14 Replies Latest reply on Apr 20, 2014 9:43 PM by vsinha91

    loadPolicyFile() on crossdomain.xml with query parameters


      Dear Flex/Flash community,


      We have a large amount of SWF's hosted in an Amazon CloudFront distribution. We grant the files access to our main (EC2) servers through the use of a /crossdomain.xml file, also obviously served through that same distribution.


      We are just completing a project where we're switching to using signed URL's. The general idea is that instead of handing out eternal hot-linkable references to our media, we hand out expiring URL's that are cryptographically signed. So instead of




      I want to load the rather more voluminous


          http://d2qrbixkomwmmv.cloudfront.net/crossdomain.xml?Expires=1289933376&Key-Pair-Id=APKAIK ZM3ZNS6I3DEVDA&Signature=TiwBK2s0tt1FhsdPmFaUrbeVd~YeZQCcrCxTtZzuAI0SJvfOLR8udrwWUcoeAKFUI oNqlrHPc0j875M7qXpt9V2D~76vrd2KyA~JpUsStWP~XbMx~SDzdyCJ9v5G8xdu3TzbAtj2k9PBUJ4l6qjSMezfcIN ~OIO9TsR51gUrP5o_


      The problem is that the Flash Player doesn't consider this a valid master policy file. I don't see why. I'm all on board with requiring that ownership of a site is demonstrated by being able to place a file in the server root. But why forbid query parameters? What security purpose does that serve?


      Unfortunately, once you configure a Cloudfront distribution to require signed URLs, all the URLs on it need to be signed. This leaves us in the very unpleasant situation of having essentially completed a non-trivial transition project, only to stumble over something so silly we didn't even think of it when we started.


      Has anybody else experienced anything like this? Can anybody think of a decent workaround? Is this "working as intended" or an oversight?



        • 1. Re: loadPolicyFile() on crossdomain.xml with query parameters
          Flex harUI Adobe Employee

          My contact on the Security team does not know of a security-related reason

          this would not work.  Could be some restriction he's forgotten or could be a

          bug somewhere.


          First, let's verify:


          1) you are calling flash.system.Security.loadPolicyFile() with the url with


          2) you are calling it early

          3) you have verified with a network monitor that the request is going out as



          My contact did say that the to-ports is not "legal" in an HTTP

          crossdomain.xml so try taking that out just to be sure.

          1 person found this helpful
          • 2. Re: loadPolicyFile() on crossdomain.xml with query parameters
            Zellectronic Level 1

            Thanks for your reply! The answer is yes to 1), 2) and 3). It's pretty easy to verify the basic issue. A quick test script:


                var domain :String = "mediacloud.whirled.com";

                trace("Loading regular Policy File: http://" + domain + "/crossdomain.xml");

                Security.loadPolicyFile("http://" + domain + "/crossdomain.xml");

                trace("Loading Policy File with query: http://" + domain + "/crossdomain.xml?foo=bar");

                Security.loadPolicyFile("http://" + domain + "/crossdomain.xml?foo=bar");


            yields this output:


                Loading reguar Policy File: http://mediacloud.whirled.com/crossdomain.xml

                Loading Policy File with query: http://mediacloud.whirled.com/crossdomain.xml?foo=bar

                Warning: Ignoring <site-control> tag in policy file from http://mediacloud.whirled.com/crossdomain.xml?foo=bar.  This tag is only allowed in master policy files.



            Now, as it happens, I think I've stumbled on a solution that will work in my case. If I make sure crossdomain.xml is served with the official 'text/x-cross-domain-policy' content type, the Flash player will be partially mollified, and accept the subsequent <allow-access-from> even though it still doesn't think I'm giving it a master policy file.


            I do still think the original question stands; does the addition of query parameters make the URL less authoritative? I don't see why it would. I understand wanting not to make a security check depend too deeply on the intrincacies if URL parsing, but both the ? and the # constructs should be safe.


            I might file a bug for this and see what responses that gets. Thanks again!


            • 3. Re: loadPolicyFile() on crossdomain.xml with query parameters
              Flex harUI Adobe Employee

              My security team contact mentioned this morning that there is a difference

              between policy files and "master policy files" and the master must always be

              served from the root.  He said you could potentially put your stuff in a

              sub-folder and then have more control over security.


              Here's a snippet from his reply:


                  1. Removing the signing constraint for the /cross-domain.xml file so

              that Flash Player can request it without the 403 error.

                  2. Move the content he wants to share into a subdirectory.

                  3. Implement a child cross-domain policy in that sub-directory that has

              the signing restriction.

                  4. Use loadPolicyFile() to request the child cross-domain policy within

              that sub-directory.


                  It is the same thing, but one directory down from where he is currently

              attempting it.

              1 person found this helpful
              • 4. Re: loadPolicyFile() on crossdomain.xml with query parameters
                Zellectronic Level 1

                The problem there is that the entire domain is an Amazon CloudFront distribution, and there is no way within that API to specify granular requirements of the type you suggest. Once you enable signed URLs for a distribution, all URLs have to be signed. There's no way to do a subdirectory trick.


                I have a thread going with Amazon, too, suggesting that would be a splendid extension to the CloudFront API. :-)


                Meanwhile, the content type fix still looks promising. Thanks for your continued efforts.

                • 5. Re: loadPolicyFile() on crossdomain.xml with query parameters

                  We're having the exact problem. Did you file a bug for this?

                  • 6. Re: loadPolicyFile() on crossdomain.xml with query parameters

                    "My security team contact mentioned this morning that there is a difference

                    between policy files and "master policy files" and the master must always be

                    served from the root."


                    But that's exactly the problem - the file IS served from the root. http://www.domain.com/crossdomain.xml?someAuthParametersHere is a 100% valid URL for a root file. You guys need to admit this as a bug and fix the darn thing. It's been a pain point for private cloudfront distributions since it came out, and there's not one good reason for it.


                    This is not an Amazon issue, it's yet another annoying Flash bug that won't go away. You guys need to slow down your new features and make the current VM work the way it's supposed to.

                    • 7. Re: loadPolicyFile() on crossdomain.xml with query parameters

                      I am also having this issue with signed urls.



                      Security.loadPolicyFile('https://sample.cloudfront.net/crossdomain.xml?Expires=XXXXX&Key-Pair-Id=XXXXXX&Signature=X XXXXX')


                      I am able to stream video no problem, however I am unable to load the thumbnail images into flash.


                      var context:LoaderContext = new LoaderContext();



                      var thumbload =new Loader();



                      var request:URLRequest=new URLRequest('https://sample.cloudfront.net/thumbs/large/?Expires=XXXXX&Key-Pair-Id=XXXXXX&Signature=XXX XXX');

                      thumbload.contentLoaderInfo.addEventListener(Event.COMPLETE, iCompleteHandler);

                      function iCompleteHandler(event:Event):void {






                      When I run the above in the browser, firebug reports it loads the loadpolicy file with no errors.


                      Then it tries to load the same crossdomain file again with without the querystring with an 403 error.


                      The best part you can see that the image loads via firebug.

                      • 8. Re: loadPolicyFile() on crossdomain.xml with query parameters
                        j-eggs Level 1



                        Zellectronic's content-type fix worked for us. Did you check the content-type on the crossdomain.xml being returned?


                        Check the headers on the response, there should be a line:


                        Content-Type: text/x-cross-domain-policy


                        Content-Type: text/xml

                        When we changed ours from "text/xml" to "text/x-cross-domain-policy" we still received a warning in the trace output, but the images showed up in the application.

                        • 9. Re: loadPolicyFile() on crossdomain.xml with query parameters

                          It doesn't appear this has been fixed yet.


                          I have a crossdomain.xml file in the root directory of my CDN, but I need to add a query parameter to it to sign the request. The entire domain is protected at Akamai, so if I want to access any files (including the crossdomain.xml file), I need to add a security token as a query parameter.


                          A query parameter does not change the fact that the crossdomain.xml file is placed in the root directory - it should be valid.

                          • 10. Re: loadPolicyFile() on crossdomain.xml with query parameters

                            It appears this still hasn't been fixed even in the latest version of Flash player. Come on Adobe... you guys are still actively working on Flash, aren't you? I ran up against the exact same issue when trying to access video bitmap data from video files delivered through Akamai. We have an "origin server" setup where I work where we host the video files on our own internal servers and then they get "pulled" into Akamai for a minimum 24 hour period upon request -- but as far as Flash player is concerned, it looks like they are simply stored on Akamai. The problem is that on our "protected" media CDN setup, we have to use authentication tokens passed as URL parameters. I can confirm that passing any sort of URL parameters to a root crossdomain.xml file on the server results in Flash player essentially ignoring the file and attempting to re-download it without the URL parameters which, of course, fails due to the authentication system. As others have pointed out, this only happens if the MIME type returned for the file comes back as text/xml. I can also confirm that forcing the MIME type to return as text/x-cross-domain-policy in this situation does indeed seem to fix the problem even though it still attempts to download the file again without the URL parameters but at least Flash player actually applies the policy file the first time. I can't think of a single good reason why Flash player would be designed to do this... it shouldn't care about URL parameters being passed to a crossdomain.xml file at all.


                            Side note, on our public CDN setup, which requires no authentication tokens to be passed as URL parameters, Flash player is more than happy to download and apply the root crossdomain.xml file -- even when the MIME type is returned as text/xml. This seems to most definitely be a bug to me... but since there's been no fix released in the 1-2 years since this has been reported, I'm not holding my breath for one.

                            • 11. Re: loadPolicyFile() on crossdomain.xml with query parameters
                              Flex harUI Adobe Employee

                              That the player is consistent about requiring a particular MIME type?  If you have a simple test case, file a bug against the player at bugbase.adobe.com.

                              • 12. Re: loadPolicyFile() on crossdomain.xml with query parameters
                                seanhsmith Level 1

                                That's the thing, it's not consistent about requiring a particular MIME type. Without any URL parameters, it will happily apply a crossdomain.xml policy file that has a MIME type of "text/xml" returned with it. However, if you are using URL parameters because you need to pass an authentication token to it, for example, you must return a MIME type of "text/x-cross-domain-policy" or it will not be applied. This may not be possible for certain people depending on their server configuration(s).


                                Thanks for the link. I have submitted a bug after searching for and not finding any that appear to describe the same issue. The URL of the bug tracker is: https://bugbase.adobe.com/index.cfm?event=bug&id=3193840

                                • 13. Re: loadPolicyFile() on crossdomain.xml with query parameters
                                  seanhsmith Level 1

                                  After a long time, this is my first visit back to this page after seeing a comment I had put in our source code dealing with this issue. I just realized that I never responded in that we had verified that the Content-type fix does indeed work-around the issue.


                                  Just to recap, like others we have video files hosted on Akamai's CDN in both public and protected domains. The protected domain requires an authorization key to be sent as a URL parameter when requesting a file from it. The problem was that calling Security.loadPolicyFile() on the crossdomain.xml in the root of this site would result in Flash downloading the policy file but it would not apply it. This resulted in our thumbnail generator, where our clients can seek through a video and then click a button to generate a thumbnail, throwing a security error when it tried to access the video's bitmap data because of the cross-domain security sandbox.


                                  The solution for us was to rename crossdomain.xml to crossdomain.xdp (an extension I made up -- I was thinking "cross domain policy") and we configured IIS on our own servers (Akamai echoes the headers your own server will return with the file) to return a specific Content-type header for this extension: text/x-cross-domain-policy


                                  Once this change was made, the cross domain policy file would be applied normally. As of Flash 12 this still appears to be required.

                                  • 14. Re: loadPolicyFile() on crossdomain.xml with query parameters

                                    One solution is using multiple behaviour on the cloudfront distribution. Cloudfront allows you add behaviours based on reuqest path. So for using crossdomain.xml in the root, one can add a behaviour with pattern /crossdomain.xml and allow this to be accessed without signing.


                                    This will result in all files other than crossdomain.xml file requiring signing, thus solving the problem. I tested it and it is working.