Community

crossdomain.xml in a different directory

2754
1
05-12-2010 10:57 AM
ScottNoldy
by
New Contributor III
‎05-12-2010 10:57 AM
I'm the server admin, not the developer.  I've had a developer request I put the crossdomain.xml file on my ArcGIS server according to ESRI's instructions so he can access our services via FLEX.
For security reasons, I will not put this in the root of the web server.
Adobe's documentation says it can be placed in individual virtual directories (IIS). 
Am I correct in assuming ESRI's implementation of this requires it to be in the root of the server?

If so, why?  What possible reason could there be for exposing an entire site?
Tags (2)
0 Kudos
1 Reply
DasaPaddock
by Esri Regular Contributor
Esri Regular Contributor
‎05-12-2010 01:44 PM
It is not required to be in the root of the web server. That's just where it looks for it by default. When the app initializes, the developer can make a call to Security.loadPolicyFile().

See:
http://livedocs.adobe.com/flex/3/langref/flash/system/Security.html#loadPolicyFile()

You'll still need to have a small crossdomain.xml file in the root of the web server that says it's OK to use policy files from other places on your server. This is called the master policy file. It would look like this:

<?xml version="1.0"?> 
<!DOCTYPE cross-domain-policy SYSTEM 
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> 
<cross-domain-policy> 
   <site-control permitted-cross-domain-policies="all"/> 
</cross-domain-policy>


You can get more info on this at (page 7 and 11 of the pdf):
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
0 Kudos