Security.loadPolicyFile() Ignored … Not at all! (update)

I was about to publish an article about a bug in Flash Player: the loadPolicyFile() method fails when loading cross-domain policy files from a custom location (not the domain root). But I soon realized that it is not a bug, but a feature :-).

It seems that Flash Player (WIN 10,1,50,426, debug) ignores cross-domain files loaded from a custom location. The documentation defines Security.loadPolicyFile() as a method to download a “cross-domain policy file from a location specified by the url parameter”, but on its own it does not work at all. Even though the custom crossdomain.xml is requested (verified with proxy software), the Flash application ignores it and tries to load crossdomain.xml from the domain root. And if there is none on the domain root (why would there be, when you need to load a custom one), all your loads result in a security error.

After some investigation I found out that a domain-root crossdomain file is required, one that permits policy files located outside the domain root via the site-control element. Long story short, cross-domain security is an alchemy and one should read the whole specification. Long story even shorter, if you have no access to the domain root (and there is no crossdomain file there with allow-access-from or site-control), you are doomed (the Flash application will not let you handle file contents from that location) … please read the update part (not doomed at all)! Let's have a quick look at a scenario with site-control on the domain root and allow-access-from on the custom location:

domain root (e.g. yoz.sk):

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />
</cross-domain-policy>

custom location (e.g. yoz.sk/somepath):

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
	<allow-access-from domain="*" />
</cross-domain-policy> 

Here is a proof-of-concept application that throws a security error because of the missing cross-domain file on the domain root:

package
{
    import flash.display.Sprite;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.system.Security;
    
    public class WonderflApp extends Sprite
    {
        private var path:String = "http://bordel.yoz.sk/loadpolicyfile/";
        
        public function WonderflApp():void
        {
            // Request the policy file from the custom location (not the domain root).
            Security.loadPolicyFile(path + "crossdomain.xml");
            
            // Fails with a security error when the domain root has no crossdomain.xml.
            var loader:URLLoader = new URLLoader();
            loader.load(new URLRequest(path + "text.txt"));
        }
    }
}


Update (Sep 17, 2010): The whole thing is even more complicated. In fact, you are able to bypass Flash Player security just by sending the correct header with your custom-location crossdomain file. I mean:

.htaccess

RewriteEngine On
RewriteRule crossdomain.xml crossdomain.php [L]

crossdomain.xml on the custom location (no domain-root crossdomain file):

<?php
header("Content-Type: text/x-cross-domain-policy");
echo '<?xml version="1.0"?>';
?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
	<allow-access-from domain="*" />
	<site-control permitted-cross-domain-policies="by-content-type" />
</cross-domain-policy>

With this header sent, the Flash application no longer raises the security error, even without a domain-root crossdomain file. More about it here. Credit goes to mash (@maaash), thank you.
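As an added example (not code from the original post), a small Python checker that models the two rules discussed above: whether a crossdomain.xml outside the domain root is honored given the master file's site-control value, and, per the update, the Content-Type it is served with when no master file exists. It also flags the permissive settings an auditor would question (domain="*", permitted-cross-domain-policies="all"). The policy texts are constructed samples modelled on the ones on this page, and the no-master rule encodes this page's observation rather than a quotation from the specification.

```python
import xml.etree.ElementTree as ET

POLICY_CT = "text/x-cross-domain-policy"

# Constructed samples modelled on the two policy files shown above.
MASTER_ALL = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />
</cross-domain-policy>"""
CUSTOM = """<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>"""

def parse_policy(xml_text):
    """Return (meta_policy, allowed_domains) from a crossdomain.xml document."""
    root = ET.fromstring(xml_text.strip())
    sc = root.find("site-control")
    meta = sc.get("permitted-cross-domain-policies") if sc is not None else None
    domains = [el.get("domain", "") for el in root.findall("allow-access-from")]
    return meta, domains

def custom_policy_honored(master_xml, served_content_type):
    """Would Flash Player accept a policy file outside the domain root?
    master_xml is the root crossdomain.xml (None if absent); served_content_type
    is the Content-Type header the custom file is served with."""
    if master_xml is None:
        # Observed on this page: with no master file, the custom policy is
        # still accepted when it is served as text/x-cross-domain-policy.
        return served_content_type == POLICY_CT
    meta, _ = parse_policy(master_xml)
    meta = meta or "master-only"  # no site-control element => master-only
    if meta == "all":
        return True
    if meta == "by-content-type":
        return served_content_type == POLICY_CT
    return False  # "none", "master-only", or "by-ftp-filename" (FTP only)

def audit_findings(xml_text):
    """Flag the settings an auditor would want to see justified."""
    meta, domains = parse_policy(xml_text)
    findings = []
    if "*" in domains:
        findings.append('allow-access-from domain="*" grants every origin read access')
    if meta == "all":
        findings.append('site-control "all" lets any file on the host act as a policy')
    return findings
```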
