
Flex cross-domain issues


From ESRI:

 

 The client browser will then download the SWF file. After this point, the user might not connect back to this Web server at all but rather directly to the servers containing map content and tasks. Note that if your web application is not hosted on the same server as the ArcGIS Server, you will have to have a crossdomain.xml on the ArcGIS Server.

About crossdomain.xml

To access data from a different server than the one hosting your Flex application, the remote server needs to have a cross-domain file in the root directory. For security reasons, the Web browser cannot access data that resides outside the exact Web domain where the SWF file originated. However, Adobe Flash Player can load data across domains if permission is granted from the server. This is accomplished by including a small crossdomain.xml file on the remote server that permits Flash to connect to services on that server. For instance:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*"/>
</cross-domain-policy>

For additional information, read Using cross-domain policy files in the Adobe Flex 3 Help, see the Adobe TechNote "External data not accessible outside a Macromedia Flash movie's domain," or view a sample cross-domain file.

Deploying crossdomain.xml

To deploy the cross-domain file on ArcGIS Server, see the instructions specific to your platform.

  • .NET
    Add crossdomain.xml to your Web server root directory, for example, C:\inetpub\wwwroot.
  • Java
    Add crossdomain.xml to <ArcGIS_Server_Install_Location>\ArcGIS\java\web_output, for example, C:\Program Files\ArcGIS\java\web_output.

 

From Adobe:

 

 http://livedocs.adobe.com/flex/3/html/help.html?content=security2_04.html#139879

Loading assets


Update 4/30/2008:
NOTE: Flash Player 9.0.124 includes updates that affect the use of crossdomain policy files. For more information, see the Policy file changes in Flash Player 9 article in the Adobe Developer Connection.

The most common task that developers perform that requires an understanding of security is loading external assets.

Data compared to content

The Flash Player security model makes a distinction between loading content and accessing or loading data. Content is defined as media: visual media that Flash Player can display, such as audio, video, or a SWF file that includes displayed media. Data is defined as something that you can manipulate only with ActionScript code.

You can load data in one of two ways: by extracting data from loaded media content, or by directly loading data from an external file (such as an XML file) or socket connection. You can extract data from loaded media by using the BitmapData.draw() method, the Sound.id3 property, or the SoundMixer.computeSpectrum() method. You can load data by using classes such as the SWFLoader, URLStream, URLLoader, Socket, and XMLSocket classes.

The Flash Player security model defines different rules for loading content and accessing data. Loading content has fewer restrictions than accessing data. In general, content such as SWF files, bitmaps, MP3 files, and videos can be loaded from anywhere, but if the content is from a domain other than that of the loading SWF file, it will be partitioned in a separate security sandbox.

Loading remote assets

Loading remote or network assets relies on three factors:

  • Type of asset. If the target asset is a content asset, such as an image file, you do not need any specific permissions from the target domain to load its assets into your Flex application. If the target asset is a data asset, such as an XML file, you must have the target domain's permission to access this asset. For more information on the types of assets, see Data compared to content.
  • Target domain. If you are loading data assets from a different domain, the target domain must provide a crossdomain.xml policy file. This file contains a list of URLs and URL patterns that it allows access from. The calling domain must match one of the URLs or URL patterns in that list. For more information about the crossdomain.xml file, see Using cross-domain policy files. If the target asset is a SWF file, you can also provide permissions by calling the loadPolicyFile() method and loading an alternative policy file inside that target SWF file. For more information, see Using cross-domain policy files.
  • Loading SWF file's sandbox. To load an asset from a network address, you must ensure that your SWF file is in either the remote or local-with-networking sandbox. To ensure that a SWF file can load assets over the network, you must set the use-network compiler option to true when you compile the Flex application. This is the default. If the application was loaded from the local file system with use-network set to false, the application is put in the local-with-filesystem sandbox and it cannot load remote SWF files.

Loading assets from a remote location that you do not control can potentially expose your users to risks. For example, the remote website B contains a SWF file that is loaded by your website A. This SWF file normally displays an advertisement. However, if website B is compromised and its SWF file is replaced with one that asks for a username and password, some users might disclose their login information. To prevent data submission, the loader has a property called allowNetworking with a default value of never.

Using cross-domain policy files

To make data available to SWF files in different domains, use a cross-domain policy file. A cross-domain policy file is an XML file that provides a way for the server to indicate that its data and documents are available to SWF files served from other domains. Any SWF file that is served from a domain that the server's policy file specifies is permitted to access data or assets from that server.

When a Flash document attempts to access data from another domain, Flash Player attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible.

The default policy file is named crossdomain.xml and resides at the root directory of the server that is serving the data. The following example policy file permits access to Flash documents that originate from foo.com, friendOfFoo.com, *.foo.com, and 105.216.0.40:

<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
    <allow-access-from domain="www.friendOfFoo.com"/>
    <allow-access-from domain="*.foo.com"/>
    <allow-access-from domain="105.216.0.40"/>
</cross-domain-policy>

You can also configure ports in the crossdomain.xml file. For more information about crossdomain.xml policy files, see Programming ActionScript 3.0.

You can use the loadPolicyFile() method to access a nondefault policy file.
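
Added example (not part of the ESRI or Adobe text quoted above): a simplified Python model of how the allow-access-from entries of a policy file are matched against the domain that served a SWF, run over the two policy files shown on this page, plus an audit that reports wildcard grants. The function names and the subdomain rule used for `*.foo.com` are assumptions of this example, not Flash Player's implementation.

```python
import xml.etree.ElementTree as ET

# The two policy files shown on this page (DOCTYPE line left out).
ESRI_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*"/>
</cross-domain-policy>"""

FOO_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="www.friendOfFoo.com"/>
    <allow-access-from domain="*.foo.com"/>
    <allow-access-from domain="105.216.0.40"/>
</cross-domain-policy>"""

def parse_policy(policy_xml):
    """Return (site-control value or None, list of lower-cased domain patterns)."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    site = root.find("site-control")
    control = site.get("permitted-cross-domain-policies") if site is not None else None
    patterns = [e.get("domain", "").strip().lower() for e in root.iter("allow-access-from")]
    return control, patterns

def domain_permitted(policy_xml, swf_domain):
    """True if the domain that served the SWF matches a policy entry.
    Assumed rule: exact host, "*" for any host, "*.x" for subdomains of x."""
    host = swf_domain.strip().lower()
    for pattern in parse_policy(policy_xml)[1]:
        if pattern in ("*", host):
            return True
        # Compare against ".foo.com" so "evilfoo.com" does not pass for "*.foo.com".
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False

def audit(policy_xml):
    """List entries that grant access to more than one named host."""
    control, patterns = parse_policy(policy_xml)
    findings = []
    if control == "all":
        findings.append("site-control: all policy files on this server are permitted")
    for pattern in patterns:
        if pattern == "*":
            findings.append("allow-access-from '*': SWFs from any domain can read data")
        elif pattern.startswith("*."):
            findings.append("allow-access-from '%s': every subdomain is trusted" % pattern)
    return findings
```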
