Policy Files

In this section, you will learn about the Flash Player security restrictions as they apply to loading external data, and how a domain can relax those restrictions by granting access through a policy file.

By default, an SWF can load external data only from the domain on which it resides. In other words, an SWF running within the Web page at http://www.electrotank.com/addressbook.html could not load the XML file at http://www.derekfranklin.com/addresses.xml because the running SWF and the file it's attempting to load are not on the same domain. However, the domain derekfranklin.com can give permission to SWF files that exist on electrotank.com by using a policy file, allowing those SWF files to load and use content from the derekfranklin.com domain. You will learn more about policy files later in this lesson, but before that you should understand what the Flash player considers to be a different domain.

The Flash player uses exact domain matching to determine whether a Flash file and external data source are on the same domain. A subdomain of a domain is not considered the same domain as its parent. For example, store.electrotank.com is not considered the same domain as games.electrotank.com, and www.electrotank.com is not the same as electrotank.com. If the two domain names don't look exactly alike, letter for letter, they're mismatched, and data exchange is not permitted without being granted access via a policy file.

A policy file is an XML-formatted file that sits in the root directory of a domain. When an SWF attempts to load data from another domain, the Flash player checks the destination domain for a policy file. If a policy file exists, the Flash player loads it and checks whether the origin domain is granted access. If the origin domain is granted access, the Flash player loads the requested data; otherwise, it doesn't.


The loading of the policy file is transparent to the user. It happens in the background without any special ActionScript coding.

The following is the format of a policy file (the <allow-access-from> entries sit inside a single <cross-domain-policy> root element):

  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="www.derekfranklin.com" />
    <allow-access-from domain="www.electrotank.com" />
    <allow-access-from domain="" />
  </cross-domain-policy>


If this XML were saved to a file called crossdomain.xml and uploaded to the root directory of http://www.gamebook.net, Flash files on www.derekfranklin.com, www.electrotank.com, and the IP address listed in the third entry would be granted access to load data from gamebook.net.


A policy file for a domain must always be named crossdomain.xml and must exist in the root directory of the domain.

The crossdomain.xml file would not grant access to an SWF file on store.electrotank.com because it doesn't exactly match the authorized domain.

The crossdomain.xml file supports wildcards. If you wanted your policy file to allow all subdomains of electrotank.com, you would use an asterisk in the policy file code as follows:


  <allow-access-from domain="*.electrotank.com" />


If you wanted to grant access to all domains everywhere, here is how you would set up the policy file:


  <allow-access-from domain="*" />
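
The matching rules above (exact, letter-for-letter matching; "*.parent" for all hosts under a domain; "*" for everyone) can be checked against a policy file in code. The following is an added example written for this lesson, not code from the book; the policy bodies and the domain names are constructed, borrowing the hypothetical domains used in the text.

```python
"""Evaluate crossdomain.xml decisions using the matching rules in the lesson.

Added example (not code from the book). The policies below are constructed
and use the hypothetical domains from the lesson text.
"""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.derekfranklin.com" />
  <allow-access-from domain="*.electrotank.com" />
</cross-domain-policy>"""

OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return the domain patterns granted access by a crossdomain.xml body."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element must be <cross-domain-policy>")
    return [el.get("domain", "") for el in root.findall("allow-access-from")]


def pattern_matches(pattern, origin):
    """Apply the lesson's rules to one <allow-access-from> entry.

    '*' matches every origin; '*.parent' matches any host under parent;
    anything else must match letter for letter (hostname case is not
    significant, so both sides are lowercased before comparing).
    """
    pattern, origin = pattern.lower(), origin.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return origin.endswith(pattern[1:])  # suffix such as ".electrotank.com"
    return pattern == origin  # www.x.com != x.com; store.x.com != games.x.com


def is_allowed(xml_text, origin):
    """Would an SWF served from `origin` be allowed to load this domain's data?"""
    return any(pattern_matches(p, origin) for p in parse_policy(xml_text))


def audit_policy(xml_text):
    """Flag the entry a reviewer should always question: the global wildcard."""
    return ['domain="*" lets an SWF from any domain read this site\'s data'
            for p in parse_policy(xml_text) if p == "*"]
```

Running is_allowed(SAMPLE_POLICY, "derekfranklin.com") returns False because only www.derekfranklin.com is listed, while store.electrotank.com is accepted through the wildcard entry.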



When you run a Flash movie from your own computer, as you have been doing with the exercises in this book, the domain restrictions just discussed do not apply. SWF files running on your computer can load a file from any domain in the world without having to be granted access from a crossdomain.xml file.