I am at my wits' end trying to get an answer to a question.
According to http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_print.html
- A SWF file may no longer make a socket connection to its own domain without a socket policy file. Prior to version 9,0,115,0, a SWF file was permitted to make socket connections to ports 1024 or greater in its own domain without a policy file.
- HTTP policy files may no longer be used to authorize socket connections. Prior to version 9,0,115,0, an HTTP policy file, served from the master location of /crossdomain.xml on port 80, could be used to authorize a socket connection to any port 1024 or greater on the same host.
So with the tighter security measures, a policy file has to be fetched on port 843 or on the same port on which a connection is desired. That leads to another problem. The policy file request made by the player has a simple format: clear text <policy-file-request/> is sent as raw data bytes on the ports.
As most firewalls (especially application firewalls) block such raw data traffic (of unknown protocols) on all the ports, this means that the policy file fetch will almost always fail if the user is behind any firewall.
This will render all SWFs that do not use ports 80/443/25 unusable. Does anyone know what the solution to this problem is? Is there a way to get the crossdomain file if <policy-file-request /> is blocked?
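
The policy-file exchange described in the post above, as an added example that is not part of the original post: a minimal Python socket policy server that answers the player's NUL-terminated <policy-file-request/> with a policy restricted to one domain and one port. The domain app.example.com, port 5000 and all function names are assumptions made for illustration.

```python
import socket

POLICY_REQUEST = b"<policy-file-request/>\x00"  # the player's request is NUL-terminated
MAX_REQUEST = 64                                # refuse anything longer than that

def build_policy(domain, ports):
    """Socket policy for one origin and an explicit port list (no wildcards)."""
    xml = ('<?xml version="1.0"?>'
           '<cross-domain-policy>'
           '<allow-access-from domain="%s" to-ports="%s"/>'
           '</cross-domain-policy>' % (domain, ",".join(str(p) for p in ports)))
    return xml.encode("ascii") + b"\x00"        # the reply is NUL-terminated too

def read_request(conn, timeout=3.0):
    """Read until NUL, EOF, timeout or MAX_REQUEST bytes, whichever comes first."""
    conn.settimeout(timeout)
    buf = b""
    try:
        while b"\x00" not in buf and len(buf) < MAX_REQUEST:
            chunk = conn.recv(MAX_REQUEST - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf

def handle_client(conn, policy):
    """Answer one connection; returns True only if the policy was sent."""
    try:
        if read_request(conn) != POLICY_REQUEST:
            return False                        # not a policy request: close silently
        conn.sendall(policy)
        return True
    finally:
        conn.close()

def serve(host, port, policy):
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:                             # one client at a time, bounded by the timeout
            conn, _ = srv.accept()
            handle_client(conn, policy)

if __name__ == "__main__":
    # Constructed values: app.example.com and port 5000 are placeholders.
    serve("0.0.0.0", 843, build_policy("app.example.com", [5000]))
```

Binding to port 843 normally requires elevated privileges; the same handler can instead be attached to the application's own port, the other location the post mentions.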