Policy Files
In this section, you will learn about the Flash player security restrictions as they apply to loading external data, and how the restrictions can be bypassed.
By default, an SWF can load external data only from the domain on which it resides. In other words, an SWF running within the Web page at http://www.electrotank.com/addressbook.html could not load the XML file at http://www.derekfranklin.com/addresses.xml because the running SWF and the file it's attempting to load are not on the same domain. However, the domain derekfranklin.com can give permission to SWF files that exist on electrotank.com by using a policy file, allowing those SWF files to load and use content from the derekfranklin.com domain. You will learn more about policy files later in this lesson, but before that you should understand what the Flash player considers to be a different domain.
The Flash player uses exact domain matching to determine whether a Flash file and an external data source are on the same domain. A subdomain of a domain is not considered the same domain as its parent. For example, store.electrotank.com is not considered the same domain as games.electrotank.com, and www.electrotank.com is not the same as electrotank.com. If the two domain names don't look exactly alike, letter for letter, they're mismatched, and data exchange is not permitted without being granted access via a policy file.
A policy file is an XML-formatted file that sits in the root directory of a domain. When an SWF attempts to load data from another domain, the Flash player checks the destination domain for a policy file. If a policy file exists, the Flash player loads it and checks whether the origin domain is granted access. If the origin domain is granted access, the Flash player loads the requested data; otherwise, it doesn't.
NOTE
The loading of the policy file is transparent to the user. It happens in the background without any special ActionScript coding.
The following is the format of a policy file:
<cross-domain-policy>
<allow-access-from domain="www.derekfranklin.com" />
<allow-access-from domain="www.electrotank.com" />
<allow-access-from domain="63.74.114.215" />
</cross-domain-policy>
If the XML were saved to a file called crossdomain.xml and uploaded to the root directory of http://www.gamebook.net, Flash files on www.derekfranklin.com, www.electrotank.com, and the IP 63.74.114.215 would be granted access to load data from gamebook.net.
NOTE
A policy file for a domain must always be named crossdomain.xml and must exist in the root directory of the domain.
The crossdomain.xml file would not grant access to an SWF file on store.electrotank.com because it doesn't exactly match the authorized domain.
The crossdomain.xml file supports wildcards. If you wanted your policy file to allow all subdomains of electrotank.com, you would use an asterisk in the policy file code as follows:
<cross-domain-policy>
<allow-access-from domain="*.electrotank.com" />
</cross-domain-policy>
If you wanted to grant access to all domains everywhere, here is how you would set up the policy file:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
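The matching rules described in this section, sketched as an added Python example (not code from the book or from the Flash player): it parses a policy file, decides whether an origin domain is granted access, and lists wildcard entries that deserve review before a policy is published. The function names are hypothetical; treating *.electrotank.com as matching subdomains only, and comparing names case-insensitively, are assumptions.

```python
import xml.etree.ElementTree as ET

# The three policy files shown in this section, embedded as sample input.
EXACT_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.derekfranklin.com" />
  <allow-access-from domain="www.electrotank.com" />
  <allow-access-from domain="63.74.114.215" />
</cross-domain-policy>"""
SUBDOMAIN_POLICY = ('<cross-domain-policy>'
                    '<allow-access-from domain="*.electrotank.com" />'
                    '</cross-domain-policy>')
OPEN_POLICY = ('<cross-domain-policy>'
               '<allow-access-from domain="*" />'
               '</cross-domain-policy>')


def allowed_domains(policy_xml):
    """Return the domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def entry_matches(entry, origin):
    """Apply the matching rules described in the text to one entry."""
    origin = origin.lower()
    if entry == "*":                  # every domain everywhere
        return True
    if entry.startswith("*."):        # subdomains of the named parent
        # Assumption: the bare parent is not matched; the text only
        # mentions subdomains. The suffix keeps its leading dot so that
        # "notelectrotank.com" cannot match "*.electrotank.com".
        suffix = entry[1:]
        return origin.endswith(suffix) and len(origin) > len(suffix)
    return entry == origin            # exact, letter-for-letter match


def is_granted(policy_xml, origin):
    """True if any entry in the policy grants access to the origin."""
    return any(entry_matches(e, origin) for e in allowed_domains(policy_xml))


def wildcard_entries(policy_xml):
    """Entries a reviewer should examine: anything containing '*'."""
    return [e for e in allowed_domains(policy_xml) if "*" in e]
```
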
TIP
When you run a Flash movie from your own computer, as you have been doing with the exercises in this book, the domain restrictions just discussed do not apply. SWF files running on your computer can load a file from any domain in the world without having to be granted access from a crossdomain.xml file.