23 Sep 2006

I just stumbled on a simple little site called crossdomainxml.org that is devoted to the hugely useful yet somewhat shy and strangely mysterious crossdomain.xml file.

In the early days of Flash, the security sandbox was quite lax and sandbox security errors were almost unheard of. With each new version, however, Adobe (ok, ok, Macromedia) heightened the security of the player to address XSS (cross-site scripting) issues and other security concerns (like the hijacking of trusted network data from untrusted networks).

Instead of blocking data transfer between domains fully as Ajax does, however, Macromedia implemented the crossdomain.xml file so that server administrators can grant access to the data on their servers to either a list of selected domains or to any domain. Among other things, this makes it possible to consume web services from various public web APIs without using a server-side proxy but it does mean that the server has to implement either an open crossdomain.xml file (use the allow-access-from domain="*" rule) or that the server administrator has to add your domain to the list of allowed domains in the crossdomain.xml file. But which public services do this? This is where crossdomainxml.org comes in.
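To make the allow-access-from rule concrete, here is an added example (not code from the post or from crossdomainxml.org) that parses a crossdomain.xml policy, decides whether a SWF served from a given host is granted access, and flags the open domain="*" rule that hands the server's data to every domain on the web. The two policies are constructed samples, and the subdomain-wildcard matching is a simplified assumption rather than the player's exact rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, not copied from any provider listed on crossdomainxml.org.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.org" />
  <allow-access-from domain="*.partner.example" />
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain value of every allow-access-from rule in the policy."""
    root = ET.fromstring(policy_xml)
    return [rule.get("domain", "") for rule in root.iter("allow-access-from")]


def _matches(pattern, host):
    """Simplified matching (assumption): '*' matches everything, '*.base' matches
    base and any host under it, and anything else must match exactly."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def domain_allowed(policy_xml, swf_host):
    """True if a SWF served from swf_host may read this server's data under the policy."""
    return any(_matches(p, swf_host) for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """Defender's check: report rules that expose the server's data beyond named hosts."""
    findings = []
    for pattern in allowed_domains(policy_xml):
        if pattern == "*":
            findings.append('domain="*": any SWF on the web may read this server\'s data')
        elif pattern.startswith("*."):
            findings.append(f'domain="{pattern}": every host under {pattern[2:]} is trusted')
    return findings
```

Run audit() against your own server's policy before publishing it; an open policy is only appropriate for data that is genuinely public and never tied to a logged-in user.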

The site currently lists four public web service providers that have implemented open crossdomain.xml files. These are Yahoo!, YouTube, Flickr, and Amazon. It also links to several articles with more information on crossdomain.xml files.

I'm glad to see high-profile services implementing the crossdomain.xml file as it means that Flash developers can play with these services easily and create fun mashups without writing server-side code. For real-world applications, of course, you should be consuming web services on the server and exposing the data to your Flash/Flex client through an efficient protocol such as Flash Remoting (AMF).

Consuming web services on the server has several advantages. Most importantly, there's the security advantage. Always remember never to put any sensitive information inside your public-facing SWF files. For example, I cringe whenever I see ActionScript that contains database connection information -- you might as well not use a password if you're going to do that. This also applies to any private keys you may be using to access a web service. Don't forget that anyone can disassemble a SWF to get at any information that's included in it. At the very least, they can use your key to make API requests and use up your quota. If the web service is one that you are paying for, this could be an expensive mistake to make! Consuming services on the server also means that you can implement redundancies in case the public web service becomes unavailable (e.g., use a local cache.)

A site dedicated to crossdomain.xml

  1. I’ve got two more (no contact info there, so I post them here)
    mog.com: http://mog.com/crossdomain.xml
    last.fm: http://ws.audioscrobbler.com/crossdomain.xml

    Claus Wahlers
  2. Owen van Dijk
  3. Great post, try googling ‘crossdomain filetype:xml’

    ktec
  4. Has anyone come up with a solution for the following issue:
    You have a web site that resides in one domain and you serve video coming from a streaming server which obviously is on a different domain.
    If you make a snapshot of the site/section using a Bitmap object it's blank because it tries to capture data from another domain and this is not allowed.
    Why would anyone want to make a snapshot? – for example because you may want to be able to make transitions over that snapshot instead of animating things over the real objects, simply for performance reasons.

    Svetoslav Sotirov
  5. [...] http://aralbalkan.com/740 Filed under: Blog by thibault monereau | [...]

    Thibault Monereau, le blog » A site dedicated to crossdomain.xml
  6. Precious info: many thanks…

    Romano
  7. So basically you need to create a crossdomain.xml and store it on the server that serves the services in order for the Flash sandbox security issue to be solved?

    johnny
  8. crossdomain seem sitemap? xml

    thanks

    karaz
  9. thanks

    çet
  10. Thanks

    Ahmet
  11. what happened to the site – it seems to redirect to adobe.com now

    Stefan Richter
  12. I want to display the RSS feed of http://www.cbc.ca for news in Flash. I am using their RSS URL. I can get that data loaded on my machine, but when I uploaded the same code (I have a free webhosting acct), I can not see the news. It gives no error, but it doesn’t display the data. Can anyone guide me how to achieve this? I parsed the XML in ActionScript 2.0. Is there a cross-domain issue in this case and how to solve it?
    Thanks in advance,
    Decosta

    Decosta
  13. Joe Gannon
  14. Yeahh. Thank

    Blogcu
  15. thanks very nice site.

    sikis izle
  16. tenk yu sites.

    sikis izle
  17. thanks sikis izle

    sikis
  18. thanks..

    yalitim
  19. Great article. Thank you

    amatör sesler
  20. Thankssssaa

    driver download
  22. good post, thanks admin

    Sağlık Videoları
  23. Thank you good word.

    Emzik
  24. At last a moment of clarity, in plain English too! Great article will follow your links with optimism.

    steve elson
  25. Took me time to read all the comments, but I really enjoyed the article. It proved to be very helpful to me and I am sure to all the commenters here! It's always nice when you can not only be informed, but also entertained! I'm sure you had fun writing this article.

    driver indir
  26. Hi Aral, thanks for the helpful post on the crossdomain mystery :) I also wrote a brief post on my blog covering this: http://schabby.de/crossdomain-xml-demystified/

    Regards,

    Johannes

    Johannes
  27. Sadly, the crossdomainxml.org site is down.

    Kaleb Hornsby
  28. we feel so glad to have you visit our website, we here mainly introduce our leading product

    ugg boots
  29. I tried your plugin and really like it. However it does not work. I am using the newest WordPress version, the Pixeled theme and jQuery Colorbox. I am experiencing the same problem as others had in this post. A large black space without buttons. Adding the widget via sociofluid.com does work but is very very slow.

    I would really like to have this plugin working on my website. Can you help me out?

    Kind regards,

    Driver indir