View Full Version : Is it just me or does Flash seem to bypass CrossDomain.xml? - UNRESOLVED

03-16-2008, 12:09 PM
OK well something weird is a foot, I just re-installed Windows and I'm trying to test a crossdomain.xml which sets what sites/domains/ip can access flvs or flash files. For some reason, I seem to be able to bypass crossdomain.xml and access flvs on another server regardless of whether the crossdomain.xml allows it or not. I've tried it in Firefox, IE and Opera - all seem to bypass it.

Is it just me or does Flash v9.0 (I have CS 3 installed) bypass crossdomain restrictions? Also can anyone give me a test site so that I can see if it's a problem on my end, or just a coincidence?

Hopefully you understand what I'm saying..I'm going out of mind trying to understand this.
Here's an example:

Using youtube as an example which has a set restrictive crossdomain.xml that includes only sites hosted on youtube to access flvs directly.

03-17-2008, 02:36 AM

03-17-2008, 01:38 PM
Sorry I haven't used flash across different domains yet. Have you tried using the similar System.security.allowDomain() and see if that allows you to bypass it too?

Ignore what I said. I just realized that you said its allowing all domains correct? What version of flash player or you publshing for? I think it has to be 6 and higher.

03-17-2008, 01:40 PM
The Youtube video never loaded on my end.

03-17-2008, 07:29 PM
sorry the video on youtube apparently doesn't work anymore, so the reason you didn't see wasn't because of the crossdomain but because the flv path was wrong.

I've since a video elsewhere, and fixed the example - I put a crossdomain.xml to only allow *.google.com to access the file.

Please try it now..and to everyone: please confirm if you can see the video or not.

03-18-2008, 05:57 AM
Yes the video loads. But something (concept wise) isn't right. I mean I thought, that you can load movies BUT those movies wouldn't be able to access your variables or actionscript. I was under the impression that the crossdomain.xml was to allow the developer to load variables or an XML file or something across different domains.

03-18-2008, 06:35 AM
according to Adobe crossdomain.xml is used for security restrictions, so to prevent sites from accessing actionscript,flvs, and yes variables probably as well..but it's clearly not working. On the remote server I set it only for *.google.com.

BTW what browser are you using? Firefox seems to ignore crossdomain.xml but IE usually adheres to it - but recently my IE is allowing everything - so I was just wondering if anyone can try it out in IE or any other non-Firefox browser.

03-19-2008, 01:15 PM
Yes, I'm sorry to have not informed you earlier. But I tried it using IE 6.0 as well as Firefox 2.0.12 I believe.

I know your crossdomain.xml has a wildcard on subdomains and I'm just randomly guessing but do you suppose since youtube is under the google's umbrella that its allowing youtube?

Actually, nevermind as they are two totally different domains. I just checked and noticed there is no http://youtube.google.com

03-20-2008, 08:52 AM
it's so weird, I can't figure out why this works? Crossdomain.xml is supposed to stop this, and I could swear it had in the past.