Flash Security Policy guidelines

Document last update Feb 19th, 2008

» Introduction:

The Flash Player comes with an integrated mechanism (the "Security Sandbox") that protects the user from possible malicious code inside the SWF file. The sandbox restricts the access only to those resources available in the same domain where the SWF file was loaded from.
While this is a great protection system to avoid unwanted file/network accesses, it can also be a show-stopper for applications that need to obtain different resources from different locations (local media, remote media, remote socket connections, remote web pages).

The Flash Player provides configurable policy-files that can be served in multiple ways to enable the access to external resources. In this document we provide a number of recommended procedures to enable SmartFoxServer client applications successfully work with these security restrictions.

NOTE: The following guidelines apply to all SWF files running in a web page or in the standalone Flash Player.
When running in the Flash IDE or in a projector the sandbox restrictions do not apply.

» How the security model works:

There are a lot of articles and documents directly from Adobe that discuss this topic in detail.
Instead of repeating the same things in this page we recommend checking the original resources in the list below.
If you're completely new to this topic we suggest reading at least the first three articles to get started:

• Adobe's Flash Player Security Basics
  ( A brief introduction to the Flash Player Security )
• SmartFoxServer documentation about Flash Player security
  ( Several advices for loading the cross-domain policy file )
• Adobe Security and Privacy f.a.q
  ( A brief f.a.q about managing privacy in the Flash Player )
• Adobe Flash Player Settings Manager
  ( The main page from where you can tweak the Flash Player settings )
• Senocular's Flash Player Security Basics
  ( Another interesting article on security settings and cross-domain issues )
• Security Changes in Flash Player 9
  ( A long document introducing all the security changes in Flash Player 9 update 3 )

» SmartFoxServer connection guidelines:

• Enable the cross-domain policy delivery via socket:
  In the config.xml file you can enable the server to send a custom cross-domain policy file to each client.
  Make sure that this line is present in your configuration file:
  

  <AutoSendPolicyFile>true</AutoSendPolicyFile> 
  

  More details about the policy configuration are found at chapter 2.1 of the documentation.


• Include your own domain in the policy file:
  If you are allowing a specific external domain in the cross-domain policy, include also your own domain.
  Example:
  
  • Game server » mycoolgames.net
  • Socket server » socketserver.net
  
  In this case the policy should look like this:

  <cross-domain-policy>
  	<allow-access-from domain='*.mycoolgames.net' to-ports='9339' />
  	<allow-access-from domain='*.socketserver.net' to-ports='9339' />
  </cross-domain-policy>
  



• Always load the socket policy file from the client side:
  this should always be done before establishing a socket connection.
  Example:
  
  ActionScript 2.0:
  

  	System.security.loadPolicyFile("xmlsocket://socketserver.net:9339")
  

  ActionScript 3.0:
  

  	Security.loadPolicyFile("xmlsocket://socketserver.net:9339")
  



• Always use the same exact domain:
  domain names and IP addresses are not interchangeable for the Flash Player sandbox.
  Example:
  
  If your game SWF is located at www.mycoolgames.net/game.swf and the server IP address is 10.20.30.40 you should connect the socket server by pointing at mycoolgames.net, not 10.20.30.40.
  This is because the domain name and it's IP address are not the same thing under the Flash Player security sandbox. If you need to use the IP address you will need to allow it explicitly in the policy file.


• Local vs Network Access:
  When publishing a SWF file you can choose between two different sandboxes: local-with-filesystem or local-with-networking. The setting is found under the Publish Settings window in Flash and it allows you to either access local files but not the network, or access the network but not the local files.
  For more details on these settings you can read this article.


• Master Socket Policy:
  From version 9,0,115,0 Adobe has introduced new restrictions in the socket policy loading: if you want to serve a master-socket-policy-file via a socket server you can only do it on TCP port 843.
  Solution: SmartFoxServer can serve policy files individually to each client on the current server port, so you can avoid this problem.
  If for any specific reason you need to serve a master-socket-policy-file to your clients we provide a simple Policy Server that can be run on your system for this specific task.
  
  » Learn more about master socket policy files
  » Download the Policy Server


• SmartFoxServer embedded web-server and BlueBox:
  Serving files from the SFS embedded web-server is not different from doing it on any other web-server. By default we provide a crossdomain.xml file in the root/ folder that you can edit according to your needs. All connections done through the BlueBox will also depend on the settings found in this file.