blog.log2e.com » Security http://blog.log2e.com Tutorials and Code Snippets Mon, 01 Jun 2009 13:05:31 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 When a Cross-Domain Policy File is not Enough http://blog.log2e.com/2008/08/15/when-a-cross-domain-policy-file-is-not-enough/ http://blog.log2e.com/2008/08/15/when-a-cross-domain-policy-file-is-not-enough/#comments Fri, 15 Aug 2008 13:03:25 +0000 Stefan Schmalhaus http://blog.log2e.com/?p=87 This post is a reminder to myself (and a source of help to anyone who may need it). For a long time I thought a cross-domain policy file in a web server’s root directory solves all cross-domain security issues automagically – until I stumbled over the fact that I wasn’t able to manipulate the bitmap data of an image that was loaded from outside my SWF file’s domain.

Let’s say you want to load a PNG file from “my.domain.com” into a SWF file on “your.domain.com”. Let’s also assume you have provided a “crossdomain.xml” file on “my.domain.com” that grants access to “your.domain.com”. As long as you only add an instance of the flash.display.Loader class to the display list everything is fine. But what if you, for example, want to access the bitmap data inside the loader object? In my case, I just wanted to set the smoothing property of the Bitmap object to true before resizing the image. So I tried this:

  1. package
  2. {
  3.    import flash.display.*;
  4.    import flash.events.*;
  5.    import flash.net.URLRequest;
  6.  
  7.    public class Main extends Sprite
  8.    {
  9.       public function Main():void
  10.       {
  11.          var loader:Loader = new Loader();
  12.          loader.contentLoaderInfo.addEventListener( Event.COMPLETE, onComplete );
  13.          loader.load( new URLRequest( "http://my.domain.com/image.png" ) );
  14.       }
  15.  
  16.       private function onComplete( event:Event ):void
  17.       {
  18.          var bitmap:Bitmap = event.target.loader.content as Bitmap;
  19.          bitmap.smoothing = true;
  20.          bitmap.width = bitmap.width / 2;
  21.          bitmap.height = bitmap.height / 2;
  22.          addChild( bitmap );
  23.       }
  24.    }
  25. }

This works fine inside the Flash CS3 IDE (or whatever IDE you use). I deployed the SWF file to a web server – and it failed. Why? Probably because I have missed to read this article, this blog post, and this blog post. And yes, I admittedly have never paid attention to the existence of the flash.system.LoaderContext class. But this class is all what we need here (forget all the PHP proxy hacks, folks!).

Create a LoaderContext object with checkPolicyFile set to true and add it to the flash.display.Loader‘s load() method!

  1. package
  2. {
  3.    import flash.display.*;
  4.    import flash.events.*;
  5.    import flash.net.URLRequest;
  6.    import flash.system.LoaderContext;
  7.  
  8.    public class Main extends Sprite
  9.    {
  10.       public function Main():void
  11.       {
  12.          var loaderContext:LoaderContext = new LoaderContext();
  13.          loaderContext.checkPolicyFile = true;
  14.  
  15.          var loader:Loader = new Loader();
  16.          loader.contentLoaderInfo.addEventListener( Event.COMPLETE, onComplete );
  17.          loader.load( new URLRequest( "http://my.domain.com/image.png" ), loaderContext );
  18.       }
  19.  
  20.       private function onComplete( event:Event ):void
  21.       {
  22.          var bitmap:Bitmap = event.target.loader.content as Bitmap;
  23.          bitmap.smoothing = true;
  24.          bitmap.width = bitmap.width / 2;
  25.          bitmap.height = bitmap.height / 2;
  26.          addChild( bitmap );
  27.       }
  28.    }
  29. }

It’s easy when you know it.

]]> http://blog.log2e.com/2008/08/15/when-a-cross-domain-policy-file-is-not-enough/feed/ 10