
How to Create a crossdomain.xml file July 30, 2010

Posted by Tournas Dimitrios in Actionscript.

This brief tutorial will teach you how to create a crossdomain.xml file so that you can access files and information from outside domains and load files and data within your Flash / Flex apps. It is as simple as 4 easy steps.

  1. Create an XML file named crossdomain.xml. (XML can be created with Dreamweaver or simply MS Notepad. Just make sure that you give it the ‘.xml’ extension.)
  2. Copy and paste one of the code examples below into the XML file.
  3. Save the file.
  4. FTP / upload the file to the root directory of your website. (You should be able to see the file in a browser by typing the URL www.yourwebsite.com/crossdomain.xml.)

XML Code 1:

This is a typical crossdomain.xml file. Notice that I included my domain as well as my domain without the ‘www’ in front.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.somedomain.com" />
<allow-access-from domain="somedomain.com" />
</cross-domain-policy>

XML Code 2:

The following code will allow all domains. This effectively eliminates any security that Flash would have otherwise had. I suggest that you don’t use this example unless you enjoy security holes.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

XML Code 3:

The block of code below will explicitly disallow any and all access from any outside domain. As well, any domain that is not spelled exactly how the host domain is spelled will be blocked. This is the tightest cross domain security that you can employ.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
</cross-domain-policy>

XML Code 4:

The code below illustrates different uses of the ‘*’ wildcard symbol. This is the crossdomain.xml file from Amazon.com. The wildcard allows for any variation before ‘.amazon.com’. Amazon does this because of the public services and APIs that it allows others to connect to.

<cross-domain-policy>
<allow-access-from domain="*.amazon.com"/>
<allow-access-from domain="amazon.com"/>
<allow-access-from domain="www.amazon.com"/>
<allow-access-from domain="pre-prod.amazon.com"/>
<allow-access-from domain="devo.amazon.com"/>
<allow-access-from domain="images.amazon.com"/>
<allow-access-from domain="anon.amazon.speedera.net"/>
<allow-access-from domain="*.amazon.ca"/>
<allow-access-from domain="*.amazon.de"/>
<allow-access-from domain="*.amazon.fr"/>
<allow-access-from domain="*.amazon.jp"/>
<allow-access-from domain="*.amazon.co.jp"/>
<allow-access-from domain="*.amazon.uk"/>
<allow-access-from domain="*.amazon.co.uk"/>
</cross-domain-policy>
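
To review what a policy like the ones above actually grants before uploading it, the following Python sketch (an added example, not part of the original post) parses a crossdomain.xml, lists its allow-access-from entries, and checks a requesting host against them. The sample policies are constructed from XML Code 1 to 3, and the rule in pattern_matches is a simplified matching model assumed for illustration, not Flash Player's own implementation.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies mirroring XML Code 1-3 on this page.
POLICY_LISTED = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.somedomain.com" />
  <allow-access-from domain="somedomain.com" />
</cross-domain-policy>"""
POLICY_OPEN = '<cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>'
POLICY_EMPTY = "<cross-domain-policy></cross-domain-policy>"
POLICY_SUFFIX = '<cross-domain-policy><allow-access-from domain="*.somedomain.com" /></cross-domain-policy>'


def allowed_patterns(policy_xml):
    """Return the domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not cross-domain-policy")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Simplified model (assumption): '*' matches every host,
    '*.suffix' matches any subdomain of suffix, anything else is exact."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot
    return pattern == host


def is_granted(policy_xml, host):
    """True if any entry in the policy covers the requesting host."""
    return any(pattern_matches(p, host) for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """Label each entry so wide-open policies stand out in review."""
    def label(p):
        if p == "*":
            return "open-to-all"
        return "wildcard" if "*" in p else "exact"
    return [(p, label(p)) for p in allowed_patterns(policy_xml)]
```

Under this model a ‘*.somedomain.com’ entry does not cover the bare ‘somedomain.com’, which is consistent with the Amazon file listing both forms.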

Creating a cross domain policy file is just that easy.

And Happy Flashing

I highly suggest that you read one or all of the following articles on cross domain policy files and the Flash Player security sandbox,


1. Security error accessing Flash content from other domain « Tournas Dimitrios - July 30, 2010

[…] Add a cross domain policy file on the domain you are calling. Your swf can access resources on other domains if the other domain grants you permission. They do this through a cross-domain file. This is a simple xml file on the other domain (yes, they have to set it up) that says what domains can access what content. Some sites already have cross-domain policy files set up. Here is an example. More info here >>>- […]
