[[PlayerToc(flash)]] = JW Player: Crossdomain Security = The Adobe Flash Player contains a [http://www.adobe.com/devnet/flashplayer/security.html crossdomain security mechanism] that denies certain operations on files that are loaded from a different domain than the ''player.swf''. Roughly, three operations are denied: * Loading of data files (such as [wiki:FlashFormats playlists] or [wiki:PluginsCaptions captions]). * Loading of SWF files (such as [wiki:PluginsBuilding plugins] or [wiki:SkinningThePlayer skins]). * Accessing raw data of media files (such as [wiki:PluginsRevolt waveform data] or [wiki:PluginsSnapshot bitmap data]). Generally, file loads (playlists or captions) will fail if there's no crossdomain access. Data manipulations (ID3, waveform, smoothing) will abort. Crossdomain security restrictions can be lifted by either hosting a ''crossdomain.xml'' on the server that contains the files or by using a serverside ''proxy''. == Crossdomain XML == The easiest and best way to access 3rd party data is for the provider of that data to host a [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html crossdomain.xml configuration file] in its web root. Before the Flash Player attempts to load data from any site other than the one hosting the SWF, it first checks the remote site for the existence of a ''crossdomain.xml''. If the player finds it, and if the configuration permits external access of its data, then the data is loaded. Otherwise, a runtime security error is thrown. Here’s an example of a ''crossdomain.xml'' that allows access to the domain's data from SWF files on any site: {{{ }}} Our ''plugins.longtailvideo.com'' domain includes such a crossdomain file, so players from any domain cal load the plugins hosted there. Although plugins will reside on ''plugins.longtailvideo.com'' (or another plugin root you set), the ''crossdomain.xml'' file needs to allow data access from the site hosting the player itself, not the plugin. For example, if the player is hosted at ''www.site.com/player.swf'' and tries to access data from ''www.data.com'', even if data.coms' ''crossdomain.xml'' file allows access to ''plugins.longtailvideo.com'', the Flash player will throw a security exception. == Using a proxy == If the site from which you’d like to pull data does not host a crossdomain.xml policy file, you can still give users access to that data by hosting a proxy on your web server. A proxy is a simple program that tunnels all external data through your server. Yahoo has [http://developer.yahoo.com/javascript/howto-proxy.html some more info on proxies] and [http://developer.yahoo.com/javascript/samples/proxy/php_proxy_simple.txt a PHP proxy example]. When you host the proxy for players that are on other sites (e.g. in case of a plugin), your site in turn needs to include a permissive ''crossdomain.xml'' policy file. == Local playback == When embedding the player in a locally served page or SWF (not on a http:// server), the following restrictions apply: * Javascript interaction will NOT work. * Any files loaded from the web will NOT play.