JW Player: Crossdomain Security

The Adobe Flash Player contains a crossdomain security mechanism that denies certain operations on files that are loaded from a different domain than the player.swf. Roughly, three operations are denied:

Generally, file loads (playlists or captions) will fail if there's no crossdomain access. Data manipulations (ID3, waveform, smoothing) will abort. Crossdomain security restrictions can be lifted by either hosting a crossdomain.xml on the server that contains the files or by using a serverside proxy.

Crossdomain XML

The easiest and best way to access 3rd party data is for the provider of that data to host a crossdomain.xml configuration file in its web root. Before the Flash Player attempts to load data from any site other than the one hosting the SWF, it first checks the remote site for the existence of a crossdomain.xml. If the player finds it, and if the configuration permits external access of its data, then the data is loaded. Otherwise, a runtime security error is thrown. Here’s an example of a crossdomain.xml that allows access to the domain's data from SWF files on any site:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>

Our plugins.longtailvideo.com domain includes such a crossdomain file, so players from any domain can load the plugins hosted there.

Although plugins will reside on plugins.longtailvideo.com (or another plugin root you set), the crossdomain.xml file needs to allow data access from the site hosting the player itself, not the plugin. For example, if the player is hosted at www.site.com/player.swf and tries to access data from www.data.com, the Flash Player will throw a security exception even if data.com's crossdomain.xml file allows access to plugins.longtailvideo.com.
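The check described above can be modelled with a short script. This is an added example, not JW Player or Adobe code: it parses a crossdomain.xml, tests whether a given player host is granted access, and lists the wildcard entries a reviewer would question. The policy for www.data.com and the *.partner.example entry are constructed, and the domain matching is a simplified model ("*" alone, "*." prefix for subdomains, otherwise exact match).

```python
import xml.etree.ElementTree as ET

# The permissive policy shown on this page.
OPEN_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed sample: a policy www.data.com might serve (second entry is hypothetical).
DATA_COM_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="plugins.longtailvideo.com" />
    <allow-access-from domain="*.partner.example" />
</cross-domain-policy>"""

def allowed_domains(policy_xml):
    """Return the domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]

def domain_matches(pattern, host):
    """Simplified matching: '*' alone, '*.suffix' for subdomains, else exact."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot
    return host == pattern

def player_may_load(policy_xml, player_host):
    """True if a SWF served from player_host is granted access by the policy."""
    return any(domain_matches(p, player_host) for p in allowed_domains(policy_xml))

def audit(policy_xml):
    """List the entries that grant access more broadly than a single host."""
    findings = []
    for p in allowed_domains(policy_xml):
        if p == "*":
            findings.append("wildcard '*': SWFs on any site can read this host's data")
        elif p.startswith("*."):
            findings.append(f"subdomain wildcard {p}: every host under it is trusted")
    return findings

if __name__ == "__main__":
    # Player on www.site.com, plugin on plugins.longtailvideo.com: access is denied.
    print(player_may_load(DATA_COM_POLICY, "www.site.com"), audit(OPEN_POLICY))
```

Listing the player's own host in the policy, rather than relying on domain="*", keeps the data readable only by the sites you intend.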

Using a proxy

If the site from which you’d like to pull data does not host a crossdomain.xml policy file, you can still give users access to that data by hosting a proxy on your web server. A proxy is a simple program that tunnels all external data through your server. Yahoo has some more info on proxies and a PHP proxy example.

When you host the proxy for players that are on other sites (e.g. in case of a plugin), your site in turn needs to include a permissive crossdomain.xml policy file.

Local playback

When embedding the player in a locally served page or SWF (not on a http:// server), the following restrictions apply:

  • JavaScript interaction will NOT work.
  • Any files loaded from the web will NOT play.