Flex - cross-domain-policy - I just don't get it...
I installed the Flex Builder 2 plugin last night, and overall I'm very impressed.
I'm particularly impressed with the documentation, and in particular the lessons - each lesson is really short, but they cover the basics very quickly - great for someone like me who has no previous experience with Flex, and very little with flash.
I've been working through the lessons, and in the second lesson, it goes through creating a (basic) RSS feed reader.
So I went through the example, using the RSS feed given as an example in the lesson (for Matt Chotin's blog). This worked fine, so I thought - that's cool, let's point the feed at my own blog...
This didn't do anything, so, I worked out how to view debug mode (for some reason debug mode is only working with IE on my machine, not Firefox - probably an installation issue), and saw the following error:
- Security error accessing url...
I'm sorry - but I don't get this - on the domain on which the RSS feed is hosted, you have to set up a file detailing which domains can host Flex / Flash applications which access the source domain...
The flash application is responsible for checking this file before deciding whether to access the remote data source...
So... this file on the remote server instructs the client application to check whether it has permission to access the remote server, based on the domain on which the client app thinks it's being served...
So what on earth does this achieve?
I can see 2 cases where you might want to lock things down:
- The remote server is hosting a service with restricted access, and needs to make sure the client is authorised to serve the data before allowing it to be served
- The application is running on a local machine, and you want to restrict the sites that the application has access to
The first point is not achieved by the use of the "crossdomain.xml" file - as one of the first rules of implementing security within a client-server environment is that the server is responsible for implementing security, not the client. In addition, I would assume that the Flash application knows where it's being served from based on the host headers (as it is running on the local machine, not on the domain from which it is served) - which presumably (and I've not checked) could be faked through the use of the hosts file etc.
The second point is not implemented at all - as the crossdomain.xml file is implemented on the remote server - not on the client.
So what on earth does this crossdomain.xml file achieve - other than requiring hosts of a public service to make a conscious decision that they will allow Flash clients to access the service? Surely the point of open standards such as RSS is that they are open - and it is the choice of the consumer how they consume them...
PLEASE - if I have completely missed the point here, let me know - as from what I can see, the crossdomain.xml "security" implementation would appear to be both pointless and obstructive...
I could see the point if the crossdomain.xml file were optional and advisory - a bit like robots.txt - an indication of a preference, if implemented, rather than an absolute requirement if data is to be served to a remote domain.
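To make the mechanism described above concrete, here is an added example (mine, not Adobe's player code) that evaluates a crossdomain.xml file the way the player does on the user's machine: the decision is taken client-side, so it cannot replace server-side authorization, but it does stop a SWF from another site reading the feed with the viewer's own browser session (the request carries the viewer's cookies for the feed host). The two policy files and the domain names are constructed for the example; the matching rules shown ("*", exact domain, "*.example.org" wildcards and the secure attribute) are my understanding of the player's behaviour.

```python
"""Client-side evaluation of a Flash crossdomain.xml policy (added example, not Adobe's code)."""
import xml.etree.ElementTree as ET

# Constructed policies: the wide-open one from the comments below, and a restricted one.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.org"/>
  <allow-access-from domain="widgets.example.net" secure="false"/>
</cross-domain-policy>"""


def _domain_matches(pattern: str, requester: str) -> bool:
    """'*' matches any domain; '*.foo' matches foo and every subdomain of foo;
    anything else must match exactly (case-insensitive)."""
    pattern, requester = pattern.lower(), requester.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.org"
        return requester == suffix[1:] or requester.endswith(suffix)
    return pattern == requester


def access_allowed(policy_xml: str, swf_domain: str, swf_https: bool, feed_https: bool) -> bool:
    """Decide whether a SWF loaded from swf_domain may read the feed host's data.
    The file lives on the feed host, but this decision runs in the viewer's player."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False                              # not a policy file: deny by default
    for rule in root.findall("allow-access-from"):
        if not _domain_matches(rule.get("domain", ""), swf_domain):
            continue
        # An https feed is only readable from an http SWF if the host set secure="false".
        if feed_https and not swf_https and rule.get("secure", "true").lower() != "false":
            continue
        return True
    return False                                  # no matching rule: the player raises the security error


if __name__ == "__main__":
    print("open policy, any SWF:", access_allowed(OPEN_POLICY, "blog.example.com", False, False))
    print("restricted, subdomain:", access_allowed(RESTRICTED_POLICY, "news.example.org", False, False))
    print("restricted, other site:", access_allowed(RESTRICTED_POLICY, "blog.example.com", False, False))
```

A feed host that wants only its own pages to embed the reader would list those domains instead of "*"; with no rule matching, the player reports exactly the "Security error accessing url" seen above.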


I'm using Flex3 with Flash9 player.
I get "security error accessing url" when attempting to pull google news (or pretty much any news feed) into my test rss-viewer page.
As far as I understand, this is because the remote server had to have a cross-domain file specifying exactly who can link (as the * option is no longer available).
So, how come your rss feed works fine for me?
Many thanks.
Mags
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
I'm not sure what you mean about the * option no longer being available - as it appears to work on my site...
I'm not an expert on this - in fact I've barely looked at flex since I posted this article...
Looking at the Flex debug output, I see the warning "Warning: Domain www.danlance.co.uk does not specify a meta-policy. Applying default meta-policy 'all'. This configuration is deprecated. See http://www.adobe.com/go/strict_policy_files to fix this problem.".
Seems it's not finding your crossdomain file, and is therefore treating it as *, even though * is no longer considered valid (too open for Flash9).
I'm curious about how providers of RSS feeds are expected to allow access - surely not on a user-by-user basis?
Anyway I know it's not your area - thanks for taking the time to reply.
Anyway, your robots.txt comparison is right on. It seems to me just a flag that client flash players are asked to honor.