XML Flash Slideshow v4 Help

Understanding Flash Player Cross-domain Loading Restrictions

If you are loading image files (or video or audio) or external image data from a server at a different domain, you will be affected by Flash Player security restrictions. In a nutshell: the Flash Player will not allow content to be loaded from a domain other than the one on which the SWF file resides, unless the owner of that other domain specifically authorizes the loading.

First, it's important to explain what qualifies as a 'different domain'. Any difference in either the subdomain or the root domain qualifies a URL as being on an entirely different domain. The most common example might surprise you:

You have a slideshow on http://www.example.org/slideshow.html. You upload some images to your site, and add them to the slideshow with a URL 'http://example.org/images/image1.jpg'. When you view the slideshow, the image fails to load and you receive a security restriction error message. "Huh?" you say, "I'm loading from the same site!" The issue is that the Flash Player views example.org and www.example.org as two separate domains because their subdomains aren't identical.

A more intuitive example is a slideshow at http://www.example.org/ which loads data from http://api.flickr.com/bla . Because this is a different root domain, Flash Player security restrictions go into effect.

When you attempt to load assets (XML data, images, audio, or video files) from a different domain, the Flash Player checks whether a crossdomain policy file has been placed on the remote server. This file is named crossdomain.xml and sits at the root of the domain's server (e.g. http://data.example.org/crossdomain.xml or http://www.dataserver.com/crossdomain.xml). The file must either allow all domains (via the use of a wildcard) or specifically allow the domain on which your slideshow resides; otherwise the loading will not be permitted.

To prevent loading errors (as evidenced by 'Image Failed - Security' messages and other loading errors, such as XML loading errors), you must either load from a server which specifically permits crossdomain loading (if you don't have control over the server), or place a crossdomain.xml file on the server. Here is a simple example file, which permits loading from example.com and all of its subdomains:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="example.com"/>
<allow-access-from domain="*.example.com"/>
</cross-domain-policy>

Two live example files can be viewed at: http://search.yahooapis.com/crossdomain.xml (an open policy, with no restrictions) and http://www.amazon.com/crossdomain.xml (a more restricted policy).  You can learn more about creating crossdomain.xml files (crossdomain security policy files) at Adobe's site: http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
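
The domain check described above can be reproduced offline to audit a policy file before deploying it. The following is an added example, not code from this help page or from Adobe; the function names are illustrative, and it assumes that a "*.example.com" entry matches subdomains only, which is why the sample policy also lists the bare domain.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the example policy file shown on this page.
POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="example.com"/>
<allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain patterns from every allow-access-from entry."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Match one policy pattern against the host that serves the SWF."""
    if pattern == "*":            # open policy: every domain is allowed
        return True
    if pattern.startswith("*."):  # assumption: subdomains only, not the bare domain
        # Keep the leading dot so "notexample.com" cannot match "*.example.com".
        return host.endswith(pattern[1:])
    return host == pattern        # exact match; "www." counts as a difference


def may_load(policy_xml, swf_url):
    """True if a SWF served from swf_url may load from the policy's server."""
    host = (urlsplit(swf_url).hostname or "").lower()
    return any(pattern_matches(p, host) for p in allowed_patterns(policy_xml))


def is_open_policy(policy_xml):
    """True if the policy grants access to SWF files from any domain."""
    return "*" in allowed_patterns(policy_xml)


if __name__ == "__main__":
    for url in ("http://www.example.com/slideshow.swf",
                "http://www.example.org/slideshow.swf"):
        print(url, "->", may_load(POLICY, url))
```

Running is_open_policy over your own crossdomain.xml is a quick way to confirm that the file authorizes only the domains you intended, since a lone "*" entry authorizes SWF files hosted anywhere.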

Advanced users who are comfortable with server-side programming can also circumvent these restrictions by using a server-side proxy on the same server that hosts the slideshow. For an example, see this blog post: http://blog.nelsonsilva.eu/2008/02/27/apache-proxy-for-crossdomain-problems/ .