Crossdomain File Loading

This guide describes the cross-domain file loading (security) restrictions associated with the Adobe Flash plugin and JavaScript in HTML5 browsers/devices.

Crossdomain in Flash

The Adobe Flash Player contains a crossdomain security mechanism, similar to JavaScript’s Cross-Site Scripting restrictions. It affects publishers using JW Player on Flash-capable browsers and devices: by default the player is not allowed to load the following files from another domain:

  • RSS feeds
  • XML skins
  • VTT, SRT & DFXP files
  • M3U8 manifests & TS fragments
  • SMIL manifests

Crossdomain XML

Crossdomain security restrictions can be lifted by hosting a crossdomain.xml file on the server that hosts the files. This crossdomain file must be placed in the root of your (sub)domain, for example:

http://www.myserver.com/crossdomain.xml
http://videos.myserver.com/crossdomain.xml

Before the Flash Player attempts to load XML files, SWF files or raw data from any domain other than the one hosting your player, it checks the remote site for the existence of such a crossdomain.xml file. If Flash finds it, and the configuration permits external access to the site’s data, the data is loaded. If not, the load is refused.

Allow All Example

Here’s an example of a crossdomain.xml that allows access to the domain’s data from SWF files on any site:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

Note that this example sets your server wide open. Any SWF file can load any data from your site, which might lead to security issues.

Restrict Access Example

Here is another example crossdomain.xml, this time permitting access only from SWF files hosted on a limited number of domains:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.domain1.com"/>
   <allow-access-from domain="www.domain2.com"/>
</cross-domain-policy>

Note the use of the wildcard symbol: any subdomain from domain1 can load data, whereas domain2 is restricted to only the www subdomain.

Crossdomain policy files can restrict access even more finely, for example to certain ports or HTTP headers. For a detailed overview, see Adobe’s Crossdomain documentation.
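To make the matching rules above concrete, here is an added example (not JW Player or Adobe code) that parses a crossdomain.xml, decides whether a SWF served from a given host would be granted access, and flags the wide-open `domain="*"` case. The two policies are constructed copies of the examples in this guide; the wildcard handling follows Adobe’s documented semantics, where `*.example.com` matches `example.com` and all of its subdomains.

```python
"""Evaluate an Adobe-style crossdomain.xml policy against a requesting host.

Added example, not JW Player or Adobe code. It covers <allow-access-from>
with the `domain` attribute and the `*` / `*.example.com` wildcard forms
shown in this guide.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies, mirroring the two examples in the guide.
OPEN_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.domain1.com"/>
   <allow-access-from domain="www.domain2.com"/>
</cross-domain-policy>"""


def parse_allowed_domains(policy_xml: str) -> list:
    """Return the `domain` patterns of every <allow-access-from> element."""
    root = ET.fromstring(policy_xml)   # ElementTree does not fetch the external DTD
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.findall("allow-access-from")]


def domain_matches(pattern: str, host: str) -> bool:
    """Match one policy pattern against the host serving the requesting SWF.

    `*` matches every host; `*.example.com` matches example.com and any of its
    subdomains (Adobe's wildcard semantics); anything else must match exactly.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # ".example.com"
        return host == suffix[1:] or host.endswith(suffix)
    return host == pattern


def is_access_allowed(policy_xml: str, requesting_host: str) -> bool:
    """True if a SWF served from `requesting_host` may read this server's data."""
    return any(domain_matches(p, requesting_host)
               for p in parse_allowed_domains(policy_xml))


def audit_policy(policy_xml: str) -> list:
    """Findings a reviewer would want to see before deploying the policy."""
    findings = []
    for p in parse_allowed_domains(policy_xml):
        if p == "*":
            findings.append("domain='*': any SWF on any site can read this domain's data")
        elif p.startswith("*.") and p.count(".") == 1:    # e.g. "*.com"
            findings.append(f"{p!r}: wildcard covers an entire top-level domain")
    return findings


if __name__ == "__main__":
    for host in ("cdn.domain1.com", "www.domain2.com", "api.domain2.com",
                 "domain1.com.attacker.example"):
        print(host, "->", is_access_allowed(RESTRICTED_POLICY, host))
    print(audit_policy(OPEN_POLICY))
```

Note that a host such as `domain1.com.attacker.example` is rejected: the wildcard is matched as a dot-delimited suffix, not as a substring, which is the distinction that makes `*.domain1.com` safe to use.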

Crossdomain in JavaScript

In JavaScript, a Cross-Site Scripting mechanism similar to that in Flash exists. It affects publishers using JW Player on HTML5-capable browsers and devices: by default the player is not allowed to load the following files from another domain:

  • RSS feeds
  • XML skins
  • VTT, SRT & DFXP files

These file loads fail if crossdomain access has not been granted. Most browsers display an error in their debug console when that happens.

Cross-Origin Resource Sharing

Crossdomain access can be enabled in JavaScript with a mechanism similar to that in Flash. Instead of hosting a crossdomain.xml file, crossdomain access is enabled per file, through an additional HTTP response header (the CORS header). Here's what the header looks like:

Access-Control-Allow-Origin: *

Note that this example sets your file wide open. Any script from any site can load the file and do whatever it wants.

Restrict Access Example

Here is another example CORS header, this time permitting the file to be loaded by JavaScript from only a limited number of domains:

Access-Control-Allow-Origin: *.domain1.com www.domain2.com

Note the use of the wildcard symbol: any subdomain from domain1 can load data, whereas domain2 is restricted to only the www subdomain.

Options to limit protocols and ports can be added. See the enabled-cors.org site for more info. The site lists how to enable CORS headers for various popular web servers, frameworks and server-side languages.
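Browsers act on a single value in Access-Control-Allow-Origin (one origin, or `*`), so a per-domain allowlist like the one above is in practice computed on the server for each request: the incoming Origin header is compared against the list and only the matching origin is echoed back. The following is an added example (not JW Player code, and not tied to any particular web server) of that decision for a media file such as a VTT caption track; the allowlist and request headers are constructed for the demo.

```python
"""Server-side CORS allowlist for static media files (captions, skins, RSS).

Added example, not JW Player code. The response carries exactly one origin in
Access-Control-Allow-Origin, chosen per request from an allowlist, plus
`Vary: Origin` so a shared cache never hands one site's response to another.
"""
from urllib.parse import urlsplit

# Constructed allowlist in the same spirit as the guide's example.
ALLOWED_ORIGINS = ["*.domain1.com", "www.domain2.com"]


def origin_allowed(origin: str, allowlist: list) -> bool:
    """True if a browser Origin (e.g. "https://cdn.domain1.com") is on the list.

    Only http/https origins are considered; "null" and malformed values fail.
    A `*.example.com` entry matches example.com and its subdomains, as a
    dot-delimited suffix rather than a substring.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def cors_headers(request_headers: dict, allowlist=ALLOWED_ORIGINS) -> dict:
    """Headers to add to the response for a GET of a media file.

    Returns an empty dict for requests without an Origin header (same-origin
    or non-browser clients), and omits Access-Control-Allow-Origin for
    origins that are not allowed, which makes the browser block the read.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    if not origin_allowed(origin, allowlist):
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,   # echo the one matching origin
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed requests: two allowed origins, one sibling subdomain, one lookalike.
    for origin in ("https://cdn.domain1.com", "http://www.domain2.com",
                   "https://api.domain2.com", "https://domain1.com.attacker.example"):
        print(origin, "->", cors_headers({"Origin": origin}))
```

Compared with `Access-Control-Allow-Origin: *`, which lets any page read the file, this form grants each response to exactly one origin, and `Vary: Origin` is what keeps a cache from replaying that grant to a different site.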
