Flex cross-origin problems

Source: Internet
Author: User

From ESRI:

The client browser will then download the SWF file. After this point, the user might not connect back to this Web server at all but rather directly to the servers containing map content and tasks. Note that if your web application is not hosted on the same server as the ArcGIS Server, you will have to have a crossdomain.xml file on the ArcGIS Server.

About crossdomain.xml

To access data from a different server than the one hosting your Flex application, the remote server needs to have a cross-domain file in the root directory. For security reasons, the Web browser cannot access data that resides outside the exact web domain where the SWF file originated. However, Adobe Flash Player can load data across domains if permission is granted from the server. This is accomplished by including a small crossdomain.xml file on the remote server that permits Flash to connect to services on that server. For instance:

 
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>

For additional information, read "Using cross-domain policy files" in the Adobe Flex 3 Help, see the Adobe connector "External data not accessible outside a Macromedia Flash movie's domain," or view a sample cross-domain file.

Deploying crossdomain.xml

To deploy the cross-domain file on ArcGIS Server, see the instructions specific to your platform.

    • .NET
      Add crossdomain.xml to your Web server root directory, for example, C:\Inetpub\wwwroot.
    • Java
      Add crossdomain.xml to <arcgis_server_install_location>\ArcGIS\Java\web_output, for example, c:\Program Files\ArcGIS\Java\web_output.

From Adobe:

http://livedocs.adobe.com/flex/3/html/help.html?Content1_security2_04.html#139879

Loading assets

Update 4/30/2008:
Note: Flash Player 9.0.124 includes updates that affect the use of cross-domain policy files. For more information, see the "Policy file changes in Flash Player 9" article in the Adobe Developer Connection.

The most common task that developers perform that requires an understanding of security is loading external assets.

Data compared to content

The Flash Player security model makes a distinction between loading content and accessing or loading data. Content is defined as media: visual media that Flash Player can display, such as audio, video, or a SWF file that includes displayed media. Data is defined as something that you can manipulate only with ActionScript code.

You can load data in one of two ways: by extracting data from loaded media content, or by directly loading data from an external file (such as an XML file) or socket connection. You can extract data from loaded media by using the BitmapData.draw() method, the Sound.id3 property, or the SoundMixer.computeSpectrum() method. You can load data by using classes such as the SWFLoader, URLStream, URLLoader, Socket, and XMLSocket classes.

The Flash Player security model defines different rules for loading content and accessing data. Loading content has fewer restrictions than accessing data. In general, content such as SWF files, bitmaps, MP3 files, and videos can be loaded from anywhere, but if the content is from a domain other than that of the loading SWF file, it will be partitioned in a separate security sandbox.

Loading remote assets

Loading remote or network assets relies on three factors:

  • Type of asset. If the target asset is a content asset, such as an image file, you do not need any specific permissions from the target domain to load its assets into your Flex application. If the target asset is a data asset, such as an XML file, you must have the target domain's permission to access this asset. For more information on the types of assets, see "Data compared to content."
  • Target domain. If you are loading data assets from a different domain, the target domain must provide a crossdomain.xml policy file. This file contains a list of URLs and URL patterns that it allows access from. The calling domain must match one of the URLs or URL patterns in that list. For more information about the crossdomain.xml file, see "Using cross-domain policy files." If the target asset is a SWF file, you can also provide permissions by calling the loadPolicyFile() method and loading an alternative policy file inside that target SWF file. For more information, see "Using cross-domain policy files."
  • Loading SWF file's sandbox. To load an asset from a network address, you must ensure that your SWF file is in either the remote or local-with-networking sandbox. To ensure that a SWF file can load assets over the network, you must set the use-network compiler option to true when you compile the Flex application. This is the default. If the application was loaded from the local file system with use-network set to false, the application is put in the local-with-filesystem sandbox and it cannot load remote SWF files.

Loading assets from a remote location that you do not control can potentially expose your users to risks. For example, the remote website B contains a SWF file that is loaded by your website. This SWF file normally displays an advertisement. However, if website B is compromised and its SWF file is replaced with one that asks for a username and password, some users might disclose their login information. To prevent data submission, the loader has a property called allowNetworking with a default value of never.

Using cross-domain policy files

To make data available to SWF files in different domains, use a cross-domain policy file. A cross-domain policy file is an XML file that provides a way for the server to indicate that its data and documents are available to SWF files served from other domains. Any SWF file that is served from a domain that the server's policy file specifies is permitted to access data or assets from that server.

When a Flash document attempts to access data from another domain, Flash Player attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible.

The default policy file is named crossdomain.xml and resides at the root directory of the server that is serving the data. The following example policy file permits access to Flash documents that originate from foo.com, friendoffoo.com, *.foo.com, and 105.216.0.40:

<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
  <allow-access-from domain="www.friendoffoo.com"/>
  <allow-access-from domain="*.foo.com"/>
  <allow-access-from domain="105.216.0.40"/>
</cross-domain-policy>

You can also configure ports in the crossdomain.xml file. For more information about crossdomain.xml policy files, see Programming ActiveX 3.0.

You can use the loadPolicyFile() method to access a nondefault policy file.
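
The following added example (not part of the ESRI or Adobe text) parses the two policy files shown on this page, checks whether a given calling domain is listed, and flags the settings that open a server's data to every origin. The function names and the matching rule are assumptions made for illustration: "*" matches any host, "*.suffix" matches subdomains of the suffix, and any other entry must match exactly; Flash Player's own matching is not reproduced in full.

```python
import xml.etree.ElementTree as ET

# The two policies shown on this page (XML prolog omitted for brevity).
WILDCARD_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.friendoffoo.com"/>
  <allow-access-from domain="*.foo.com"/>
  <allow-access-from domain="105.216.0.40"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    root = ET.fromstring(policy_xml.strip())
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def host_matches(pattern, host):
    """Simplified matching (assumption): '*' is any host, '*.suffix' is a
    subdomain of suffix, anything else must match exactly."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Keep the leading dot so '*.foo.com' does not match 'notfoo.com'.
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(policy_xml, host):
    """True if a SWF served from `host` matches any listed pattern."""
    return any(host_matches(p, host) for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """List settings that open the server's data to every origin."""
    root = ET.fromstring(policy_xml.strip())
    findings = []
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits policy files anywhere on the host")
    if "*" in allowed_domains(policy_xml):
        findings.append('allow-access-from domain="*" grants access to every origin')
    return findings
```

Run against the first policy on this page, audit() reports both the site-control setting and the wildcard domain; the foo.com policy produces no findings and rejects hosts that are not listed.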
