useful thing you can use is “wildcards”. Wildcards are a way of saying “anything can go here!!!”. They are written as just a “*”. So, for example, if you wanted to allow all of the subdomains of a particular website to have access to your data, you could use *.mywebsite.com, and that would allow all subdomains and sub-subdomains of that website to have access to your data. If you really wanted, you could allow absolutely EVERY website access to your data by putting just a “*” there. For example:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
           <allow-access-from domain="*.mywebsite.com" />
</cross-domain-policy>

That would allow all of the subdomains of “mywebsite.com” to have access to your data, but it wouldn’t allow “mywebsite.com” itself to have access. For that, you would have to write this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
           <allow-access-from domain="mywebsite.com" />
           <allow-access-from domain="*.mywebsite.com" />
</cross-domain-policy>

And if you didn’t care at all which websites could access your data, giving access to all websites, you can just use this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
           <allow-access-from domain="*" />
</cross-domain-policy>

So there you have it, you now have the knowledge to transfer data from your websites to any flash file on any website you want.

Remember to put the crossdomain.xml file in the root of the domain which holds the data, not the swf file.
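
The matching rules described above, written out as a check you can run against a policy before publishing it; it also flags wildcard entries, since those widen who can read your data. This is an added example, not code from the original tutorial: the function names and the sample policy are constructed for illustration, and the matcher follows the tutorial's description rather than Flash Player's own implementation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's "domain plus all subdomains" policy.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="mywebsite.com" />
    <allow-access-from domain="*.mywebsite.com" />
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)  # the external DTD is not fetched
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def pattern_matches(pattern, swf_domain):
    """Apply the matching rules the tutorial describes (hypothetical helper)."""
    swf_domain = swf_domain.lower()
    if pattern == "*":
        return True  # every website
    if pattern.startswith("*."):
        # Subdomains and sub-subdomains only; the bare domain does not
        # end with ".mywebsite.com", so it is correctly rejected.
        return swf_domain.endswith(pattern[1:])
    return swf_domain == pattern  # exact match, nothing else


def is_allowed(policy_xml, swf_domain):
    """Would a swf served from swf_domain be allowed to read the data?"""
    return any(pattern_matches(p, swf_domain)
               for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """List entries that grant more than a single named domain."""
    findings = []
    for p in allowed_patterns(policy_xml):
        if p == "*":
            findings.append((p, "any website may read this domain's data"))
        elif p.startswith("*."):
            findings.append((p, "every subdomain and sub-subdomain is trusted"))
    return findings
```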

Thanks once again to ReaperMedia for producing this article for Down the FoxHole.

Comments
  • w0lf says:

    Thanks a lot, ReaperMedia!

    It’s a very interesting configuration that I’m sure not many people (including me) knew about.

  • Reaper-Media says:

    Thanks for the comments!

  • Or you can just make a proxy.php to load external documents :D

  • Reaper-Media says:

    Okay, all of the code has been sorted now. Happy coding!

  • LanceSnider says:

    @ramon, you can in some scenarios, but not in all. For example, I built a swf once that users put on their MySpace pages. You can’t really add a php file to the MySpace page so the xml, php, whatever file needed to be placed on another domain.

    Fantastic tutorial Reaper! Do you, or anyone else for that matter, know if you can make just a directory, rather than the entire domain accessible from other domains?

  • Reaper-Media says:

    @Lance: Here is a decent way of doing what you asked: http://kb2.adobe.com/cps/165/tn_16520.html#shim

    I’m not sure if it is possible with crossdomain.xml, I think it is, but you need to add some AS code, I’ll look into it. :)

  • rondog says:

    ahh the good ole crossdomain…such an easy and useful tool to know. Nice tutorial man!

  • baklach says:

    Thanks for this Reaper-Media!!! I was thinking exactly about this when I saw the post!!!!! I was thinking, if I create a sub-domain and put the file that I want others (anyone/any domain) to access, I should put the crossdomain.xml file in it to grant access only to the files in this sub-domain, not across the whole domain!!!!

    I have a great idea which must Use cross-domain thing!!!! This is really useful for Me thank You a lot for this!!!!!!!!!!!!

    Best regards!!!!!!