Security changes in Flash Player 9.0.124.0

The latest security update to Adobe Flash player now makes it compulsory to have a socket policy file even if the application and the server are on the exact same domain. According to Adobe a crossdomain.xml file will no longer apply to socket requests, instead a separate socket policy file needs to be provided to the application. By default the application will first look for the policy file on port 843 and then on the port that the application is trying to open a socket to (the mud port in this case).

The following is the policy file that is used for the FMud demo server.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="bc-dev.net" to-ports="4000" />
</cross-domain-policy>

The FMud package has been updated to include a sample policy.xml file as well as a python script that will serve this file.

Use the following command to start the server.

./flashpolicyd.py --file=/path/to/flashpolicy.xml --port=843

Remember to allow a TCP server on port 843 in your server firewall.

Further details on the new security model can be found on the Adobe website. There are also more details on serving policy files as well as some more server scripts for download.

This entry was posted on May 14th, 2008 and is filed under FMud. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response or Trackback from your own site.