Can someone post a well formed crossdomain.xml sample?
I've been reading that Adobe has made crossdomain.xml stricter in flash 9-10 and I'm wondering of someone can paste me a copy of one that they know works. Having some trouble finding a recent sample on Adobe's site.

Plain answered 17/10, 2008 at 18:19 Comment(1)
This might seem dangerously obvious, but as a Flash developer with 10 years experience, I can tell you that every policy file I've ever implemented has failed and not even pretended to work... until today. Turns out you need to ACTUALLY LOAD the policy file yourself. The docs make it sound like Flash will automatically go looking for crossdomain.xml files by itself prior to having a SecuritySandbox error. So if you're struggling, make sure you ARE LOADING the policy file: Security.loadPolicyFile("example.com/crossdomain.xml") - Yeorgi
This is what I've been using for development:

<?xml version="1.0" ?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

This is a very liberal approach, but is fine for my application.

As others have pointed out below, beware the risks of this.

Heliopolis answered 17/10, 2008 at 18:23 Comment(4)
This works in a sense, but please note the risks: this means that any website can send requests to your website on the user's behalf, cookies and all, and read the response without issue. For most web apps, this is a huge security vulnerability. So, while this approach has its place, please know the risks and take a strict whitelist approach when necessary (which is almost always for production apps). - Celtuce
Do not use this outside development. This exactly matches the example of a "badly configured crossdomain.xml" from the hardened PHP project. - Tomfool
If you're serving the file yourself, remember to set the correct Content-Type: "text/x-cross-domain-policy" - Contradict
There is one (and only one) circumstance where this would be acceptable in a production environment: where you are installing it on a domain that only serves static files for the use of applications on other domains. Example: you have an "images.mydomain.com" subdomain that serves all of your site's images (presumably using some kind of CDN) and nothing else. - Emmy
If you're using web services, you'll also need the 'allow-http-request-headers-from' element. Here's our default development 'allow everything' policy.

<?xml version="1.0" ?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
Busily answered 18/10, 2008 at 18:0 Comment(4)
Perhaps you should mention if / how this could be dangerous? - Budgie
Where to save this XML file? - Rosenblatt
I always use Adobe's scheme. Here is an example of a loose one: https://mcmap.net/q/260783/-flash-and-multiple-domain-sub-domains-gt-crossdomain-xml - Cutworm
Save on the domain level that you wish it to affect. e.g. example.com/crossdomain.xml - Marishamariska
Take a look at Twitter's:

http://twitter.com/crossdomain.xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
    <allow-access-from domain="twitter.com" />
    <allow-access-from domain="api.twitter.com" />
    <allow-access-from domain="search.twitter.com" />
    <allow-access-from domain="static.twitter.com" />
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>
Heterophyllous answered 29/3, 2011 at 12:21 Comment(1)
On a production site this seems suitable:

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.mysite.com" />
  <allow-access-from domain="mysite.com" />
</cross-domain-policy>
Corner answered 21/4, 2012 at 13:41 Comment(0)
A version of crossdomain.xml used to be packaged with the HTML5 Boilerplate which is the product of many years of iterative development and combined community knowledge. However, it has since been deleted from the repository. I've copied it verbatim here, and included a link to the commit where it was deleted below.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Read this: https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->

  <!-- Most restrictive policy: -->
  <site-control permitted-cross-domain-policies="none"/>

  <!-- Least restrictive policy: -->
  <!--
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
  -->
</cross-domain-policy>

Deleted in #1881
https://github.com/h5bp/html5-boilerplate/commit/58a2ba81d250301e7b5e3da28ae4c1b42d91b2c2

Pour answered 18/7, 2015 at 5:52 Comment(0)
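As an added example (not code from any answer on this page), a small Python linter that parses a crossdomain.xml and flags the settings the comments above warn about: a wildcard allow-access-from, secure="false", to-ports="*", the "all" meta-policy, and wildcard request headers, plus a missing site-control and a file that is not well-formed XML. The two sample policies are constructed here, modelled on the development and production files posted in the answers.

```python
import xml.etree.ElementTree as ET

def lint_policy(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing risky was seen."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "cross-domain-policy":
        return [f"root element is <{root.tag}>, expected <cross-domain-policy>"]
    findings = []

    # Meta-policy: without master-only, policy files elsewhere on the host are honoured.
    sc = root.find("site-control")
    if sc is None:
        findings.append('no <site-control>: add permitted-cross-domain-policies="master-only"')
    elif sc.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control "all": any policy file anywhere on the host is trusted')

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can read responses with the user\'s cookies')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from {domain}: every subdomain is trusted")
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from {domain} secure="false": http-loaded content may read https data')
        if el.get("to-ports") == "*":
            findings.append(f'allow-access-from {domain} to-ports="*": every port is exposed')

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append('allow-http-request-headers-from domain="*" headers="*": any site can send arbitrary headers')
    return findings

# Constructed samples: an "allow everything" development policy and a strict production one.
DEV_POLICY = """<?xml version="1.0" ?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

PROD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.mysite.com"/>
  <allow-access-from domain="mysite.com"/>
</cross-domain-policy>"""
```

Running `lint_policy(DEV_POLICY)` reports the wildcard access and wildcard headers, while `lint_policy(PROD_POLICY)` returns an empty list; feed it the text of a live `/crossdomain.xml` to review your own deployment.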