
Unity Technote 00005: Introduction to Flash Player Socket Policy Files

A socket policy file is an XML-formatted text file that authorizes or denies socket connections from Flash Player. Policy files are sent to Flash Player upon request by custom socket-server software sometimes referred to as a policy file server. Each socket policy file provides:

For example, if the policy file shown in Example 1 were served from example.com, it would grant any .swf hosted on any subdomain of example.com permission to connect to example.com over ports 9100 and 9101.

Example 1. A typical socket policy file

<cross-domain-policy>
  <allow-access-from domain="*.example.com" to-ports="9100,9101" />
</cross-domain-policy>

Policy files can also authorize socket connections made by .swf files from multiple hosts. The policy file shown in Example 2 grants any .swf file hosted on any subdomain of example.com or moock.org permission to connect to example.com over ports 9100 and 9101.

Example 2. Authorizing multiple hosts

<cross-domain-policy>
  <allow-access-from domain="*.example.com" to-ports="9100,9101" />
  <allow-access-from domain="*.moock.org" to-ports="9100,9101" />
</cross-domain-policy>

In the preceding example, notice that each authorized host must be listed in a separate <allow-access-from> tag.

Socket master policy files versus regular socket policy files

Flash Player recognizes two different types of socket policy files: socket master policy files and regular socket policy files. Any socket policy file served over port 843 is considered a socket master policy file. Any socket policy file served over any port other than 843 is considered a regular socket policy file. Both types of policy files share the syntax shown in Example 1. Additionally, socket master policy files can use the <site-control> tag to authorize or restrict the use of regular socket policy files.

Example 3 shows a socket master policy file that allows the same socket connections as Example 1, but also uses the <site-control> tag to stipulate that Flash Player should obey the master's rules only. As a result, all other regular socket policy files on the same host as the master are ignored.

Example 3. A typical socket master policy file

<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" to-ports="9100,9101" />
</cross-domain-policy>

Socket policy file retrieval

In Flash Player 9.0.124.0 and later, socket policy files are mandatory. That is, ActionScript code cannot open a socket connection to a server unless that server has previously sent a policy file to Flash Player that explicitly authorizes the connection.

Policy files can be retrieved manually or automatically. To retrieve a socket policy file manually, ActionScript programmers must use either System.security.loadPolicyFile() (ActionScript 2.0) or flash.system.Security.loadPolicyFile() (ActionScript 3.0). Unity client developers can request a policy file via a client configuration file (see instructions), or via UClient.setServer().

To retrieve a socket policy file automatically, a client application can simply attempt to make a socket connection without first explicitly requesting a socket policy file. In response to the connection request, Flash Player will automatically attempt to retrieve the host's socket master policy file over port 843. If no such policy file exists, Flash Player will then automatically attempt to retrieve a policy file over the same port as the main connection. If the main connection's port does not respond with a policy file, the connection fails.
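The lookup order described above, combined with the master-only rule from the socket master policy section, can be modelled in a few lines of Python for auditing a server's policy files. This is an added example, not Unity or Adobe code: the function names and sample policies are constructed, support for port ranges and "*" in to-ports goes beyond what the page shows, and both the subdomain-only wildcard match and the fall-through to the regular policy when a non-restrictive master does not authorize are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, modelled on the page's examples.
MASTER_ONLY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" to-ports="9100,9101" />
</cross-domain-policy>"""
REGULAR = """<cross-domain-policy>
  <allow-access-from domain="*.moock.org" to-ports="9100,9101" />
</cross-domain-policy>"""

def domain_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # Assumption: subdomains only, following the page's wording.
        return host.endswith(pattern[1:])
    return pattern == "*" or host == pattern

def port_matches(to_ports, port):
    # Comma list; an entry is a port, a range "low-high", or "*".
    for entry in to_ports.split(","):
        low, _, high = entry.strip().partition("-")
        if low == "*":
            return True
        if low.isdigit() and (high or low).isdigit() and int(low) <= port <= int(high or low):
            return True
    return False

def policy_allows(policy_xml, swf_host, port):
    # True if any <allow-access-from> rule covers this .swf host and port.
    root = ET.fromstring(policy_xml)
    return any(domain_matches(r.get("domain", ""), swf_host)
               and port_matches(r.get("to-ports", ""), port)
               for r in root.iter("allow-access-from"))

def is_master_only(master_xml):
    sc = ET.fromstring(master_xml).find("site-control")
    return sc is not None and sc.get("permitted-cross-domain-policies") == "master-only"

def connection_allowed(master_xml, regular_xml, swf_host, port):
    # master_xml: policy served on port 843; regular_xml: policy served on
    # the connection's own port. Either may be None when nothing is served.
    if master_xml is not None:
        if policy_allows(master_xml, swf_host, port):
            return True
        if is_master_only(master_xml):
            return False  # regular policy files on this host are ignored
    return regular_xml is not None and policy_allows(regular_xml, swf_host, port)
```

xml.etree does not guard against entity-expansion payloads, so when auditing policy files fetched from hosts you do not control, parse them with defusedxml instead.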

For information on serving and retrieving policy files with Unity, see Technote 00001: Policy Files Now Mandatory.

Revision history

April 5, 2008: Posted

October 23, 2008: Fixed a minor error under "Socket policy file retrieval"