Policy file changes in Flash Player 9 and Flash Player 10

Appendix A: Browser dependencies

Two of the security changes introduced in Flash Player 9,0,115,0 can only be enforced when Flash Player has access to HTTP response headers. When Flash Player is running inside a browser, this is not always possible, as some browsers do not provide HTTP response headers to Flash Player.

The two features that require HTTP response header access are as follows:

  • The Content-Type whitelist: When Flash Player has access to HTTP response headers, it rejects HTTP policy files that have non-textual Content-Type values, as well as those that have no Content-Type at all. When Flash Player does not have access to HTTP response headers, it accepts HTTP policy files regardless of their Content-Type.
  • HTTP meta-policies: When Flash Player has access to HTTP response headers, it honors the HTTP meta-policies declared in master HTTP policy files and X-Permitted-Cross-Domain-Policies response headers. When Flash Player does not have access to HTTP response headers, all HTTP servers are assumed to have a meta-policy of all.
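As an added illustration (not Adobe code), the sketch below compares how a player with header access and one without would treat the same policy-file response, which is the check a server operator would run to see what older browsers leave unenforced. The textual types beyond text/*, the function names and the sample responses are assumptions made for this example.

```python
# Added example (not Adobe code). Models the two header-dependent checks
# from this appendix for a single HTTP policy-file response.

# Assumption: the textual types beyond text/* are taken from Adobe's
# policy-file documentation, not from this page.
TEXTUAL_EXACT = {"application/xml", "application/xhtml+xml"}
HEADER = "x-permitted-cross-domain-policies"


def content_type_is_textual(headers):
    """True if Content-Type passes the whitelist; a missing type fails."""
    value = headers.get("content-type", "")
    media = value.split(";", 1)[0].strip().lower()
    return media.startswith("text/") or media in TEXTUAL_EXACT


def compare_enforcement(raw_headers):
    """Compare a player that sees response headers with one that does not."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    declared = headers.get(HEADER, "").strip().lower() or None
    with_headers = {
        "content_type_accepted": content_type_is_textual(headers),
        "meta_policy": declared,  # None: no meta-policy declared by header
    }
    # Without header access: any Content-Type passes, meta-policy is "all".
    without_headers = {"content_type_accepted": True, "meta_policy": "all"}
    gaps = []
    if not with_headers["content_type_accepted"]:
        gaps.append("content-type whitelist not enforced")
    if declared not in (None, "all"):
        gaps.append("header meta-policy '%s' ignored" % declared)
    return with_headers, without_headers, gaps


# Constructed sample responses (hypothetical servers, not real captures).
SAMPLES = {
    "locked-down": {"Content-Type": "text/x-cross-domain-policy",
                    "X-Permitted-Cross-Domain-Policies": "master-only"},
    "user-upload": {"Content-Type": "image/jpeg"},
    "no-type": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, compare_enforcement(hdrs))
```

A non-empty gaps list marks a response whose protection depends on the browser passing headers to Flash Player.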

Table 1 shows the browsers that Adobe has tested for HTTP response headers.

Table 1. Browsers tested for HTTP response headers
| Browser | Versions that do not provide headers | Versions that provide headers |
|---|---|---|
| Internet Explorer (Windows) | | 5.5 and later |
| Mozilla Firefox | 2.0.0.3 and earlier | 2.0.0.4 and later |
| Safari (Macintosh) | 2.x and earlier | 3.x and later |