Posted March 20, 2008 by senocular
- The HTML parameter allowScriptAccess now defaults to sameDomain for ALL SWFs, not just SWFs published to version 8 and above (ho-hum)
- Custom headers provided by ActionScript now require explicit permission from a cross-domain policy file in order for the request to be sent to another domain (yikes)
- ALL socket connections (even same-domain) require socket-based policy files to successfully maintain a connection (yowza!)
The socket change is the big one. It could require socket servers to be updated if they weren't written to work with socket-based policy files.
For more information see "Preparing for the Flash Player 9 April 2008 Security Update".
But wait! That's not all. I can imagine most of you have not read the "Security changes in Flash Player 9" article in the Adobe developer center. If you have, you may have noticed yet another cross-domain policy file change that we can expect in the future. That change involves what are known as meta-policies, or a policy for policy files. Meta-policies were introduced with version 9,0,115,0 of the Flash Player (the current version at the time of this writing), but a later release of the player will make them stricter: by default, no policy file will be valid unless your master policy file (crossdomain.xml in the root of the domain) explicitly specifies a meta-policy that says otherwise. More information on this can be found on the page of the security article covering meta-policies.
Since you'll already be updating your cross-domain policy files for the header change, you might as well update your master policy file with the appropriate meta-policy as well. The following example shows a very permissive (not recommended) policy file with the necessary meta-policy and header definition.
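<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>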
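To check an existing master policy file for the permissive settings shown above, here is an added example (not part of the original post) that parses a crossdomain.xml and reports wildcard grants and a missing or wide-open meta-policy. The function name, the finding codes, the sample policies and the domain app.example.com are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive shape of master policy described in the post.
SAMPLE_PERMISSIVE = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: a tighter policy; domain and header name are placeholders.
SAMPLE_TIGHT = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
  <allow-http-request-headers-from domain="app.example.com" headers="X-Token"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a sorted list of finding codes (hypothetical names) for a policy file."""
    # Only feed this files you control: ElementTree is not hardened against hostile XML.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    findings = set()

    site = root.find("site-control")
    if site is None:
        # No explicit meta-policy: the result depends on the player's default.
        findings.add("no-meta-policy")
    elif site.get("permitted-cross-domain-policies") == "all":
        findings.add("meta-policy-all")

    for el in root.findall("allow-access-from"):
        if el.get("domain", "").strip() == "*":
            findings.add("access-from-any-domain")

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "").strip() == "*":
            findings.add("headers-from-any-domain")
        if el.get("headers", "").strip() == "*":
            findings.add("any-header-allowed")

    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("permissive", SAMPLE_PERMISSIVE), ("tight", SAMPLE_TIGHT)):
        print(name, audit_policy(text))
```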
Please SPREAD THE WORD to your fellow developers. Don't let the wrath of this security update reach the users. That could be damaging to the reputation of the Flash Player :)