lash / Flex Tutorial - How to Create a crossdomain.xml file.

This brief tutorial will teach you how to create a crossdomain.xml file so that you can access files and information from outside domains and load files and data within your Flash / Flex apps. It is as simple as 4 easy steps.

1. Create an xml file named crossdomain.xml. (XML can be created with Dreamweaver or just simply MS Notepad. Just make sure that you give it the '.xml ' extension on the end.)
2. Copy and paste one of the code examples below into the XML file:
3. Save the file.
4. FTP / upload the file to the root directory of your website. (you should be able to see the file in a browser by typing the url www.yourwebsite.com/crossdomain.xml).

XML Code 1:
This is a typical crossdomain.xml file. Notice that I included my domain as well as my domain without the 'www' in front.

<?xml version="1.0"?><!DOCTYPE cross-domain-policySYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.curtismorley.com" />
<allow-access-from domain="curtismorley.com" />
</cross-domain-policy>

XML Code 2:
The follwing Code will allow all domains. This effectively eliminates any security that Flash would have otherwise had. I suggest that you don't use this example unless you enjoy security holes.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

XML Code 3:
The block of code below will explicitly disallow any and all access from any outside domain. As well, any domain that is not spelled exactly how the host domain is spelled will be blocked. This is the tighest cross domain security that you can employee.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
</cross-domain-policy>

XML Code 4:
The code below illustrates different uses of the '*' wildcard symbol. This is thecrossdomain.xml file from Amazon.com The wildcard allows for any variation before '.amazon.com'. Amazon does this because of the public services and APIs that it allows others to connect to.

<cross-domain-policy>
<allow-access-from domain="*.amazon.com"/>
<allow-access-from domain="amazon.com"/>
<allow-access-from domain="www.amazon.com"/>
<allow-access-from domain="pre-prod.amazon.com"/>
<allow-access-from domain="devo.amazon.com"/>
<allow-access-from domain="images.amazon.com"/>
<allow-access-from domain="anon.amazon.speedera.net"/>
<allow-access-from domain="*.amazon.ca"/>
<allow-access-from domain="*.amazon.de"/>
<allow-access-from domain="*.amazon.fr"/>
<allow-access-from domain="*.amazon.jp"/>
<allow-access-from domain="*.amazon.co.jp"/>
<allow-access-from domain="*.amazon.uk"/>
<allow-access-from domain="*.amazon.co.uk"/>
</cross-domain-policy>

Creating a cross domain policy file is just that easy.

And Happy Flashing.

P.S. I highly suggest that you read one or all of the following articles on cross domain policy files and the Flash Player security sandbox,

Crossdomain Article by Colin Moock

Adobe Crossdomain Technote (this one is required reading)

Flash Player 9 Security Whitepaper

Adobe LiveDocs on Flash Player Security