What is crossdomain.xml file?

Question

Actually I wish I knew where to start from...

I have embedded an third party SWF image gallery control, in an personal website of mine.

The SWF is XML driven. I load the XML file on the fly as follows....

  var flashvars = { xmlPath: "http://www.example.com/xml.aspx" };
                var params = { allowFullScreen: "true", wmode: "transparent", allowScriptAccess: "always"};
                var attributes = {};
                swfobject.embedSWF("main.swf", "gallery", "100%", "100%", "9.0.0", "expressInstall.swf", flashvars, params, attributes);

The problem is that the page did not work as expected. Actually it worked only in Firefox, not in Chrome or I.E.

After checking the requests with fiddler, i found that the file crossdomain.xml was not found. So, stackoverflow helped me finding a sample...

<?xml version="1.0" ?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

After adding the crossdomain.xml the webpage now works in Firefox AND I.E. In Chrome i still have a problem.

So here are a couple of questions...

1) What is the crossdomain.xml?

2) How can i make my webpage work in Chrome too?

score 24 · Accepted Answer · edited May 23 '17 at 11:53

24

"A cross-domain policy file is an XML document that grants a web client—such as Adobe Flash Player, Adobe Reader, etc.—permission to handle data across multiple domains.". Taken from Adobe website http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html.

EDIT: Answer to question 2: Flex crossdomain.xml not working correctly in Chrome/Firefox?. Install Adobe Flash Player for developers, Fiddler (or similar), these tools should make your life easier. Also read http://kb2.adobe.com/cps/839/cpsid_83950.html.

edited May 23 '17 at 11:53

Community

1
1

answered Nov 13 '10 at 19:46

Tomas Voracek

5,735
1
22
39

Thank you! Could you point me why the SWF does not work with Chrome too? – OrElse Nov 13 '10 at 20:01
15

i think it is because SO is faster and easier than Google :) – Nov 13 '10 at 20:12
Actually i learned about the missing crossdomain.xml file with the aid of fiddler – OrElse Nov 13 '10 at 22:58
@JNF no worries, without sites like SO, google cannot answer any question at all, so keep posting, asking, trying, sharing. Cheers! – Adi Jan 23 '13 at 21:37
1

@JNF Pssst. That was intended ;-) – Tomas Voracek Apr 01 '13 at 21:10
"I always wonder why..." So you're one of those people who trusts everything you read on the internet? I always wonder why people keep complaining about that. SO wouldn't exists if everyone just used Google. How about 1) Google search isn't a system of trust, 2) We can't "correct" google search results, 3) You could spend all day looking for an answer and a) never use the correct search terms, or b) use the correct search terms and find bad information. – jonschlinkert Oct 16 '13 at 16:25
1

@jonschlinkert C'mon, I am not that stupid. Why so serious? I am not saying anything about what source you should trust! Also, do you think SO is always correct? Not by a long shot. I've seen countless of incorrect answers, a lot of those were even marked as accepted... – Tomas Voracek Oct 16 '13 at 19:01
Not the downvoter, however it is better to answer the question with a quotation and then link to the source. If you answer just with links your answer becomes invalid as soon as the links change. It also means people coming here for a quick one sentence answer will need to load another web page. – AnnanFay Jun 03 '14 at 19:27
Even I am getting this issue, Insecure crossdomain.xml file **https://nvmbd1bkh150v02.in.ril.com/crossdomain.xml** but as per this case, I dont even have a SWF file. So what could be the reason in my case. ? – hud Sep 03 '18 at 11:21

score 8 · Answer 2 · answered Nov 13 '10 at 23:08

8

And for all the newbies out there just like me, the SWF works in Chrome too!

The difference was that http://www.example.com and http://example.com are TWO DIFFERENT "entity s".

I was loading the file to var flashvars = { xmlPath: "http://www.example.com/xml.aspx" }; and made my tests with Chrome, on a "different domain" http://example.com

answered Nov 13 '10 at 23:08

OrElse

8,657
36
127
234

That's a bit weird though. As defined [here](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy), the description of origin is: Protocol + Port + Hostname. Not sure but may be the hostname is different in both cases. – aka_007 Oct 27 '16 at 12:25

What is crossdomain.xml file?

2 Answers2

Linked