crossdomain.xml Policy File Issues With Flash Player

Does your Flash movie stop working because your links need the crossdomain.xml file, but you can’t place it at the root level?  The crossdomain.xml file can be relocated to non-root locations, and that location can be defined in your Flash movie. The code is at the bottom of this article, and below is some expert advice on Flash security and cross site request forgery issues you must understand to protect your site.

When an attempt is made to load content into a SWF file at runtime, the request is subject to the Flash Player security model, which is in place to protect users and website owners. As part of this model, Flash Player by default prevents cross-domain loading of data, but allows cross-domain sending of data.

This security model was set up to parallel the default settings provided in most web browsers. Flash Player does, however, allow you to make exceptions by placing a cross-domain policy file on the server where the content is stored. Cross-domain policy files are a Flash Player security control that you can use to enable data loading between domains. This powerful functionality allows Flash- and Flex-based rich Internet applications (RIAs) to exchange information in ways that are not possible in applications built with AJAX, DHTML, or JavaScript.

This article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server. In general, websites using cross-domain policy files increase their security exposure. This is because the cross-domain policy file used by Flash Player allows access to information by more domains than are allowed in the default configuration. As with any security mechanism, use of the cross-domain policy requires careful analysis of the proposed application architecture and threat model to understand potential risks.

Note: Using a cross-domain policy file could expose your site to various attacks. Please read this document before hosting a cross-domain policy.

How To Send Data From Flash To ASP/PHP Without A Page Refresh

This article deals with how to send form data from Adobe Flash to your PHP/ASP file so it can be inserted into a database (or manipulated for whatever other reason). The trick is making sure a new window doesn’t pop up and the page doesn’t refresh to run through the ASP/PHP code. That’s the one issue I’ve noticed with some downloadable contact or email form examples: a new window pops up and often says, “Thanks for the email!” I’ll give a really bare-bones example where no new windows pop up and the window containing your Flash isn’t refreshed. This article’s example is done in ASP, but the approach will work with any other programming language.

NOTE: This is not for beginners.


  • Flash File
  • HTML with Flash File
  • ASP/PHP/etc Page That Will Process Form Data
  • HTML page with Frames.


What we’re going to do is set up a Flash File that will simply send form data to an ASP file. Our HTML page with frames will have two frames. One frame will contain the HTML with our Flash, the second will contain a sandbox that will allow the ASP file to refresh without ever affecting the main page we’re browsing. We’re going to hide the second frame so that we don’t ever see the refreshes happening.

I know what you’re thinking, frames are lame. In our example though, you won’t even notice it being there.

Flash File

Create a new Flash file, select the first blank frame you’re given, bring up the ActionScript window and copy and paste the following code:

stop();
varsToSend = new LoadVars();
varsToSend.firstVar = "Pat-Burt";
varsToSend.send("intoDatabase.asp", "process", "POST");

stop – makes sure that your Flash movie doesn’t loop and constantly send “Pat-Burt” to your ASP file.
varsToSend – our LoadVars() object that contains all the variables we’ll be sending to our ASP file.
firstVar – a variable, you can have any number of these.
send – sends the vars in varsToSend to intoDatabase.asp
process – the frame name (we’ll use this later)
post – how we’re sending the data to the database

HTML Frame Page

Create a new HTML page, strip the body tags and throw this in:

<FRAMESET rows="100%, 1">
<FRAME src="flash.html" name="flash" noresize frameborder="0">
<FRAME src="intoDatabase.asp" name="process" noresize scrolling="no" frameborder="0">
</FRAMESET>

Frameset – creates the frames, defines the first to have 100% height, and the second to have a height of 1 pixel.
flash.html – Our HTML file with our Flash file inserted. It is named “flash”.
process.html – Our HTML file where our ASP file will be reloaded to insert data into the database. It’s located in the frame sized as 1 pixel.

ASP File

This is the simplest version I could present. Keep in mind you will need to define db which should reference your connection string to your database.

db.execute("INSERT INTO database (message) VALUES ('" & request.form("firstVar") & "')")

request.form("firstVar") – the name of the variable in our Flash file
database – our database name
message – the column name in our database
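
The one-line INSERT above builds its SQL by concatenating firstVar, so a quote character in the submitted text changes the statement itself, and because the hidden frame first requests intoDatabase.asp with a plain GET, it also runs once with an empty value. A hardened version of the handler follows as an added example (not the author's code); it assumes db is an already-open ADODB.Connection, a 255-character message column, and bracket quoting for the table name.

```vbscript
<%
' Added example, not the article's code.
' Assumptions: db is an open ADODB.Connection (defined elsewhere, as the
' article requires) and the message column holds up to 255 characters.
Const adCmdText = 1            ' CommandText is a SQL statement
Const adParamInput = 1         ' parameter direction: input
Const adVarWChar = 202         ' Unicode variable-length string
Const adExecuteNoRecords = 128 ' no recordset is returned by an INSERT
Const MAX_LEN = 255            ' assumed column width

Dim msg, cmd
msg = Request.Form("firstVar")

' The FRAME src loads this page with GET before Flash ever posts,
' so do nothing unless the request is the POST sent by LoadVars.send.
If UCase(Request.ServerVariables("REQUEST_METHOD")) <> "POST" Then
    Response.End
End If

' Reject empty or oversized input instead of storing it.
If Len(msg) = 0 Or Len(msg) > MAX_LEN Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = db
cmd.CommandType = adCmdText

' The ? placeholder keeps the submitted value out of the SQL text; the
' driver passes it as data, so quotes in msg cannot alter the statement.
' The table name from the article is bracketed in case the driver treats
' "database" as a keyword (assumes SQL Server or Access style quoting).
cmd.CommandText = "INSERT INTO [database] (message) VALUES (?)"
cmd.Parameters.Append cmd.CreateParameter("message", adVarWChar, adParamInput, MAX_LEN, msg)
cmd.Execute , , adExecuteNoRecords

Set cmd = Nothing
%>
```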

HTML with Flash File

Insert your Flash file in whatever form you prefer. I recommend SWFObject.

Put Them All Together And Make Sure You…

  • Name the HTML file with your Flash: flash.html
  • Name your ASP file (in this example) to intoDatabase.asp
  • Provide a <noframes /> alternative where the page is loaded in a new window in the off chance someone has frames turned off
  • Don’t get too complicated. Get everything working in its simplest form before you add extra features

Good luck, hope that helps. By Patrick Burt