Why crossdomain.xml is even more than a good thing

For a long time I couldn’t really understand what crossdomain.xml is for. Today, after finishing one of the Flex projects, I finally figured it out. At least one of the two reasons. About 4 years ago Martijn de Visser described one of them – defending your internal network from attacks. But there is another reason why crossdomain.xml is good.

Let’s say I’m developing some smart module and I let people download and load it from their domains but there are some specific sites that I want to prohibit. I’m going to use this very simple module to demonstrate how this can be achieved.

[sourcecode lang='xml']


 

[/sourcecode]

Suppose that I let http://www.friend1.com and http://www.friend2.com use it, but http://www.pron.com shouldn’t be allowed. By modifying the code a bit, I can use Flash Player sandboxing to do so.

[sourcecode lang='as3']


 
  
 

[/sourcecode]

Next, I have to create the following crossdomain.xml file:

[sourcecode lang='xml']

 
 
 

[/sourcecode]

The extended example, in conjunction with the above policy file, protects this module from being used by http://www.pron.com. When the module is created it simply calls home, the policy file is returned, and the module checks whether the domain from which it is being used is allowed. Because http://www.pron.com is not on the list, a SecurityErrorEvent is fired and the browser’s alert message pops up. Once the user clicks the OK button, he will be redirected to the module’s license. This is just a prototype but it should be quite solid.

I’ve created this code outside the IDE so it may have some bugs.

This approach should be very easy to apply in Silverlight as well.
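The allow/deny decision described above, modelled as an added Python example (not the post's own code). The policy contents, the function names and the simplified wildcard matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed policy for illustration; not the policy file from the post.
POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.friend1.com"/>
  <allow-access-from domain="www.friend2.com"/>
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the lower-cased domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from") if e.get("domain")]


def pattern_matches(pattern, host):
    """Simplified model: exact name, '*' for any host, '*.suffix' for subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def is_host_allowed(policy_xml, embedding_url):
    """Would a module served from embedding_url be allowed to read data from home?"""
    host = (urlparse(embedding_url).hostname or "").lower()
    return bool(host) and any(pattern_matches(p, host)
                              for p in allowed_patterns(policy_xml))


def overly_broad(policy_xml):
    """Wildcard entries, which would defeat a per-site restriction like this one."""
    return [p for p in allowed_patterns(policy_xml) if p.startswith("*")]


if __name__ == "__main__":
    for url in ("http://www.friend1.com/page.html", "http://www.pron.com/"):
        print(url, "allowed" if is_host_allowed(POLICY, url) else "denied")
```

Exact names do not cover other hosts of the same site, so `friend1.com` is denied by this constructed policy unless it is listed separately.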
