18 September 2008
This is a practical guide to what you need to know to work with the required changes that have been made to policy files in Adobe Flash Player 9 and will be made in Flash Player 10 beta. If you would like to understand why these changes are being made, or how you as a site owner can opt-in to increased permission control, please also read Understanding security changes in Flash Player 10 beta.
Policy files are the core of the permission system that Flash Player uses to let server owners decide which SWF files are allowed to interact with the server and control what those SWF files can do when interacting with the server. The standard permission for the web is to allow a lot of actions to happen only when everything is on the exact same web domain. Policy files let the server choose to expand that permission to allow a lot of powerful applications to be built using resources outside the web domain of the SWF file. For example, to allow SWF files to make use of public APIs, sites such as Flickr have policy files that let anyone connect and load the data back into their SWF file.
Over time, it has been necessary to make refinements to how policy files work to maintain the best possible security for users and servers while still allowing the flexibility that Flash Player has always offered developers. In this article, you will see details of what changes have been made and when they were added to Flash Player.
Once a version of Flash Player has been released, you will begin to encounter users with the new requirements regardless of the version of Flash for which you have exported. At minimum, you should be prepared to encounter users with the security changes that have been made through Flash Player 9,0,124,0. While Flash Player 10 beta security changes are not yet generally deployed, Flash Player 10 beta is available as a public prerelease on Adobe Labs and will be the current version in the near future. Adobe recommends planning ahead for all preannounced security changes to avoid impacting your content.
Table 1 is a list of security changes that have been made around policy files that may impact existing customers. Each section adds on to the changes made in the previous player. For example, for a complete list of the modifications that may be encountered in Flash Player 9,0,115,0, you will need to read the sections on both 9,0,47,0 and 9,0,115,0.
This table is a quick reference to the topics that are covered in each section. Each topic is covered in the section about the Flash Player that introduced the change.
| Security change | Flash Player 9,0,47,0 | Flash Player 9,0,115,0 | Flash Player 9,0,124,0 | Flash Player 10,0,2,xx |
|---|---|---|---|---|
| Strict XML parsing | ● | ● | ● | ● |
| Policy file content-type | | ● | ● | ● |
| Master socket policy port | | ● | ● | ● |
| Local socket strictness | | ● | ● | ● |
| Required socket policy | | | ● | ● |
| Cross-domain header policy | | | ● | ● |
Flash Player 9,0,47,0
Release date: July 2007

Strict XML parsing
Impact: Few developers should be impacted by this change.
Description: Policy files must be valid XML. A policy file that fails to parse is ignored by Flash Player. Strict parsing applies only to policy files; it does not affect the ActionScript XML parser in any way.
Flash Player 9,0,115,0
Release date: December 2007

Meta-policies
Impact: If you depend on policy files for access to a server that is not under your direct control, you should verify that your content works as intended.
Description: When parsing either an HTTP or socket policy file at the master location, Flash Player will look for optional meta-policies that determine whether other policy files on the same server should be used or ignored. Meta-policies can also be declared in HTTP response headers, but this is less common.
For a site like www.example.com, the master HTTP policy file is at http://www.example.com/crossdomain.xml. For a socket connection to www.example.com, the master socket policy file is from a socket connection to www.example.com on port 843.
If you make use of policy files in non-master locations, data loading could be affected if the master policy file contains meta-policies that disallow other policy files. If the server that you are accessing has no meta-policy, Flash Player will honor non-master policy files.
Note: In Flash Player 10 beta, the default will change for HTTP meta-policies. If a master HTTP policy file does not exist or lacks a meta-policy allowing additional policy files, non-master policy files on that HTTP server will be ignored by Flash Player. See the section on Flash Player 10 beta for more information.
Policy file redirects
Impact: Anyone using server redirects should review their SWF content to ensure that policy files continue to work as expected.
Description: If the web server redirects the request for a policy file to a URL within the same domain, Flash Player will accept the policy file, but it will use the final URL (post-redirect) as if Flash Player had originally requested that final URL. Permissions will only be granted based on the location of the policy file's final URL. For example, if http://www.example.com/directoryA/crossdomain.xml redirected to http://www.example.com/directoryB/crossdomain.xml, Flash Player would allow access to anything within directoryB but would not allow access to directoryA.
Redirects to policy files outside the originally requested domain will continue to cause policy files to be ignored by Flash Player.
Policy file content-type
Impact: Few developers should be impacted by this change. If your web server is highly customized or specialized, you should review the content-type configuration for your server. Also, if you use nonstandard names for policy files, make sure that your policy files' names are associated with a textual content-type.
Description: Policy files must be served with an appropriate Content-Type header. A policy file whose response lacks a Content-Type header, or carries an unusual value, is ignored by Flash Player. Valid content-type values are:
Content-type is set by the web server and is frequently assigned based on the file extension. Most web servers should set the content-type to one of the values above. If you need to change your content type for policy files, please consult the documentation for your web server.
If you are making a change, the recommended value for cross-domain policy files is text/x-cross-domain-policy, the same content-type that the by-content-type meta-policy described later in this article keys on.
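A checker for the three 9,0,115,0-era rules above (redirect scope, textual content-type, strict XML parsing), as an added example that is not part of the original article and not Flash Player's own logic. The accepted content-type list is this example's assumption, since the article's own list of accepted values is not reproduced above; text/x-cross-domain-policy is the one value the article names. The sample policies are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Content-types this checker accepts. text/x-cross-domain-policy is the value
# the article recommends; the rest are this example's assumption of what counts
# as "textual", not Adobe's exact list.
ACCEPTED_TYPES = ("application/xml", "application/xhtml+xml")
ACCEPTED_PREFIXES = ("text/",)


def parse_policy_strict(body):
    """Return the <cross-domain-policy> root, or None when the XML is invalid
    or the root element is wrong. Flash Player ignores such a file."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root if root.tag == "cross-domain-policy" else None


def content_type_ok(content_type):
    """A missing, empty or non-textual Content-Type means the file is ignored."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in ACCEPTED_TYPES or media_type.startswith(ACCEPTED_PREFIXES)


def policy_scope(requested_url, final_url):
    """Directory a (possibly redirected) policy file may grant access to: the
    directory of the final URL. Returns None when the redirect left the
    originally requested host, in which case the policy is ignored."""
    req, fin = urlsplit(requested_url), urlsplit(final_url)
    if (req.hostname or "").lower() != (fin.hostname or "").lower():
        return None
    return fin.path.rsplit("/", 1)[0] + "/"


def evaluate_policy_response(requested_url, final_url, content_type, body):
    """Apply the redirect, content-type and strict-XML rules in turn.
    Returns (accepted, reason, scope)."""
    scope = policy_scope(requested_url, final_url)
    if scope is None:
        return False, "redirect left the original domain", None
    if not content_type_ok(content_type):
        return False, "missing or non-textual Content-Type", None
    if parse_policy_strict(body) is None:
        return False, "policy is not valid XML", None
    return True, "accepted", scope


# Constructed sample inputs for trying the checker.
VALID_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>
"""
# Unclosed <allow-access-from>: strict parsing rejects this file.
BROKEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.example.com">
</cross-domain-policy>
"""
```

Run `evaluate_policy_response` with the article's directoryA/directoryB redirect: the file is accepted, but only `/directoryB/` is in scope; a redirect to another host, an `application/octet-stream` response, or `BROKEN_POLICY` each come back rejected with the reason that applies.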
Master socket policy port
Impact: Users may experience a several-second delay in connecting to a socket server if a master socket policy server is not present.
Description: If a socket connection has not been previously authorized by a socket policy file, Flash Player will attempt to connect to the host server at port 843 to load a master socket policy file for the domain. A socket policy file on port 843 can also set meta-policies for socket connections to that host.
Local socket strictness
Impact: Developers connecting to localhost sockets will need to verify that their content works as intended. Normal web content is not affected by this change.
Description: A socket policy file must be used for any local socket connections, regardless of the domain of the SWF file or the port that is being connected. For more information, read Setting up a socket policy file server, which gives sample code and a description of the various options available.
Flash Player 9,0,124,0
Release date: April 2008 (the current version of Flash Player at the time of writing)
Required socket policy
Impact: Many developers using cross-domain socket communication will need to change their socket policy file configuration.
Description: Policy files served over HTTP may no longer be used to authorize socket connections to that server. Instead, the connection must be authorized through a socket policy file. A socket policy file is not fetched over HTTP: it is the policy XML sent to Flash Player over a dedicated socket connection.
Loading the socket policy file is a separate process from establishing the main socket connection. A special server is needed to provide a socket policy file.
For more information, read Setting up a socket policy file server, which gives sample code and a description of the various options available.
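A minimal socket policy file server, together with the client side of the exchange, as an added example that is not the sample code from Setting up a socket policy file server and not Adobe's. The policy XML and the port numbers in it are constructed; the server binds port 843 by default (the master socket policy port, which needs privileges on most systems), and `fetch_socket_policy` does what Flash Player does: connects, sends `<policy-file-request/>` followed by a NUL byte, and reads the NUL-terminated policy back.

```python
import socket
import socketserver
import threading

# What Flash Player sends on a socket policy connection: the request element
# followed by a NUL byte.
POLICY_REQUEST = b"<policy-file-request/>\0"

# Constructed sample socket policy (this example's, not Adobe's): let SWFs from
# www.example.com connect to ports 8080 and 8443 on this host, and declare that
# no other socket policy files on this host are to be honored.
SOCKET_POLICY = (
    '<?xml version="1.0"?>\n'
    '<cross-domain-policy>\n'
    '  <site-control permitted-cross-domain-policies="master-only"/>\n'
    '  <allow-access-from domain="www.example.com" to-ports="8080,8443"/>\n'
    '</cross-domain-policy>\n'
)


class PolicyHandler(socketserver.BaseRequestHandler):
    """Answer exactly one <policy-file-request/> with the policy, NUL-terminated.
    Anything else is dropped without a reply."""

    def handle(self):
        self.request.settimeout(3)
        buf = b""
        try:
            while not buf.endswith(b"\0") and len(buf) < 1024:
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            return
        if buf != POLICY_REQUEST:
            return
        self.request.sendall(self.server.policy_bytes + b"\0")


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, policy_xml):
        super().__init__(address, PolicyHandler)
        self.policy_bytes = policy_xml.encode("utf-8")


def start_policy_server(host="0.0.0.0", port=843, policy_xml=SOCKET_POLICY):
    """Serve the policy in a background thread; port 0 picks a free port."""
    server = PolicyServer((host, port), policy_xml)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_socket_policy(host, port, timeout=3.0, request=POLICY_REQUEST):
    """Client side of the exchange, as Flash Player performs it. Returns the
    policy XML, or raises ConnectionError if the server closes without one."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while not buf.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed without a NUL-terminated policy")
            buf += chunk
    return buf[:-1].decode("utf-8")


if __name__ == "__main__":
    srv = start_policy_server()
    print("serving socket policy on port", srv.server_address[1])
    threading.Event().wait()
```

Note that the policy server answers only the literal request and nothing else; the main socket connection on 8080 or 8443 is a separate connection that Flash Player opens only after this exchange has authorized it.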
Same-host socket connections
Impact: This will affect any content making socket connections to its own host without socket policy files.
Description: Socket communication to any port on any domain now requires a socket policy file. Previously, connections to the same host as the SWF file on a port higher than 1024 were allowed without a policy. This configuration is no longer permitted.
Cross-domain header policy
Impact: Developers of SWF files that send custom HTTP headers on network requests across domains will need to verify that their content works as intended.
Description: SWF content that adds custom headers to network requests going to a different domain requires a policy file that permits each specific header that will be sent. This change is true for both one-way and roundtrip network APIs. Here is an example of a policy file that permits custom HTTP headers:
<cross-domain-policy>
  <allow-http-request-headers-from domain="trusted.com" headers="*"/>
  <allow-http-request-headers-from domain="*" headers="X-Harmless-Header"/>
</cross-domain-policy>
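A small evaluator for allow-http-request-headers-from rules, as an added example (not Adobe's code) that shows which custom headers the policy above lets a SWF on a given host send. It assumes the matching rules of the crossdomain.xml format as this editor understands them: domain="*" matches any host, a leading "*." matches subdomains, headers is a comma-separated list in which "*" means any header, and header names compare case-insensitively. The policy text is the article's; the hosts and header names used to exercise it are constructed.

```python
import xml.etree.ElementTree as ET

# The policy from the article, used here as sample input.
HEADER_POLICY = """<cross-domain-policy>
  <allow-http-request-headers-from domain="trusted.com" headers="*"/>
  <allow-http-request-headers-from domain="*" headers="X-Harmless-Header"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """'*' matches everything; '*.example.com' matches example.com and any
    subdomain; anything else must match the host exactly (assumed semantics)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        bare = pattern[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def header_allowed(policy_xml, swf_host, header_name):
    """True if some rule matching swf_host permits header_name."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return False  # an unparseable policy grants nothing
    if root.tag != "cross-domain-policy":
        return False
    wanted = header_name.strip().lower()
    for rule in root.findall("allow-http-request-headers-from"):
        if not domain_matches(rule.get("domain", ""), swf_host):
            continue
        allowed = [h.strip().lower() for h in rule.get("headers", "").split(",")]
        allowed = [h for h in allowed if h]
        if "*" in allowed or wanted in allowed:
            return True
    return False


def disallowed_headers(policy_xml, swf_host, headers):
    """Headers from the list that the policy would make Flash Player drop for
    a cross-domain request from swf_host. Useful before shipping a SWF."""
    return [h for h in headers if not header_allowed(policy_xml, swf_host, h)]
```

With the article's policy, a SWF on trusted.com may send any header, a SWF anywhere else may send only X-Harmless-Header, and a SWF on a subdomain such as api.trusted.com gets no benefit from the trusted.com rule because that rule names the host exactly.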
For further examples of how to configure a policy file to permit headers from a domain, see the following TechNote: Arbitrary headers are not sent from Flash Player to a remote domain. For more information on headers and policy files, read the policy file section in "Understanding Flash Player 9 April 2008 Security Update compatibility."
Flash Player 10 beta
Release date: Not yet released. Available as a public prerelease on Adobe Labs.
While configuring your content for changes made in Flash Player 9,0,124,0 and previous versions is all that is necessary today, Adobe strongly suggests preparing for Flash Player 10 beta changes now to avoid content disruption when Flash Player 10 beta is released.
If you would like to test your content with the security changes made in Flash Player 10 beta, you can download it from Adobe Labs.
Master HTTP policy file required
Impact: This will affect any content that makes use of non-master HTTP policy files. Content that uses the loadPolicyFile API will usually be affected. Also, SWF files that load data from content delivery networks (CDNs) or other hosting situations where it is challenging to place files in the root directory of a server should plan ahead immediately.
Description: Any server that intends to permit data-loading by SWF files on a different domain must place a policy file in the master location (/crossdomain.xml). Other policy files can still be used on the server; however, they must be authorized through the use of meta-policies in the master policy file. If the master policy file is not in the master location, does not contain meta-policies, or is set to master-only, other policy files on the domain will be ignored by Flash Player.
If it is infeasible or undesirable to create a policy file in the master location, a meta-policy can also be declared using HTTP response headers. See the meta-policies section in "Policy file changes in Flash Player 9."
If you prefer to manage policy files on a per-directory basis, you can set up a master policy file that only sets a meta-policy. This can allow other policy files to be used without the master policy file declaring any specific permissions itself. Here are some examples of this configuration:
all, allowing any file on the server to be used as a policy file:

<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

by-content-type, allowing any file on the server served with the content-type text/x-cross-domain-policy to be used as a policy file:

<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type"/>
</cross-domain-policy>
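An evaluator for the meta-policy rules described in this section and in the Flash Player 9,0,115,0 meta-policies section, as an added example rather than Flash Player's own logic. It covers the three permitted-cross-domain-policies values the article names plus none (a value the article does not list and this example assumes), and it names the X-Permitted-Cross-Domain-Policies response header, which the article refers to only as "HTTP response headers". The sample master policy files are constructed. Only the meta-policy question is decided here; the content-type and strict-XML rules from Flash Player 9,0,115,0 still apply to the non-master file separately.

```python
import xml.etree.ElementTree as ET

# Meta-policy values this example understands. The article names the first
# three; "none" is assumed here.
META_POLICIES = ("all", "by-content-type", "master-only", "none")
MASTER_PATH = "/crossdomain.xml"
POLICY_CONTENT_TYPE = "text/x-cross-domain-policy"


def meta_policy_from_master(master_xml):
    """Read permitted-cross-domain-policies from a master policy file. Returns
    None when the file is absent, invalid, or has no <site-control> element."""
    if master_xml is None:
        return None
    try:
        root = ET.fromstring(master_xml)
    except ET.ParseError:
        return None
    site_control = root.find("site-control")
    if site_control is None:
        return None
    value = (site_control.get("permitted-cross-domain-policies") or "").strip().lower()
    return value or None


def meta_policy_from_header(headers):
    """The same declaration carried in the X-Permitted-Cross-Domain-Policies
    response header (header name taken from Flash Player documentation, not
    from the article). headers is a dict of response header name -> value."""
    for name, value in headers.items():
        if name.lower() == "x-permitted-cross-domain-policies":
            return value.strip().lower() or None
    return None


def non_master_policy_honored(meta_policy, player_major, policy_path, content_type):
    """Would Flash Player use the policy file at policy_path, given the server's
    meta-policy (None = none declared) and the player's major version?"""
    if policy_path == MASTER_PATH:
        return True  # the master file is always consulted
    if meta_policy is None:
        # Flash Player 9 honors non-master files when no meta-policy is set;
        # Flash Player 10 beta ignores them.
        return player_major < 10
    if meta_policy == "all":
        return True
    if meta_policy == "by-content-type":
        media_type = (content_type or "").split(";", 1)[0].strip().lower()
        return media_type == POLICY_CONTENT_TYPE
    if meta_policy in ("master-only", "none"):
        return False
    raise ValueError("unknown meta-policy: %r" % (meta_policy,))


# Constructed sample master policy files.
MASTER_BY_CONTENT_TYPE = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type"/>
</cross-domain-policy>"""
MASTER_NO_META = """<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""
```

The case that bites CDN users is the None branch: a server with no master file at all lets /api/crossdomain.xml work in Flash Player 9 and silently stops honoring it in Flash Player 10 beta, so the meta-policy has to be declared, in the master file or in the response header, before the upgrade rather than after.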
To test that your content will work with the policy file changes in Flash Player 9 and 10, you can download and install Flash Player 10 beta from Adobe Labs. This version of Flash Player includes all the security changes listed in this article as well as the other security model changes that have been preannounced for Flash Player 10 beta.
You can also turn on logging to have Flash Player record a list of errors that are encountered as a result of the policy file changes. To enable logging, follow the instructions in the logging section in "Policy file changes in Flash Player 9 and Flash Player 10 beta."
Meta-policies are an important part of refining policy file usage on servers. As either a content developer or server administrator, you should become familiar with the options that are available. For a detailed description and how they apply to HTTP and socket policies, read the meta-policies section in "Policy file changes in Flash Player 9 and Flash Player 10 beta."