When you build a flash project which needs to talk to a page or an swf on another domain, you will find that there is security issues surrounding it. Adobe doesn't allow “cross-site scripting” unless the called domain has a file to tell the the swf that is can access the domain.
Reasons why?
Well, if you built a script which an swf calls to obtain information then a hacker can download the swf and place it on their site and access your data. Your data might be confidential and someone has ripped off your swf to obtain the link and use the information for their own benefit.
How to use cross-site scripting?
You can find plenty of example on the adobe site but I have been doing it for a web development company called vanilla active and we use it often so I will try explain my way. We have a server which contains many domain names so this example that a will give you will work well for both a single domain and multiple domains.
Structure
the swf(the one calling a page on another server)
|_ root of the server(not the httpdocs but before) contains a xml file
|_ httpdocs(of the called page) contains another xml file
STEP 1
The root(not httpdocs) needs a policy xml file,this grants flash access to the httpdocs. Example below:
"<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
</cross-domain-policy>"
The policy which I have place in this file allows any domain to go beyond the file to the called root directory to check the permissions set in there.
STEP 2
Now place a XML file into the location of the script which flash is going to access. Example below:
"<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"
In this file I have allowed access from any domain by using the * in the policy. However this is not secure so you should change it to allow only the swfs domain name. You can add more of this code to allow more than one domain.
<allow-access-from domain="www.the-swfs-domain.co.uk" />
STEP 3
In the action script, flash needs to access the second policy xml using the code below.
Security.loadPolicyFile("http://www.the-called-domain.co.uk/crossdomain.xml");
It takes time get the hang of it but it becomes an easy and secure way to call other domains.
No comments:
Post a Comment