Aral Balkan

I just stumbled on a simple little site called crossdomainxml.org that is devoted to the hugely useful yet somewhat shy and strangely mysterious crossdomain.xml file.

In the early days of Flash, the security sandbox was quite lax and sandbox security errors were almost unheard of. With each new version, however, Adobe (ok, ok, Macromedia) heightened the security of the player to address XSS (cross-site scripting) issues and other security concerns (like the hijacking of trusted network data from untrusted networks).

Instead of blocking data transfer between domains fully as Ajax does, however, Macromedia implemented the crossdomain.xml file so that server administrators can grant access to the data on their servers to either a list of selected domains or to any domain. Among other things, this makes it possible to consume web services from various public web APIs without using a server-side proxy but it does mean that the server has to implement either an open crossdomain.xml file (use the allow-access-from domain="*" rule) or that the server administrator has to add your domain to the list of allowed domains in the crossdomain.xml file. But which public services do this? This is where crossdomainxml.org comes in.

The site currently lists four public web service providers that have implemented open crossdomain.xml files. These are Yahoo!, YouTube, Flickr, and Amazon. It also links to several articles with more information on crossdomain.xml files.

I'm glad to see high-profile services implementing the crossdomain.xml file as it means that Flash developers can play with these services easily and create fun mashups without writing server-side code. For real-world applications, of course, you should be consuming web services on the server and exposing the data to your Flash/Flex client through an efficient protocol such as Flash Remoting (AMF).

Consuming web services on the server as several advantages. Most importantly, there's the security advantage. Always remember never to put any sensitive information inside your public-facing SWF files. For example, I cringe whenever I see ActionScript that contains database connection information -- you might as well not use a password if you're going to do that. This also applies to any private keys you may be using to access a web service. Don't forget that anyone can disassemble a SWF to get at any information that's included in it. At the very least, they can use your key to make API requests and use up your quota. If the web service is one that you are paying for, this could be an expensive mistake to make! Consuming services on the server also means that you can implement redundancies in case the public web service becomes available (e.g., use a local cache.)

Comments

• I've got two more (no contact info there, so i post them here) mog.com: http://mog.com/crossdomain.xml last.fm: http://ws.audioscrobbler.com/crossdomain.xml

  by Claus Wahlers on 2006-09-23 15:41:16

• Another here: http://musicbrainz.org/crossdomain.xml :)

  by Owen van Dijk on 2006-09-23 17:35:51

• Great post, try googling 'crossdomain filetype:xml'

  by ktec on 2006-09-29 09:06:01

• Has anyone come up with a solution for the following issue: You have a web site that resides in one domain and you serve video comming from a streaming server which obviously is on a different domain. If you make a snapshot of the site/section using Birmap Object its blank because it trys to capture data from another domain and this is not allowed. Why would anyone want to make a snapshot? - for example because you may want to be able to make transitions over that snapshot instead of animating things over the real objects simply for performance reasons

  by Svetoslav Sotirov on 2006-09-29 16:02:50

• [...] http://aralbalkan.com/740 Enregistré dans : Blog by thibault monereau | [...]

  by Thibault Monereau, le blog » A site dedicated to crossdomain.xml on 2006-12-12 12:46:53

• Precious info: many thanks...

  by Romano on 2008-01-29 14:40:17

• Thanks

  by Ahmet on 2008-10-31 08:50:26

• what happened to the site - it seems to redirect to adobe.com now

  by Stefan Richter on 2008-11-06 09:44:52

• So basically you need to create a crossdomain.xml and store it into your server that serve the services in order the flash sandbox sercurity issue to be solved?

  by johnny on 2008-07-30 18:56:11

• thansk

  by çet on 2008-10-23 21:29:06

• crossdomain seem sitamap? xml thanks

  by karaz on 2008-10-02 06:11:25

• I want to display rss feed of www.cbc.ca for news in flash. I am using their rss url. I can get that data loaded on my machine, but when I uploaded same code (I have free webhosting acct), I can not see the news. It gives no error, but it doesn't display the data. Can anyone guide me how to achive this. I parsed the xml in actionscript2.0. Is their cross-domain issue in this case and how to solve it? Thanks in advance, Decosta

  by Decosta on 2009-01-29 00:58:17

• Another one: http://www.nws.noaa.gov/crossdomain.xml

  by Joe Gannon on 2009-07-14 15:27:37

• good post, thanks admin

  by Sağlık Videoları on 2010-01-25 23:50:45

• Yeahh. Thank

  by Blogcu on 2010-01-23 15:55:16

• thanks very nice site.

  by sikis izle on 2010-01-23 17:03:00

• tenk yu sites.

  by sikis izle on 2010-01-23 17:03:32

• thanks sikis izle

  by sikis on 2010-01-23 17:04:33

• tesekkürler..

  by yalitim on 2010-01-23 17:04:53

• Great article. Thank you

  by amatör sesler on 2010-01-23 18:37:41

• Thankssssaa

  by driver download on 2010-01-23 19:41:26

• So basically you need to create a crossdomain.xml and store it into your server that serve the services in order the flash sandbox sercurity issue to be solved?

  by driver download on 2010-01-23 19:42:01

• Thank you good word.

  by Emzik on 2010-02-28 15:11:52

• At last a moment of clarity, in plain English too! Great article will follow your links with optimism.

  by steve elson on 2010-04-22 21:34:02

• Hi Aral, thanks for the helpful post on the crossdomain mystery :) I also wrote a brief post on my blog covering this: http://schabby.de/crossdomain-xml-demystified/ Regards, Johannes

  by Johannes on 2010-06-01 10:28:03

• Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained! I’m sure you had fun writing this article.

  by driver indir on 2010-05-18 18:36:00

• Sadly, the crossdomainxml.org site is down.

  by Kaleb Hornsby on 2010-10-14 23:07:48

• we feel so glad to have you visit our website, we here mainly introsuce our leading product<a

  by ugg boots on 2010-12-14 03:39:51

• Has anyone come up with a solution for the following issue: You have a web site that resides in one domain and you serve video comming from a streaming server which obviously is on a different domain. If you make a snapshot of the site/section using Birmap Object its blank because it trys to capture data from another domain and this is not allowed.

  by Multihack indir on 2011-03-27 20:08:02

• I tried your plugin and really like it. However it does not work. I am using de newest wordpress version, the pixeled theme and JQuey Colorbox. I am experiencing the same problem as other had in this post. A large black space without buttons. Adding the widget via sociofluid.com does work but is very very slow. I would really like to have this plugin working on my website. Can you help me out? Kind regards,

  by Driver indir on 2011-03-27 20:07:40

• So basically you need to create a crossdomain.xml and store it into your server that serve the services in order the flash sandbox sercurity issue to be solved?

  by Driver indir on 2011-04-06 05:47:03

• Soo baasically you need to create a crossdomain.xml and store it into your server that serve the services in order the flash sandbox sercurity issue to be solved?

  by Bitkisel Çözüm on 2011-04-06 05:47:35

• So basically you need to create a crossdomain.xml and store it into your server tahat serve thde services in order the flash sandbox sercurity issue to be solved?

  by Akliselim on 2011-04-06 05:48:02

• My site keeps getting spammed. How do you keep your own website complimentary of it?

  by Liz Embleton on 2012-04-10 22:59:47