«
»

When a Cross-Domain Policy File is not Enough

This post is a reminder to myself (and a source of help to anyone who may need it). For a long time I thought a cross-domain policy file in a web server’s root directory solves all cross-domain security issues automagically – until I stumbled over the fact that I wasn’t able to manipulate the bitmap data of an image that was loaded from outside my SWF file’s domain.

Let’s say you want to load a PNG file from “my.domain.com” into a SWF file on “your.domain.com”. Let’s also assume you have provided a “crossdomain.xml” file on “my.domain.com” that grants access to “your.domain.com”. As long as you only add an instance of the flash.display.Loader class to the display list everything is fine. But what if you, for example, want to access the bitmap data inside the loader object? In my case, I just wanted to set the smoothing property of the Bitmap object to true before resizing the image. So I tried this:

  1. package
  2. {
  3.    import flash.display.*;
  4.    import flash.events.*;
  5.    import flash.net.URLRequest;
  6.  
  7.    public class Main extends Sprite
  8.    {
  9.       public function Main():void
  10.       {
  11.          var loader:Loader = new Loader();
  12.          loader.contentLoaderInfo.addEventListener( Event.COMPLETE, onComplete );
  13.          loader.load( new URLRequest( "http://my.domain.com/image.png" ) );
  14.       }
  15.  
  16.       private function onComplete( event:Event ):void
  17.       {
  18.          var bitmap:Bitmap = event.target.loader.content as Bitmap;
  19.          bitmap.smoothing = true;
  20.          bitmap.width = bitmap.width / 2;
  21.          bitmap.height = bitmap.height / 2;
  22.          addChild( bitmap );
  23.       }
  24.    }
  25. }

This works fine inside the Flash CS3 IDE (or whatever IDE you use). I deployed the SWF file to a web server – and it failed. Why? Probably because I have missed to read this article, this blog post, and this blog post. And yes, I admittedly have never paid attention to the existence of the flash.system.LoaderContext class. But this class is all what we need here (forget all the PHP proxy hacks, folks!).

Create a LoaderContext object with checkPolicyFile set to true and add it to the flash.display.Loader’s load() method!

  1. package
  2. {
  3.    import flash.display.*;
  4.    import flash.events.*;
  5.    import flash.net.URLRequest;
  6.    import flash.system.LoaderContext;
  7.  
  8.    public class Main extends Sprite
  9.    {
  10.       public function Main():void
  11.       {
  12.          var loaderContext:LoaderContext = new LoaderContext();
  13.          loaderContext.checkPolicyFile = true;
  14.  
  15.          var loader:Loader = new Loader();
  16.          loader.contentLoaderInfo.addEventListener( Event.COMPLETE, onComplete );
  17.          loader.load( new URLRequest( "http://my.domain.com/image.png" ), loaderContext );
  18.       }
  19.  
  20.       private function onComplete( event:Event ):void
  21.       {
  22.          var bitmap:Bitmap = event.target.loader.content as Bitmap;
  23.          bitmap.smoothing = true;
  24.          bitmap.width = bitmap.width / 2;
  25.          bitmap.height = bitmap.height / 2;
  26.          addChild( bitmap );
  27.       }
  28.    }
  29. }

It’s easy when you know it.

Tags: , ,

This entry was posted on Friday, August 15th, 2008 at 3:03 pm and is filed under ActionScript, Flash. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

10 Responses to “When a Cross-Domain Policy File is not Enough”

  1. 101DoFollowBlogs says:
    September 11, 2008 at 6:02 pm

    I’ve heard some good things about this blog. Remember to balance the pics with the text tho. cheers!

  2. matt richkid says:
    September 13, 2008 at 9:15 pm

    Love your site it is very informative am going to research the other posts to see what else I can learn, cheers! and keep up the great work!

  3. James says:
    September 19, 2008 at 4:31 am

    Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I dont know how your blog came up, must have been a typo, i duno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.

  4. Eugene says:
    October 20, 2008 at 6:27 pm

    Nice article. Thanks. :) Eugene

  5. Cesar B. aka the Mover says:
    November 11, 2008 at 12:32 am

    I’ve heard some goody things about this blog. Remember to balance the pics with the text tho :) but over all very nice post, keep up the good work

  6. jkaris says:
    January 6, 2009 at 5:11 am

    Fantastic!

    This is exactly what I was looking for and it fixed the issue I was having – will have to put it on my blog and reference you!

    jkaris

  7. billy says:
    April 8, 2009 at 5:47 pm

    Thanks, you just saved my ass

  8. Random T. says:
    April 24, 2009 at 1:05 pm

    This is quite a hot information. I’ll share it on Delicious.

  9. sebastienk says:
    May 25, 2009 at 5:08 pm

    the bad things is when you don’t have control on the server where you get your picture and it hasn’t crossdomain… in this case LoaderContext can’t do anythings …

  10. lporiginalg says:
    November 20, 2009 at 6:51 am

    Hi thanks for the useful information. Do you have any info on this issue in regards to loading remote swf files rather than images? I’m trying to load remote swf files, and find out what the original stage dimensions were using ‘loader.content.loaderInfo.width;’ the crossdomain policy file is in place and I’ve specified to load it with your context code but it still doesn’t work. It works fine with swf files on the same domain tho. I’ve been struggling with this for 3 days now which is what brought me to your post, any info would be helpful. Thanks.

Leave a Reply