Managing Flash Player security

Flash Player does not allow an application to receive data from a domain other than the domain from which it was loaded, unless it has been given explicit permission. If you load your application SWF file from http://mydomain.com, it cannot load data from http://yourdomain.com. This security sandbox prevents malicious use of Flash Player capabilities. (JavaScript uses a similar security model to prevent malicious use of JavaScript.)

When you need to access data from a Flex application, you have three choices:

Using cross-domain policy files

A cross-domain policy file is a simple XML file that gives Flash Player permission to access data from a domain other than the domain on which the application resides. Without this policy file, the user is prompted to grant access permission through a dialog box, a situation you want to avoid.

The cross-domain policy file (named crossdomain.xml) is placed in the root of the server (or servers) containing the data you want to access. The following is an example of a cross-domain policy file:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="www.yourdomain.com" />
</cross-domain-policy>

For more information about configuring cross-domain policy files, see the following tech note: http://www.adobe.com/go/tn_14213.
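
The following is an added example, not part of the original Adobe documentation: a small Python check that parses a crossdomain.xml file and flags entries broader than the single-host grant shown above. The sample policies are constructed, the function name audit_policy is hypothetical, and the wildcard domain value and the secure attribute are features of the policy file format that this page does not show.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration (not from a real server).
STRICT_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="www.yourdomain.com" />
</cross-domain-policy>"""

LOOSE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
   <allow-access-from domain="*.yourdomain.com" secure="false" />
   <allow-access-from />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (domain, finding) tuples for risky allow-access-from entries."""
    if "<!ENTITY" in xml_text.upper():
        # A policy file has no need for entity declarations; refuse to expand them.
        raise ValueError("entity declarations are not expected in a policy file")
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not cross-domain-policy")
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = (entry.get("domain") or "").strip()
        if not domain:
            findings.append((domain, "missing domain attribute"))
        elif domain == "*":
            findings.append((domain, "any domain may read data from this server"))
        elif "*" in domain:
            findings.append((domain, "wildcard trusts every matching host"))
        # secure="false" lets content loaded over HTTP read data served over HTTPS.
        if (entry.get("secure") or "true").strip().lower() == "false":
            findings.append((domain, "secure=false weakens HTTPS-only access"))
    return findings


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```

A policy that lists each trusted host by name, as in the page's example, produces no findings.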

Setting up a proxy to access remote data

Another option for managing Flash Player security (aside from using a cross-domain policy file) is to use a proxy. Flex Data Services provides a complete proxy management system for Flex applications. You can also create a simple proxy service using a web scripting language such as ColdFusion, JSP, PHP, or ASP.

The proxy service processes requests from the application to the remote service and responses from the remote service back to the application (Flash Player).

TIP: When developing your applications, a common technique is to host the proxy on your local computer. To do this, you need to run a web server and scripting language on your local development computer.

For more information about creating your own proxy, see the following tech note: http://www.adobe.com/go/tn_16520.

Setting up Flex Builder to use a proxy for accessing remote data

After you've set up a proxy to access data from a remote service, you place the application files in the same domain as the proxy. In Flex Builder, you can modify both the project build settings and launch configuration to manage the use of a proxy.

If you use Flex Builder to compile your applications and the proxy server is also set up on your local development machine, you can modify the project build settings to automatically copy the compiled application files to the appropriate location on your web server.

To modify the project build path:

  1. In the Navigator view, select a project.
  2. Right-click (Control-click on Macintosh) and select Properties from the context menu. The Project Properties dialog box appears.
  3. Select the Flex Build Path properties page.
  4. Change the existing output folder by entering a new path or by browsing to the appropriate folder of your web server (for example: C:\inetpub\wwwroot\myApp\).
  5. Click OK.

To run and debug the application from the web server, you need to modify the project's launch configuration.

To modify the launch configuration:

  1. With the project's main application file open in Flex Builder, right-click (Control-click on Macintosh) in the editor and select Run As > Run from the context menu. The Launch Configuration dialog box appears.
  2. Select the project's launch configuration from the list of configurations.
  3. On the Main tab you can modify the launch path by deselecting the Use Defaults check box.
  4. In the Run input box, enter the URL to the main application HTML wrapper file (for example: http://localhost/myApp/myApp.html). If you're running the application directly in the stand-alone Flash Player, instead of a web browser, enter the main application SWF file.
  5. In the Debug input box, enter the URL to the debug version of the application (for example: http://localhost/myApp/myApp-debug.html or http://localhost/myApp/myApp-debug.swf).
  6. Click Apply and then Close.


Flex 2.01
