Does your Flash movie stop working because your links need the crossdomain.xml file, but you can’t place it at the root level? The crossdomain.xml file can be relocated to non-root locations, and that location can be defined in your Flash movie. The code is at the bottom of this article, and below is some expert advice on Flash security and cross-site request forgery issues you must understand to protect your site.
When an attempt is made to load content into a SWF file at runtime, the request is subject to the Flash Player security model, which is in place to protect users and website owners. As part of this model, Flash Player by default prevents cross-domain loading of data, but allows cross-domain sending of data.
This security model was set up to parallel the default settings provided in most web browsers. Flash Player does, however, allow you to make exceptions by placing a cross-domain policy file on the server where the content is stored. Cross-domain policy files are a Flash Player security control that you can use to enable data loading between domains. This powerful functionality allows Flash- and Flex-based rich Internet applications (RIAs) to exchange information in ways that are not possible in applications built with AJAX, DHTML, or JavaScript.
This article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server. In general, websites using cross-domain policy files increase their security exposure. This is because the cross-domain policy file used by Flash Player allows access to information by more domains than are allowed in the default configuration. As with any security mechanism, use of the cross-domain policy requires careful analysis of the proposed application architecture and threat model to understand potential risks.
Note: Using a cross-domain policy file could expose your site to various attacks. Please read this document before hosting a cross-domain policy.