We ran into a similar situation with having the crossdomain.xml policy
file in a subdirectory of a site.

The phase 3 change that went into effect with FP10.02 requires the root
directory of the site to have a meta policy file (policy file for policy
files) that allows for the use of policy files in subdirectories. If it
is missing then the site-control permitted-cross-domain-policies
defaults to "master only", causing all other policy files to fail
security check.

Therefore, the crossdomain.xml meta policy file placed in the root
directory will have the following:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <!-- The crossdomain meta policy file must be copied to the root of your site -->
    <!-- Allow subsite policy files -->
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

Then the subdirectory policy files will look something like the
following:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="YourDomainHere" to-ports="80" />
    <!--above is best practice OR
    <allow-access-from domain="*" />-->

    <allow-http-request-headers-from domain="YourDomainHere" headers="*" />
    <!--above is best practice  OR
    <allow-http-request-headers-from domain="*" headers="*" />-->
</cross-domain-policy>

The important part is having the meta policy file in the root directory.

Hope this helps,
CJ
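
Added example, not part of the original message: a small Python audit that reads a root crossdomain.xml, works out whether a policy file in a subdirectory would be honoured, and lists wildcard grants in a policy file. The function names and sample policies are constructed for illustration; the hyphenated attribute values and the text/x-cross-domain-policy content type are taken from Adobe's cross-domain policy specification, not from the message.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Per the message above, a root file without site-control falls back to master-only.
DEFAULT_META = "master-only"
POLICY_MIME = "text/x-cross-domain-policy"  # required by "by-content-type"

def meta_policy(master_xml: Optional[str]) -> str:
    """Return the meta-policy declared by the root crossdomain.xml text."""
    if not master_xml:
        return DEFAULT_META  # no root policy file at all
    node = ET.fromstring(master_xml.strip()).find("site-control")
    if node is None:
        return DEFAULT_META
    return node.get("permitted-cross-domain-policies", DEFAULT_META)

def subdir_policy_honoured(meta: str, content_type: str = "") -> bool:
    """Would a policy file outside the site root be accepted under this meta-policy?"""
    if meta == "all":
        return True
    if meta == "by-content-type":
        return content_type.split(";")[0].strip().lower() == POLICY_MIME
    return False  # "none", "master-only", or any unrecognised value

def wildcard_grants(policy_xml: str) -> List[str]:
    """Names of allow-* elements in a policy file that grant to domain="*"."""
    root = ET.fromstring(policy_xml.strip())
    return [el.tag for el in root.iter()
            if isinstance(el.tag, str) and el.tag.startswith("allow-")
            and el.get("domain") == "*"]

# Constructed sample input: the root meta policy file from the message.
MASTER_ALL = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>"""

# Constructed sample input: a subdirectory policy using the wildcard alternatives.
SUBDIR_WILDCARD = """<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

if __name__ == "__main__":
    meta = meta_policy(MASTER_ALL)
    print("meta-policy:", meta, "| subdirectory policy honoured:", subdir_policy_honoured(meta))
    print("wildcard grants:", wildcard_grants(SUBDIR_WILDCARD))
```

The audit looks only at the policy file text; it does not consider a meta-policy delivered through an HTTP response header.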
