Flash Player 10 Requires Special Type of Policy File for Socket Connection

During the development of Flash Player 9 and 10, Adobe has made significant changes to their cross domain security. I've been doing some research on the changes Adobe has made over the last couple of days. This article describes the first major issue I've encountered with the new policy file requirements.

Policy files are used to allow SWFs on one domain (www.siteA.com), to access resources on another domain (www.siteB.com). They are the primary element of the permissions mechanism that the Flash Player uses to determine if a SWF file should have access to resources on a domain outside of the domain where the SWF is hosted. A policy file is a simple XML file that is typically placed at the root of a site (www.siteB.com/crossdomain.xml).

When Adobe made these changes to the Flash Player, modifications to this XML file were required in order for everything to work properly. This article describes the changes that they have made in more detail: Working with policy file changes in Flash Player 9 and Flash Player 10 beta.

For the most part, the changes that needed to be made were minor, but there are some changes that require a significant amount of restructuring. Specifically, socket connections now require a different approach.

Prior to Flash Player 9, the cross domain policy file could be sent over standard HTTP and it would allow access to a socket server on that domain. Adobe has now changed it so that the policy file MUST be sent by the same type of connection that it is requesting access for. It is somewhat confusing, but basically, a policy file for a socket connection must be sent BY a socket connection (and a policy file that grants access to an HTTP connection, must be sent BY an HTTP connection).

It took me a while to sift through all the various info on the web to come to this conclusion, so let me rephrase this and say it again. The player now REQUIRES socket connections to be authorized through a socket policy file. Policy files served over HTTP may no longer be used to authorize socket connections to that server.

Adobe has some recommendations on how to set this up. They suggest that network admins open up port 843 and set it up for the sole purpose of serving socket policy files. Tangent rant: Wow. That's going to annoy a few admins...who probably already hate Flash. Although, I generally agree with Adobe's approach, I think they'll have a hard time making that happen on a large scale. Most of the larger companies that I've worked with are hesitant to randomly open ports because a Flash developer said it needs to happen. They also provide examples of how to set up a socket policy file server.

Anyway, I'll likely be setting this up over the next few days, so I'll post updates if I learn anything new and useful.