Description
Flash requires a crossdomain.xml file when connecting to a foreign server. For example, let's say the Flash app is served from www.example.com and wants to make a network connection to xmpp.example.com to do XMPP operations. That connection won't be allowed unless a crossdomain.xml file on xmpp.example.com permits it. With no intervention from the developer, Flash will try to fetch the crossdomain.xml file with an HTTP request to port 80 of xmpp.example.com in this example. However, starting with Flash 7, it's possible to make an XML socket request to find the crossdomain.xml file:
System.security.loadPolicyFile("xmlsocket://example.com:5222");
mySocket.connect("example.com", 5222);
That will cause Flash to send the following request to port 5222:
<policy-file-request/>
(note, need to verify actual syntax using a Flash connection).
We should specially intercept that XML request and return the crossdomain.xml contents instead of standard XMPP. It may seem a bit awkward to implement the feature this way, but it makes network settings much easier, since port 5222 must already be open in the firewall. We don't want to require that users run an HTTP server on the same domain as their XMPP server, which is the motivation for this feature.
When we get a request, we should return the following:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="5222,5223" />
</cross-domain-policy>
That allows Flash content served from any domain to connect to ports 5222 and 5223.
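A sketch of the interception described above, added here as an example and not taken from the server's own code. It assumes the request and the reply are each terminated by a NUL byte (the exact syntax is not confirmed on this page); `build_policy`, `classify` and `first_response` are hypothetical names.

```python
from xml.sax.saxutils import quoteattr

# Assumption: request and reply are NUL-terminated (not confirmed on this page).
POLICY_REQUEST = b"<policy-file-request/>\x00"


def build_policy(domains=("*",), ports=(5222, 5223)):
    """Return the policy document as bytes, ready to write to the socket."""
    for port in ports:
        if not 0 < int(port) < 65536:
            raise ValueError(f"bad port: {port!r}")
    port_list = quoteattr(",".join(str(int(p)) for p in ports))
    # quoteattr escapes each value, so a configured domain cannot break the XML.
    rules = "".join(
        f"<allow-access-from domain={quoteattr(d)} to-ports={port_list} />\n"
        for d in domains
    )
    doc = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE cross-domain-policy SYSTEM "
        '"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">\n'
        f"<cross-domain-policy>\n{rules}</cross-domain-policy>\n"
    )
    return doc.encode("utf-8") + b"\x00"


def classify(buf):
    """Classify the first bytes of a new connection on the XMPP port."""
    if buf.startswith(POLICY_REQUEST):
        return "policy"
    if POLICY_REQUEST.startswith(buf):
        return "need_more"  # still a prefix of the request: keep reading
    return "xmpp"  # diverged: hand the buffer to the normal stream parser


def first_response(chunks, policy):
    """Feed TCP reads in order; return the policy bytes or None for XMPP."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        kind = classify(buf)
        if kind == "policy":
            return policy  # write it, then close the connection
        if kind == "xmpp":
            return None
    return None  # peer closed before sending a full request


if __name__ == "__main__":
    # Constructed sample: the request arrives split across two reads.
    print(first_response([b"<policy-file", b"-request/>\x00"], build_policy()))
```

Because `classify` stops waiting as soon as the input diverges from the request, a normal XMPP stream header is passed on after its second byte and the check never buffers more than the length of the request. Passing explicit hosts to `build_policy`, such as `("www.example.com",)`, emits one rule per host in place of the `*` wildcard.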
Note, a good resource that talks about crossdomain.xml is at:
http://www.macromedia.com/devnet/flash/articles/fplayer_security_03.html