This guide describes the crossdomain file loading (security) restrictions associated with the Adobe Flash plugin and JavaScript in HTML5 browsers/devices.
The Adobe Flash Player contains a crossdomain security mechanism, similar to JavaScript’s Cross-Site Scripting restrictions. Flash’s security model denies certain operations on files that are loaded from a different domain than the player.swf. Roughly speaking, three basic operations are denied:
Generally, file loads (XML or SWF) will fail if there’s no crossdomain access. Attempts to access or manipulate data (ID3, waveforms, bitmaps) will abort.
Crossdomain security restrictions can be lifted by hosting a crossdomain.xml file on the server that contains the files. This crossdomain file must be placed in the root of your (sub)domain, for example:
http://www.myserver.com/crossdomain.xml
http://videos.myserver.com/crossdomain.xml
Before the Flash Player attempts to load XML files, SWF files or raw data from any domain other than the one hosting the player.swf, it checks the remote site for the existence of such a crossdomain.xml file. If Flash finds it, and if the configuration permits external access of its data, then the data is loaded. If not, the secure operation will not be allowed.
Here’s an example of a crossdomain.xml that allows access to the domain’s data from SWF files on any site:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*" />
    </cross-domain-policy>
Our plugins.longtailvideo.com domain includes such a crossdomain file, so players from any domain can load the plugins hosted there.
Note that this example sets your server wide open. Any SWF file can load any data from your site, which might lead to security issues.
Here is another example crossdomain.xml, this time permitting SWF file access from only a number of domains:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*.domain1.com"/>
        <allow-access-from domain="www.domain2.com"/>
    </cross-domain-policy>
Note the use of the wildcard symbol: any subdomain of domain1.com can load data, whereas domain2.com is restricted to only its www subdomain.
Crossdomain policy files can restrict access even more finely, e.g. to certain ports or HTTP headers. For a detailed overview, see Adobe’s Crossdomain documentation.
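To see how the two policies above are evaluated, here is an added example (not JW Player's or Adobe's code) that parses a crossdomain.xml, decides whether a SWF served from a given host would be granted access, and flags the wide-open "*" configuration. The matching rules assumed are the ones described above: "*" admits every host, "*.domain1.com" admits any subdomain of domain1.com (the bare domain is accepted too, as Adobe's documentation does), and a plain hostname must match exactly.

```python
"""Evaluate a Flash crossdomain.xml policy for a requesting SWF's host.

Added example, not code from JW Player or Adobe. The matching rules are
an assumption based on the guide's description of the two sample policies.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies, mirroring the two examples in the guide.
OPEN_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.domain1.com"/>
    <allow-access-from domain="www.domain2.com"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns granted by every <allow-access-from> element."""
    root = ET.fromstring(policy_xml)  # the external DTD is not fetched
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Flash-style matching: '*' is any host, '*.x' is x or any subdomain of x."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern  # plain hostnames must match exactly


def swf_host_allowed(policy_xml, swf_host):
    """True if a SWF served from swf_host may load this server's data."""
    return any(pattern_matches(p, swf_host) for p in allowed_domains(policy_xml))


def is_wide_open(policy_xml):
    """Flag the 'any SWF may load any data' configuration the guide warns about."""
    return "*" in allowed_domains(policy_xml)


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "wide open:", is_wide_open(policy))
        for host in ("cdn.domain1.com", "www.domain2.com", "cdn.domain2.com"):
            print("  ", host, "->", swf_host_allowed(policy, host))
```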
In JavaScript, a Cross-Site Scripting mechanism similar to that in Flash exists. It impacts publishers using JW Player on HTML5-capable browsers and devices, as it denies loading the following files crossdomain:
Generally, these file loads will fail if there’s no crossdomain access. Most browsers will display errors in their debug console.
Crossdomain access can be enabled in JavaScript with a mechanism similar to that in Flash. Instead of hosting a crossdomain.xml file though, crossdomain access is enabled per file, through an additional HTTP response header:
Access-Control-Allow-Origin: *
Options to limit domains, subdomains and ports can be added. See the enabled-cors.org site for more info. The site lists how to enable CORS headers for various popular web servers, frameworks and server-side languages.