With Adobe Flash Player versions later than 220.127.116.11, any of the following configurations may not work as intended:
- A SWF file attempts a socket or XMLSocket connection back to its own host, without performing a loadPolicyFile call to retrieve a socket policy file.
- A SWF file attempts a socket or XMLSocket connection back to its own host, and loads a policy file that does not list its own domain within the allowed domains.
- A SWF file attempts a socket or XMLSocket connection back to any host, with an HTTP policy file granting permission.
See the Diagnosis section for instructions to determine if this change affects your site.
Flash Player versions later than 18.104.22.168 change the permission requirements for socket connections, and HTTP policy files no longer authorize socket connections. Flash Player has two types of policy files:
- HTTP policy files, which are crossdomain.xml files on a server that define whether SWF files from other domains can load that server's content.
- Socket policy files, which define the ports to which Flash Player can connect using Socket or XMLSocket connections.
In earlier versions, a socket policy file, which is a policy file deployed by a socket, was not required to connect to ports greater than 1024, if
- the domain that served the SWF file was the same as the domain of the socket connection, and
- the serving domain hosted a crossdomain.xml file.
This earlier configuration presented a risk to customers since an increasing number of critical services are served from ports greater than 1024. This change also helps to mitigate the possibility of a DNS rebinding attack using Flash Player sockets to reach the victim's host. To mitigate this issue, Flash Player now requires a socket policy file for all socket connections, regardless of the destination port and the presence of a crossdomain.xml file. There is now a fixed master location for socket policy files on port 843. The policy file on this port will be able to define meta-policies that define whether other socket policy files are allowed on the host. By default, all socket policy files are acknowledged.
If your SWF files previously could connect to their origin host on ports greater than 1024 because there was a crossdomain.xml file, you must now have a socket policy file. The socket policy file can be served either from the master socket policy port (843) or from the same port as the socket connection.
Use the following information to determine if this change affects your site. Flash Player 22.214.171.124 introduced policy file logging, a new feature. The policy file log shows messages for every event relating to policy files: attempts to retrieve them, successes and failures in processing them, and the fates of the requests that depend on them. You can find a complete reference to policy file log messages in Appendix B of Policy file changes in Flash Player 9 and 10.
To use the policy file log:
- Install a Debug version of Flash Player 126.96.36.199 or later. You can use any type of Flash Player: ActiveX, Plug-In, or Standalone. You can get the Debug version of Flash Player from Flash Player Support Center Downloads.
- Determine the location of your mm.cfg configuration file. This is a general debugging configuration file that Debug versions of Flash Player read on startup. The mm.cfg file is located in your home directory. For example:
- Windows: C:\Documents and Settings\username
- Windows Vista: C:\Users\username
- Mac OS and Linux: /home/username
Create mm.cfg if it does not exist, and then add one or both of the following lines:
- PolicyFileLog=1 # Enables policy file logging
- PolicyFileLogAppend=1 # Optional; do not clear log at startup
- If PolicyFileLogAppend is not enabled, each new root-level SWF will clear the log file. If policyfilelogappendpolicyfilelogappend<> is enabled, the previous contents of the log file will always be kept, and the log file will grow at the end.
If many different root-level SWF files are loaded during your testing, you will probably want to enable PolicyFileLogAppend. However, if you enable PolicyFileLogAppend, you will probably need to rename manually or delete the log file occasionally or it will become very large, and it will be difficult to determine where previous output ends and new output begins.
- Find the location where policyfiles.txt, the policy file log, will be written. It does not necessarily exist yet; Flash Player will create it the next time a SWF file is run. You can find policyfiles.txt in the following locations:
- Windows: C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\Logs
- Windows Vista: C:\Users\username[ AppData]\Roaming\Macromedia\Flash Player\Logs
- Mac OS: /Users/username/Library/Preferences/Macromedia/Flash Player/Logs (it is unconventional for a program to write log files to the Preferences directory, but that is in fact the case)
- Linux: /home/username/.macromedia/Flash_Player/Logs
To address this issue, you must create a socket policy file permitting the connection to the host. This policy file can be served either from the socket master policy location on port 843 or from the destination port of the socket connection. The socket policy file must include all domains that are allowed to connect to the socket, including itself. If the socket policy file is hosted from the master policy file location, include meta-policies where socket policy files are allowed to be located.
The changes for socket policy files are described in detail in Policy file changes in Flash Player 9 and 10. (Log messages are described in detail in Appendix B.)