Flash Cross-Domain File

Skip to first unread message

Ali Mills

Nov 13, 2006, 7:05:27 PM11/13/06
to google-he...@googlegroups.com

I'm working to access the GData API with ActionScript. Before I can,
I need a permission file added to Google's servers because of the
Flash Player's security model
Is this the right forum to make such a request?

For some information on Flash's permission files, please see
Here's a excerpt from that page:

ActionScript objects instantiate two different kinds of server
connections: document-based server connections and socket connections.
ActionScript objects like Loader, Sound, URLLoader, and URLStream
instantiate document-based server connections, and these each load a
file from a URL. ActionScript Socket and XMLSocket objects make socket
connections, which operate with streaming data, not loaded documents.
Flash Player supports two kinds of policy files: document-based policy
files and socket policy files. Document-based connections require
document-based policy files, while socket connections require socket
policy files.

The popular ActionScript framework Flex
(http://www.adobe.com/products/flex/) includes a HTTPService class
that's mostly complete
but lacking in one key feature necessary to communicate with the GData
API. With the class, there's no way with to extract the an HTTP
response's headers. This feature seems like a key part of working
with GData. For example, it seems like getting a feed
(http://code.google.com/apis/gdata/calendar.html#get_feed) and
handling a CAPTCHA
challenge require the ability.

The lack of this ability combined with the lack of source code for
HTTPService has me heading in the direction of implementing HTTP and
HTTPS with the ActionScript Socket
class. Before I head down the path, I want to request that a
permission file is added to Google's servers. The file I need is a
cross-domain-policy file, or crossdomain.xml, which will give me (and
all other developers) permission to access Google data from my domain.
The contents of the file look like:


<?xml version="1.0"?>
<allow-access-from domain="*" to-ports="80,443" />


The sample file above should allow document and socket-based
connections on ports 80 and 443 from Flash clients.

Yahoo! (http://api.search.yahoo.com/crossdomain.xml), Flickr
(http://api.flickr.com/crossdomain.xml), and Google's recently
purchased YouTube (http://www.youtube.com/crossdomain.xml) all host
cross-domain files. Will GData also?



// --------------------------

More information on cross-domain-policy files can be found at the
following URLs:

Flash Player Security

Overview of permission controls

Loading data


Flash Player 9 Security white paper

Potential cross-domain issue

Reply all
Reply to author
0 new messages