What is Crossdomain.xml

Can some one tell me what is the use of crossdomain.xml? And how it works? Where it should be the crossdomain.xml file is placed in client side or on remoting server?

If you have a Flash movie in a given domain on one server, you cannot access data on another domain. This is a security precaution. In order to use data from another domain, you have to allow that other data to be shared by including a crossdomain.xml file in the second domain. This crossdomain.xml file tells the flash player that data coming from this second domain is OK to use.
There are a number of scenarios explained in the first document that I listed above. Do you have a situation that is different from all of those examples?

Similar Messages

Multiple plugtmp-1 plugtmp-2 etc. in local\temp folder stay , crossdomain.xml and other files containing visited websitenames created while private browsing

OS = Windows 7
When I visit a site like youtube whith private browsing enabled and with the add-on named "shockwave flash" in firefox add-on list installed and activate the flashplayer by going to a video the following files are created in the folder C:\Users\MyUserName\AppData\Local\Temp\plugtmp-1
plugin-crossdomain.xml
plugin-strings-nl_NL-vflLqJ7vu.xlb
The contents of plugin-crossdomain contain both the "youtube.com" adress as "s.ytimg.com" and is as follows:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
-<cross-domain-policy> <allow-access-from domain="s.ytimg.com"/> <allow-access-from domain="*.youtube.com"/> </cross-domain-policy>
The contents of the other file I will spare you cause I think those are less common when I visit other sites but I certainly don't trust the file. The crossdomain.xml I see when I visit most other flashpayer sites as well.
I've also noticed multiple plugin-crossdomain-1.xml and onwards in numbers, I just clicked a youtube video to test, got 6 of them in my temp plus a file named "plugin-read2" (no more NL file cause I changed my country, don't know how youtube knows where I'm from, but that's another subject, don't like that either). I just noticed one with a different code:
<?xml version="1.0"?>
-<cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy>
So I guess this one comprimises my browsing history a bit less since it doesn't contain a webadress. If these files are even meant to be deposited in my local\temp folder. The bigger problem occurs when they stay there even after using private browsing, after clearing history, after clearing internet temporary files, cache, whatever you can think of. Which they do in my case, got more than 50 plugtmp-# folders in the previous mentioned local\temp folder containing all website names I visited in the last months. There are a variety of files in them, mostly ASP and XML, some just say file. I have yet to witness such a duplicate folder creation since I started checking my temp (perhaps when firefox crashes? I'd say I've had about 50 crashes in recent months).
I started checking my temp because of the following Microsoft Security Essential warnings I received on 23-4-12:
Exploit:Java/CVE-2010-0840.HE
containerfile:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp
file:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp->pong/reversi.class
and...
Exploit:Java/CVE-2008-5353.ZT
containerfile:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp
file:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp->Testability.class
Microsoft Security Essentials informed me that these files were quarantained and deleted but when going to my temp file they were still there, I deleted them manually and began the great quest of finding out what the multiple gigabytes of other files and folders were doing in that temp folder and not being deleted with the usual clearing options within firefox (and IE).
Note that I have set my adobe flasplayer settings to the most private intense I could think of while doing these tests (don't allow data storage for all websites, disable peer-to peer stuff, don't remember exactly anymore, etc.). I found it highly suspicious that i needed to change these settings online on an adobe website, is that correct? When right-clicking a video only limited privacy options are available which is why I tried the website thing.
After the inital discovery of the java exploit (which was discovered by MSE shortly after I installed and started my first scan with Malwarebytes, which in turn made me suspicious whether I had even downloaded the right malwarebytes, but no indication in the filename if I google it). Malwarebytes found nothing, MSE found nothing after it said it removed the files, yet it didn't remove them, manually scanning these jar_cache files with both malwarevytes and MSE resulted in nothing. Just to be sure, I deleted them anyways like I said earlier. No new jar_cache files have been created, no exploits detected since then. CCleaner has cleaned most of my temp folder, I did the rest, am blocking all cookies (except for now shortly), noscript add-on has been running a while on my firefox (V 3.6.26) to block most javascripts except from sites like youtube. I've had almost the same problem using similar manual solutions a couple of months ago, and a couple of months before that (clearing all the multiple tmp folders, removing or renaming jar_cache manually, running various antmalware software, full scan not finding a thing afterwards, installing extra add-ons to increase my security, this time it's BetterPrivacy which I found through a mozilla firefox https connection, I hope, which showed me nicely how adobe flash was still storing LSO's even after setting all storage settings to 0 kb and such on the adobe website, enabling private browsing in firefox crushed those little trolls, but still plugtmp trolls are being created, help me crush them please, they confuse me when I'm looking for a real threat but I still want to use flash, IE doesn't need those folders and files, or does it store them somewhere else?).
I'm sorry for the long story and many questions, hope it doesn't scare you away from helping me fight this. I suspect it's people wanting to belong to the hackergroup Anonymous who are doing this to my system and repeating their tricks (or the virus is still there, but I've done many antivirus scans with different programs so no need to suggest that option to me, they don't find it or I run into it after a while again, so far, have not seen jar_cache show up). Obviously, you may focus on the questions pertaining firefox and plugtmp folders, but if you can help me with any information regarding those exploits I would be extremely grateful, I've read alot but there isn't much specific information for checking where it comes from when all the anti-virus scanners don't detect anything anymore and don't block it incoming. I also have downloaded and installed process monitor but it crashes when I try to run it. The first time I tried to run it it lasted the longest, now it crashes after a few seconds, I just saw the number of events run up to almost a million and lots of cpu usage. When it crashed everything returned back to normal, or at least that's what I'm supposed to think I guess. I'll follow up on that one on their forum, but you can tell me if the program is ligit or not (it has a microsoft digital signature, or the name micosoft is used in that signature).

update:
I haven't upgraded my firefox yet because of a "TVU Web Player" plugin that isn't supported in the new firefox and I'm using it occasionally, couldn't find an upgrade for it. Most of my other plugins are upgraded in the green (according to mozilla websitechecker):
Java(TM) Platform SE 6 U31 (green)
Shockwave for Director (green - from Adobe I think)
Shockwave Flash (green - why do I even need 2 of these adobe add-ons? can I remove one? I removed everything else i could find except the reader i think, I found AdobeARM and Adobe Acrobat several versions, very confusing with names constantly switching around)
Java Deployment Toolkit 6.0.310.5 (green, grrr, again a second java, why do they do this stuff, to annoy people who are plagued with java and flash exploits? make it more complicating?)
Adobe Acrobat (green, great, it's still there, well I guess this is the reader then)
TVU Web Player for FireFox (grey - mentioned it already)
Silverlight Plug-In (yellow - hardly use it, I think, unless it's automatic without my knowing, perhaps I watched one stream with it once, I'd like to remove it, but just in case I need it, don't remember why I didn't update, perhaps a conflict, perhaps because I don't use it, or it didn't report a threat like java and doesn't create unwantend and history compromising temp files)
Google Update (grey - can I remove? what will i lose? don't remember installing it, and if I didn't, why didn't firefox block it?)
Veetle TV Core (grey)
Veetle TV Player (grey - using this for watching streams on veetle.com, probably needs the Core, deleted the broadcaster that was there earlier, never chose to install that, can't firefox regulate that when installing different components? or did i just miss that option and assumed I needed when I was installing veetle add-on?)
Well, that's the list i get when checking on your site, when i use my own browseroptions to check add-ons I get a slightly different and longer list including a few I have already turned off (which also doesn't seem very secure to me, what's the point in using your site then for anything other than updates?), here are the differences in MY list:
I can see 2 versions of Java(TM) Platform SE 6 U31, (thanks firefox for not being able to copy-paste this)
one "Classic Java plug-in for Netscape and Mozilla"
the other is "next generation plug-in for Mozilla browsers".
I think I'll just turn off the Netscape and Mozilla one, don't trust it, why would I need 2? There I did it, no crashes, screw java :P
There's also a Mozilla Default plugin listed there, why does firefox list it there without any further information whether I need it or not or whether it really originates from Mozilla firefox? It doesn't even show up when I use your website plugin checker, so is there no easy way by watching this list for me to determin I can skip worrying about it?
There's also some old ones that I recently deactivated still listed like windows live photo gallery, never remember adding that one either or needing it for anything and as usual, right-clicking and "visit homepage" is greyed out, just as it is for the many java crap add-ons I encountered so far.
Doing a quick check, the only homepage I can visit is the veetle one. The rest are greyed out. I also have several "Java Console" in my extentions tab, I deactivated all but the one with the highest number. Still no Java Console visible though, even after going to start/search "java", clicking java file and changing the settings there to "show" console instead of "hide" (can't remember exact details).
There's some other extentions from noscript, TVU webplayer again, ADblock Plus and now also BetterPrivacy (sidenote, a default.LSO remains after cleanup correct? How do I know that one isn't doing anything nasty if it's code has been changed or is being changed? To prevent other LSO's I need to use both private browsing and change all kinds of restrictions online for adobe flashplayer, can anyone say absurd!!! if you think you're infected and want to improve your security? Sorry that rant was against Adobe, but it's really against Anonymous, no offense).

IOError in IE but not in Firefox (possible crossdomain.xml problem)

Yesterday, I hopefully debugged a problem that is occuring for our application in IE but not in Firefox.
It has to do with accessing remote content from a separate domain.
In every aspect it APPEARS to be a crossdomain.xml issue but the fact that this issue only arrises in IE is what has prompted me to post here.
We have a solution in the works (bureaucratically speaking) but I want to double check here.
Our application is on domain "a.domain".
It access an xml file on "b.domain/xml/".
And finally (this is the tricky part) it also accesses an xml file at "b.domain/forwardingPath/" which is actually forwarded to "c.domain/xml/".
The crossdomain.xml is located at "b.domain/crossdomain.xml".
The request for "b.domain/xml/anXMLFile.xml" works without any problem.
The request for "b.domain/forwardingPath/anotherXMLFile.xml" succeeds in Firefox but not in IE (remember, the ACTUAL request is forwarded to "c.domain/xml/anotherXMLFile.xml").
In IE I get an IOError.
I believe we need an appropriate crossdomain.xml file also located at "c.domain/crossdomain.xml" and have put in that request. What I want to confirm is whether this understanding is correct. I am not a server-side person at all. It's all elves and fairies to me. And then finally, why the hell is this behavior inconsistent between IE and Firefox? Is the Firefox version of flash player violating its own security standards?!
I am cross-posting this at stack overflow. http://stackoverflow.com/questions/7395931/ioerror-in-ie-but-not-in-firefox-possible-cross domain-xml-problem

I've pinged our developers about this and here's what they have to say:
"We did some work for the plugin around redirects andhence the correct behavior on Firefox.
AFAIK, on IE we don't get notified of the redirect and can't participate in making security decisions during redirect scenarios. This behavior is out of our control.
There is a workaround documented in the AS3docs here: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/system/LoaderCont ext.html#checkPolicyFile
Here is the pertinent paragraph:
Be careful with checkPolicyFile if you are downloading anobject from a URL that may use server-side HTTP redirects. Policy files arealways retrieved from the corresponding initial URL that you specify inURLRequest.url. If the final object comes from a different URL because of HTTPredirects, then the initially downloaded policy files might not be applicableto the object's final URL, which is the URL that matters in security decisions.If you find yourself in this situation, you can examine the value ofLoaderInfo.url after you have received a ProgressEvent.PROGRESS orEvent.COMPLETE event, which tells you the object's final URL. Then call theSecurity.loadPolicyFile() method with a policy file URL based on the object'sfinal URL. Then poll the value of LoaderInfo.childAllowsParent until it becomes true."
Chris

Where to place crossdomain.xml in SAP ECC IDES?

Hi,
I have a flex application which uses webservices generated in SAP IDES system. This flex app is stored in portal server. Since the physical servers are involved, I get a security error message, which says, "Security error accessing url". I browsed through the net and found that, we have to place a crossdomain.xml file in the web root folder of the server from where we are fetching the data. In my case, it would be SAP IDES system.
I wanted to know where do I place this xml file in IDES? What would be it's location and how can I generate a URL to access this xml file?
Please let me know about this, if anyone has done this before.
Appreciate your help.
Thank you,
Warm regards,
Deepak

Hi Durairaj,
As mentioned in that thread, I created a BSP application in the server and loaded crossdomain.xml. It was accessible from the browser too.
This is the xml code which is there in crossdomain:
<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="all" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
But this did not solve my purpose
I have my flex application in a server, servera.abc.com and I am using the webservices of another server, serverb.abc.com
I uploaded the crossdomain.xml in serverb.abc.com, in the following path through a BSP application:
http://serverb.abc.com:8000/sap/bc/bsp/sap/zroot/crossdomain.xml
But I still get the 'security accessing url' message in flex. It doesn't load the wsdl.
I'm also using this piece of code in initialize event of the application in flex:
                       private function initSecurity():void{
                    Security.allowDomain("*");
                    Security.loadPolicyFile("http://serverb.abc.com:8000/sap/bc/bsp/sap/zroot/crossdomain.xml");
                    Alert.show("crossdomain xml loaded....");
Where am I going wrong here?

Question: crossdomain.xml without web server

Hi, Flex Gurus,
In case where I want to use Flex to communicate with a
non-web server machine, e.g. mysql, where should the
crossdomain.xml reside on the non-web server machine?
thanks,
sw

Well at that point you would put it where ever Flex can load
the file locally and do Security.loadPolicyFile("url"). However if
you are going to be using a socket for the connection I'm pretty
sure crossdomain.xml isn't what you're looking for, with the recent
security changes to the Flash Player I think you are looking more
for a Socket Policy File. You can read up on what I'm talking about
here at the following link.
Policy
File

Why crossdomain.xml

sorry i don't get it:
why should having a crossdomain.xml policy file on the server
that i load data from add any security?
if i'd operate a malicous site i'd just put the
crossdomain.xml on my site.
it does not seem logic to me that any server can decide if it
is secure that a flash app can load data from it.
it would seem more reasonable that the flex/flash app itself
decides where it is safe to load data from.
i don't understand the security underlying this concept.
what am i missing here?
thanks,
maxflex

Thanks for sharing that URL. I think this is the section that applies to my XSS issue:
If you imagine that the "public server" is instead a "hacker's server," and that instead of pushing out nice public content he's sharing harmful links to malware, etc., then I think you see the problem
"A public server that allows data access from any domain
Some sites are intended to be accessed by anyone. They contain publicly available data, such as news feeds and web services.
The Flash Player, and web browsers, generally disallow access to data outside the current domain. Because of this, a common practice is to deploy a proxy script on the server that hosts the Flash movie, which then requests data server-side before returning it to the movie.
This is a standard practice, but it requires the creator of the Flash movie create server-side logic just to access public data. If the public server has a policy file, all Flash movies can access its data without any additional server scripts.
A policy file that permits all domains to access it uses a wild card instead of specifying individual domains.
<?xml version="1.0"?>
         <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
         <cross-domain-policy>
         <allow-access-from domain="*" />
         </cross-domain-policy> "

Flex Mobile + crossdomain.xml

Ok, so, here's a fun one for you.
I have a webservice that the mobile app calls. This works fine on a http://localhost/.... run, but when testing on the device, the device can't interpret localhost.
Which means that I have to:
1.) put the webservice on a domain (done)
2.) do a crossdomain.xml file?
     <?xml version="1.0"?>
     <cross-domain-policy>
           <site-control permitted-cross-domain-policies="master-only"/>
           <allow-access-from domain="*"/>
     </cross-domain-policy>
I mean, the domain has to be "*" because mobile apps can be anywhere....
Anyone have any insight on this? I've tried using the webservice on my domain server, but to no avail.

Thanks for the reply. I've done some further research and doubt that it might be due to crossdomain.xml, though it's still possible.
I can successfully introspect my webservice using the Flex wizard if I do http://localhost/webservice.asmx?wsdl, but I cannot seem to introspect it using http://www.domain.com/webservice.asmx?wsdl even though I can access both urls in my web browser.
I uploaded crossdomain.xml into my root so it was available at http://www.domain.com/crossdomain.xml but was still not able to introspect the service.
The reason why crossdomain.xml was mentioned in the first place is that through the webservice wizard, it says "crossdomain.xml required".
I'm not sure what's going on, but would certainly appreciate any suggestions.

Crossdomain.xml on non-port 80

Help! I have an application that MUST go on a non-port 80 web
server. Port 80 is used by an embedded security device and can't be
altered. Regardless, the application must be served from a
different port for other security reasons.
I can't put a crossdomain.xml on, let's say, port 60000 at
the root of the web server. It doesn't work. There isn't even an
attempt to get to it.
What can I do?
My crossdomain.xml looks like...
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "
http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

Use Security.loadPolicyFile("xmlsocket://host:port"); and
you'll have to process the XML request and send the crossdomain.xml
file in response. This is NOT an HTTP request though, just a direct
XML socket communication so you have to have a server socket to
handle it. This is only necessary for XMLSocket and Socket
connections for remote hosts and/or ports under port 1024.
If you are trying to do an HTTPService then you can just
specify the Security.loadPolicyFile("
http://wherever:60000/crossdomain.xml");

Crossdomain.xml for cooliris and iweb

Hi,
I have been trying to embed a Cooliris wall in a HTML snippet in one of my iWeb pages. So far I have been successful to do that with Cooliris generic feed and flickr API feed. However, when I try to use a feed for my photos on my mobile web site, it tells me that I need the crossdomain.xml file in the root of my webserver. I have created this file in my iDisk->Web->Sites folder but it still fails to display the wall. My feed is good as I have validated it with feedvalidator.org so I wonder if this crossdomain.xml file should go anywhere else.
Has anyone has successfully embedded a Cooliris wall using a iWeb feed? I'd be curious how they did that. Or if anyone else has an idea of what I should do to resolve this issue.
Thanks,
J. Terrazas

I was able to embed the demo Cooliris Wall in a test page by adding the code provided at the site:
<object id="o" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="570" height="338"><param name="movie" value="http://apps.cooliris.com/embed/cooliris.swf?feed=api%3A%2F%2Fwww.flickr. com%2F" /><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><embed type="application/x-shockwave-flash" src="http://apps.cooliris.com/embed/cooliris.swf?feed=api%3A%2F%2Fwww.flickr.co m%2F" width="570" height="338" allowFullScreen="true" allowScriptAccess="always" /></object>
I don't know is your code is similar buy you can view the results here.
OT

Please HELP with CrossDomain.xml problem

I'm using Flex2 with Java as the backend. On my local machine
everything works fine. When I deployed the Java war file to the
hosting server and moved the swf there as well I keep getting the
following error "Security error accessing url"
faultCode="Channel.Security.Error". After reading on this it says I
need a crossdomain.xml file put at the root of my server.
I have placed a crossdomain.xml file at the following areas.
C:\Inetpub\wwwroot\crossdomain.xml
C:\Inetpub\vhosts\mysite.com\crossdomain.xml
C:\Inetpub\vhosts\mysite.com\httpdocs\crossdomain.xml
C:\Program
Files\SWsoft\Plesk\Additional\Tomcat\webapps\crossdomain.xml
the following is in the crossdomain.xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "
http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" secure="true"
/>
</cross-domain-policy>
the war file is deployed here:
C:\Program
Files\SWsoft\Plesk\Additional\Tomcat\psa-webapps\mysite.com\testjava.war
and the swf file is located here:
C:\Inetpub\vhosts\mysite.com\httpdocs\test.swf
I don't know what I'm missing. Please someone help me.

daperk,
You should post this to board "Smartphones, Nseries and Eseries Devices".

Google crossdomain.xml when making requests

Hi guys,
Does anyone know how to get round the googles cross domain
when trying to access their services like the maps.google.com
geocode?
Every call i make to try and make a LoadVars request works
fine in the flash IDE where it just trys to pull down the
google.com crossdomain, but any calls in a live enviroment just
request the crossdomain from the appropriate service, i.e. the
maps.google.com and then don't make the actual request.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "
http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control
permitted-cross-domain-policies="by-content-type" />
</cross-domain-policy>
Any help would be great, otherwise i'll have to proxy the
requests through a php page.

Howdy,
I have done some further investigations and I have so far concluded that:
- in the cases where the service does NOT work, the following is happening:
I watch a video (video 1), then close the window. I start a new window with a new video (video 2). However, despite closing a window and opening a new window, the TCP session for video 1 remains open. So when I start video 2, the crossdomain.xml request is sent on the old TCP session.
Instead of getting an "OK" reply, I simply get an "ACK" reply and the process is halted.
- in the cases where the service does work, the following is happening:
I watch a video (video 1), then close the window. I start a new window with a new video (video 2). For each window, a new TCP session is set up/ synchronised, and the crossdomain.xml request receices an "ACK".
- it seems that the failure scenario happens when there are no files in the cache.
Any ideas of what this could be?

Security error accessing url with crossdomain.xml in InDesign FlexUI

I'm evaluating Flex as a UI component in an InDesign script. Part of what it needs to do involves retrieving some data from a web server to be displayed in a datagrid. I've written a server running on localhost that will provide this data. Everything works fine when I run the component from Flash Builder or from the HTML wrapper page that is generated during the release build, but once I copy the .swf to the InDesign scripts folder and load it as part of a ScriptUI component, I get a fault response ("security error accessing url") when connecting to the server. I'm running this bit of code in from my Flex client:
var h:HTTPService = new HTTPService();
h.url = "http://localhost:8080/elements";
h.method = "GET";
h.addEventListener("result", getElementsResult);
h.addEventListener("fault", getElementsFault);
h.send();
From what I've read, I may need a crossdomain.xml file at the root of my host, so I've added that to the server and can see that it is being accessed whenever the flex component attempts to connect to the service.
My crossdomain.xml file is:
<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
which seems to be correct, from what I understand. I've also tried quite a few other variations (setting explicit site-control policies, etc.). I'm quite new to Flex/Flash and I'm basically stuck at this point. Where might I be going wrong?

I think sleeping on this one helped... I found that if I serve the .swf from my web server then everything works out fine. Loading it from the local filesystem seems to have been the problem.

Httpservice to localhost doesn't work in Flex4... Even with crossdomain.xml

So, this was working before I recompiled with Flex4, (In Flex 3.5) and now I can't get the following to work....
Story:
I'm using httpservice in flex like:
<mx:HTTPService id="getConfig" url="http://localhost/parser.php" method="POST" showBusyCursor="true" resultFormat="e4x" result="xmlresultHandler(event)" fault="faultHandler(event)" />
Everything is in my root directory on my web server. When run in debug or directly from flashbuilder, the call works fine. If I run a release build, and FTP the release to /var/www (my root), and try to browse to the server, the website pulls up, and the swf file runs, but I always get a
Fault:Channel.Security.Error
FaultString:'Security error accessing url'
faultDetail:'Destination:DefaultHTTP'
when it trys to read the httpservice.
I do have a crossdomain.xml file in my /var/www (webroot) folder with what I see as super permissive settings.... Below:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
<site-control permitted-cross-domain-policies="all" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
Any help would be GREATLY appreciated.

Thanks for the info Flex harUI,
So I tried bringing up the 3 files (crossdomain.xml, main.swf, and parser.php) from a browser and they call exist and are reachable.
So I get the localhost vs. absolute address this. That makes sense. So I recoded the httpservice call to url="http://10.101.50.60/parser.php". Which is the actual fully qualified address in this case (There is no DNS server), and what I'm pulling up in the browser is "http://10.101.50.60/index.html". So after making this change, I can still access and have everything working in Flash builder, but again, when I standalone compile and upload the main.swf to the var/www directory and pull it up in the browser via http://10.101.50.60/main.swf. I get "Security error accessing URL". So basiclly, same thing.
Spent two days on it now.....

HTTPService and crossdomain.xml doesn't work as expected

My charting application gets its data through HTTPService over the internet:
<HTTPService id="srv" url="http:myserver1.com/tools/xml/data.aspx?name=bob"/>
and it works fine when I launch the application from my the bin-release folder of my development environment (Flash Builder 4.6) or from the location http:myserver1.com/xml.
But when I launch it from http:myserver2.com/charts, which is on the same windows domain as myserver2.com, the chart is empty (it gets no data) although a have this test version of CrossDomain.xml in the root dir of myserver1.com/tools:
<?xml version="1.0" ?> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy>
I have also, as suggested by Gregory Lafrance on Sep 5, 2010, set the --use-network=true compiler option although it is true as default.
What do I miss? Your advice will be received with gratitude.

I don't get any error messages. The chart is shown but it is empty.
Bo

Crossdomain.xml

Hi,
I already posted in PcP1's board but as the subject i think it's a "cross question" between web and PcP...
I'd like to use the ability of jw player to put in playlist the content of a rss feed (from a podcasts' blog), i thought it could be an easy way to spead podcasts contents on other sites...but it apparently needs an xml file named crossdomain.xml to authorize Flash to read datas from a different domain.
I tried in /Library/WebServer/Documents and restarted web, and tried also in /PodcastProducerContents/Podcasts (but didn't know what to reboot)..But it doesn't work..Does anyone knows where and how put this file ?
Thanks in advance, Julien

According to the Specification, the crossdomain.xml file should be placed in the root level of your web server. That would typically be /Library/WebServer/Documents/ unless you've changed it.
If that's correct and where you've saved the file then the next thing to look at is the actual content of the file to ensure it grants the rights that you expect.

What is Crossdomain.xml

Similar Messages

Maybe you are looking for