4 Replies Latest reply on May 28, 2007 8:29 AM by Flama22

    Will I need a crossdomain.xml file?

      I have been working on my first Flex application and it builds several menu structures based on data received from external XML files. Everything works fine when running the project within Flex Builder but when I move the build directory (/bin) to another location it does not load my menus. I have since found out this is because of the security setting the projects build directory gets and to get my files to work elsewhere I will need a crossdomain.xml file.

      After researching how crossdomain.xml files work I'm wondering if in my case I should even need one because the files my SWF are loading will already be placed on the local machine - not a server. Still, the application is not working so I have tried a crossdomain.xml anyways using the following code:

      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM " http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

      <allow-access-from domain="192.168.*" secure="false"/>

      The file seems to have no effect (althought the "192.168.*" string I used may not be what I want) and I'm looking for other options. Also, I was originally getting my XML from an HTTPRequest but am now using a URLRequest() which then converts the content to XML which I find cleaner in the code.

      Any ideas keeping in mind this application will have all its content loaded from CD onto the users local drive?
        • 1. Re: Will I need a crossdomain.xml file?
          peterent Level 2
          This is always a little confusing. Here's how it works. The Flash Player is aware of which domain is referenced when the first SWF is loaded. The "domain" could be www.adobe.com or labs.adobe.com or The Flash Player thinks of this as its home domain. Any reference to any other domain is a security concern. Even if that happens to be "localhost".

          Things work from Flex Builder because Flex Builder registers its directories with the Flash Player and makes everything have the security level of "local-trusted". This means your Flex app can load files from anywhere - the local file system (via HTTPService for example, not a direct read of the file) or from the network.

          When you move your SWF to another place, such as a web server, that server's domain becomes the home, trusted domain for the Flash Player when it loads a SWF from there. If your data file is in the same domain as the SWF (eg, in the same directory or a sub-directory), then the Flash Player won't have a problem loading it.

          HTTPService url="mydata/myfile.xml" or url="/flex/mydata/myfile.xml" work because they are relative paths to where the SWF is located and thus, in the same domain. However, if you do: url=" http://localhost/mydata/myfile.xml" and the SWF is now coming from a web server in a different domain (foreign domain), then its a security problem.

          In order for the Flash Player to be allowed to load data from outside the home domain, there must be something that authorizes it. That's the crossdomain.xml file. When the Flash Player sees that you are going to load a file from a different domain, it asks that domain for its crossdomain.xml file. The Player then looks to see if its home domain is among those allowed to access files. If not, security error. If the home domain is present, then the file is requested.

          The crossdomain.xml file should list the home domain of the SWF, not your machine's domain or IP address. For example, suppose the SWF is now on adobe.com and is launched like this: http://www.adobe.com/flex/YourApp.html. The Flash Player will assume that www.adobe.com is its home domain. Even if you are in the abcxyz.com domain.

          Now your Flex app wants to load http://localhost/mydata/myfile.xml. The Player will ask for http://localhost/crossdomain.xml and look to see if www.adobe.com is allowed access.

          To recap:
          The domain of the first SWF loaded into the Player is the home domain.

          Any access to data outside of the home domain requires a crossdomain.xml file.

          The crossdomain.xml file should be at the context root of the domain (eg, http://www.adobe.com/crossdomain.xml or http://localhost/crossdomain.xml). The home domain must be granted access to load any resources from the foreign domain.

          If you are using Flex Data Services and you have useProxy="true" on your data service request, then some different security rules apply. Let us know if that's the case.
          • 2. Re: Will I need a crossdomain.xml file?
            Flama22 Level 1
            Thanks for the reply Peter. It was one of your earlier posts that I read that let me know this was probably a crossdomain.xml issue and got me pointed in that direction to begin with. I was just reading a blog entry by Mike Potter, also from Adobe ( http://blogs.adobe.com/mikepotter/2006/08/running_a_flex.html), which might also help me, as I have been using relative paths, but unfortunitly something else has come up here at work and I won't be able to look into it until Monday.

            I have this thread bookmarked though and will go through what you've said next week and I will probably have more questions then too.
            • 3. Re: Will I need a crossdomain.xml file?
              Flama22 Level 1
              I've read over your reply more carefully now and it seems to verify what I already thought. The SWF file I am launching is found on my hard drive so therefore my home domain would be "localhost". Since the XML files I am linking it to are also found in the same directory I should be able to use relitive paths to them and a crossdomain.xml file would not be needed as all the files are being launched and linked from the same home domain.

              Am I missing something here?
              • 4. Re: Will I need a crossdomain.xml file?
                Flama22 Level 1
                After some more research I found a simple solution to my problem:

                In the Project Properties (Project > Properties) under the Flex Compiler tab there is a field for addition compiler arguments where I appended "-use-network=false". This line tells Flex that it is being loaded locally and does not need to go out onto the internet for additional resources. After recompiling my code with this I was able to copy my /bin folder out of the build directory and even onto the network and have it load correctly.

                If anyone out there uses this remember to put a space between the compiler arguments otherwise it won't work (ie. "-locale en_US -use-network=false").