By default, the runtime looks for a
socket policy file served from port 843. As with URL policy files,
this file is called the master policy file.
When policy files were first introduced in Flash Player 6, there
was no support for socket policy files. Connections to socket servers
were authorized by a policy file in the default location on an HTTP
server on port 80 of the same host as the socket server. Flash Player
9 still supports this capability, but Flash Player 10 does not.
In Flash Player 10, only socket policy files can authorize socket
Like URL policy files, socket policy files support a meta-policy
statement that specifies which ports can serve policy files. However,
instead of “master-only,” the default meta-policy for socket policy
files is “all.” That is, unless the master policy file specifies
a more restrictive setting, Flash Player assumes that any socket
on the host can serve a socket policy file.
to socket and XML socket connections is disabled by default, even
if the socket you are connecting to is in the same domain as the
SWF file. You can permit socket-level access by serving a socket
policy file from any of the following locations:
Port 843 (the location of the master policy file)
The same port as the main socket connection
A different port than the main socket connection
By default, Flash Player looks for a socket policy file on port
843 and on the same port as the main socket connection. If you want
to serve a socket policy file from a different port, the SWF file
must call Security.loadPolicyFile().
A socket policy file has the same syntax as a URL policy file,
except that it must also specify the ports to which it grants access.
When a socket policy file is served from a port number below 1024,
it may grant access to any ports; when a policy file comes from
port 1024 or higher, it may grant access only to ports 1024 and higher.
The allowed ports are specified in a to-ports attribute
in the <allow-access-from> tag. Single port
numbers, port ranges, and wildcards are accepted values.
Here is an example socket policy file:
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for xmlsocket://socks.mysite.com -->
<allow-access-from domain="*" to-ports="507" />
<allow-access-from domain="*.example.com" to-ports="507,516" />
<allow-access-from domain="*.example.org" to-ports="516-523" />
<allow-access-from domain="adobe.com" to-ports="507,516-523" />
<allow-access-from domain="184.108.40.206" to-ports="*" />
To retrieve a socket policy file from port 843 or from the same
port as a main socket connection, call the Socket.connect() or XMLSocket.connect() method.
Flash Player first checks for a master policy file on port 843.
If it finds one, it checks to see if the file contains a meta-policy statement
that prohibits socket policy files on the target port. If access
isn’t prohibited, Flash Player first looks for the appropriate allow-access-from statement
in the master policy file. If it doesn’t find one, it then looks
for a socket policy file on the same port as the main socket connection.
To retrieve a socket policy file a different location, first
call the Security.loadPolicyFile() method with
the special "xmlsocket" syntax, as in the following:
Call the Security.loadPolicyFile() method before
calling the Socket.connect() or XMLSocket.connect() method.
Flash Player then waits until it has fulfilled your policy file
request before deciding whether to allow your main connection. However,
if the master policy file specifies that the target location can’t
serve policy files, the call to loadPolicyFile() has
no effect, even if there is a policy file at that location.
If you are implementing a socket server and you need to provide
a socket policy file, decide whether to provide the policy file
using the same port that accepts main connections, or using a different
port. In either case, your server must wait for the first transmission
from your client before sending a response.
When Flash Player requests a policy file, it always transmits
the following string as soon as a connection is established:
Once the server receives this string, it can transmit the policy
file. The request from Flash Player is always terminated by a null
byte, and the response from the server must also be terminated by
a null byte.
Do not expect to reuse the same connection for both a policy
file request and a main connection; close the connection after transmitting
the policy file. If you do not, Flash Player closes the policy file
connection before reconnecting to set up the main connection.