Flash Cross-Domain File
Ali Mills
I'm working to access the GData API with ActionScript. Before I can,
I need a permission file added to Google's servers because of the
Flash Player's security model
(http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/js/html/wwhelp.htm?href=00001950.html).
Is this the right forum to make such a request?
For some information on Flash's permission files, please see
http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/js/html/wwhelp.htm?href=00001950.html.
Here's a excerpt from that page:
<snip>
ActionScript objects instantiate two different kinds of server
connections: document-based server connections and socket connections.
ActionScript objects like Loader, Sound, URLLoader, and URLStream
instantiate document-based server connections, and these each load a
file from a URL. ActionScript Socket and XMLSocket objects make socket
connections, which operate with streaming data, not loaded documents.
Flash Player supports two kinds of policy files: document-based policy
files and socket policy files. Document-based connections require
document-based policy files, while socket connections require socket
policy files.
</snip>
The popular ActionScript framework Flex
(http://www.adobe.com/products/flex/) includes a HTTPService class
(http://livedocs.macromedia.com/flex/2/langref/mx/rpc/http/HTTPService.html)
that's mostly complete
(http://blogs.adobe.com/kiwi/2006/07/making_http_calls_in_actionscr.html)
but lacking in one key feature necessary to communicate with the GData
API. With the class, there's no way with to extract the an HTTP
response's headers. This feature seems like a key part of working
with GData. For example, it seems like getting a feed
(http://code.google.com/apis/gdata/calendar.html#get_feed) and
handling a CAPTCHA
(http://code.google.com/apis/accounts/AuthForInstalledApps.html#Response)
challenge require the ability.
The lack of this ability combined with the lack of source code for
HTTPService has me heading in the direction of implementing HTTP and
HTTPS with the ActionScript Socket
(http://livedocs.macromedia.com/flex/2/langref/flash/net/Socket.html)
class. Before I head down the path, I want to request that a
permission file is added to Google's servers. The file I need is a
cross-domain-policy file, or crossdomain.xml, which will give me (and
all other developers) permission to access Google data from my domain.
The contents of the file look like:
----8<------------
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80,443" />
</cross-domain-policy>
---->8------------
The sample file above should allow document and socket-based
connections on ports 80 and 443 from Flash clients.
Yahoo! (http://api.search.yahoo.com/crossdomain.xml), Flickr
(http://api.flickr.com/crossdomain.xml), and Google's recently
purchased YouTube (http://www.youtube.com/crossdomain.xml) all host
cross-domain files. Will GData also?
Thanks.
Ali
// --------------------------
More information on cross-domain-policy files can be found at the
following URLs:
Flash Player Security
http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001957.html#145624
Overview of permission controls
http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001957.html#145624
Socket.connect()
http://livedocs.macromedia.com/flex/2/langref/flash/net/Socket.html#connect()
Flash Player 9 Security white paper
http://www.adobe.com/go/fp9_0_security
Potential cross-domain issue
http://shiflett.org/archive/250
http://shiflett.org/archive/263