It is very easy to run into Flash's multiple mechanisms for security, be unaware of the failure, and wonder why your program does not work. Adobe's existing documentation on security is thinly spread out and somewhat unclear on the subject.
There are two forms of sandbox setting:
- One on the published SWF (which can be toggled in Haxe with -D options).
- One set by the user to allow/block specific files and sites.
In Flash 9, SWFs that use the network should compile with "-D network-sandbox". Flash 10 will add additional rules to publish with local file access.
Note: Even an SWF with the localWithNetwork sandbox will be denied access to web resources via HTTP unless a flash.system.Security.allowDomain('*') call is issued, or the root of the accessed web server contains a file named crossdomain.xml with the following content:
<allow-access-from domain="*" />
However, I couldn't get it working without the crossdomain file.
For details and other options see:
- Flash Player Security @ Adobe Livedocs
- Overview of permission controls - website controls @ Adobe Livedocs
The Flash client will silently request XML-formatted policy files any time it decides that it needs permission to open a connection with a remote server. Several kinds of policy files exist: URL policy, socket policy, and master/meta-policy files. Flash has multiple mechanisms for requesting them:
- Make an HTTP request for "crossdomain.xml" on the remote server. This method is not sufficient for all situations in Flash 9, but will work with URLRequests.
- Open TCP port 843, the official policy file port, and use the server's output as a socket policy file. This is Flash's preferred method and allows the use of meta-policy files.
- Open the requested connection and wait for a socket policy file to be sent via TCP before continuing. Flash will send the string "<policy-file-request/>" when this happens, which hampers compatibility with existing socket servers.
Example of a Neko server serving policy files: Flash/Neko Chat Example
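The third mechanism above, as an added Python example (not code from this page or from the Flash/Neko chat example): a socket server that recognises the policy request on its own port, answers with a policy limited to one domain and one port instead of "*", and passes any other first bytes to the existing protocol. Flash ends the request with a NUL byte and expects a NUL-terminated reply; app.example.com, port 5000 and echo_app are constructed for the example.

```python
import socket
from xml.sax.saxutils import quoteattr

# Flash terminates the request with a NUL byte and expects a NUL-terminated reply.
POLICY_REQUEST = b"<policy-file-request/>\x00"

def build_policy(rules):
    """rules: (domain, ports) pairs; returns a NUL-terminated socket policy file."""
    body = "".join("  <allow-access-from domain=%s to-ports=%s/>\n"
                   % (quoteattr(domain), quoteattr(ports)) for domain, ports in rules)
    xml = "<cross-domain-policy>\n" + body + "</cross-domain-policy>\n"
    return xml.encode("ascii") + b"\x00"

# Constructed rule: only SWFs loaded from app.example.com may reach port 5000.
POLICY = build_policy([("app.example.com", "5000")])

def read_prefix(conn, expected=POLICY_REQUEST):
    """Read only while the bytes still match the policy request, so a normal
    client that sends a shorter first message is not left waiting."""
    buf = b""
    while len(buf) < len(expected) and expected.startswith(buf):
        chunk = conn.recv(len(expected) - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def serve_connection(conn, handle_app):
    """Answer a policy request and close; otherwise hand the bytes already
    read to the real protocol handler. Returns "policy" or "app"."""
    conn.settimeout(5)
    with conn:
        first = read_prefix(conn)
        if first == POLICY_REQUEST:
            conn.sendall(POLICY)
            return "policy"
        handle_app(conn, first)
        return "app"

def echo_app(conn, first):
    # Stand-in for the existing socket protocol (assumption for this example).
    conn.sendall(b"echo:" + first)

if __name__ == "__main__":
    srv = socket.create_server(("127.0.0.1", 5000))  # constructed port
    while True:
        client, _ = srv.accept()
        try:
            serve_connection(client, echo_app)
        except OSError:
            pass  # timeout or reset: drop the connection
```

The same serve_connection loop can listen on port 843 to act as the dedicated policy server, with the to-ports value naming the application port.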
Unless you are using socket meta-policy files to indicate otherwise, Flash will refuse to connect to socket ports below and up to 1024.
Here you can get more information about Flash Player Security and Application Domains