Flash Player versions later than 126.96.36.199 change the permission requirements for socket connections, and HTTP policy files no longer authorize socket connections. Flash Player has two types of policy files:
- HTTP policy files, which are crossdomain.xml files on a server that define whether SWF files from other domains can load that server's content.
- Socket policy files, which define the ports to which Flash Player can connect using Socket or XMLSocket connections.
In earlier versions, a socket policy file, which is a policy file deployed by a socket, was not required to connect to ports greater than 1024, if:
- the domain that served the SWF file was the same as the domain of the socket connection, and
- the serving domain hosted a crossdomain.xml file.
This earlier configuration presented a risk to customers since an increasing number of critical services are served from ports greater than 1024. This change also help to mitigate the possibility of a DNS rebinding attack using Flash Player sockets to reach the victim's host. To mitigate this issue, Flash Player now requires a socket policy file for all socket connections, regardless of the destination port and the presence of a crossdomain.xml file. There is now a fixed master location for socket policy files on port 843. The policy file on this port will be able to define meta-policies that define whether or not other socket policy files are allowed on the host. By default, all socket policy files are acknowledged.
If your SWF files previously could connect to their origin host on ports greater than 1024 because there was a crossdomain.xml file, you must now have a socket policy file. The socket policy file can be served either from the master socket policy port (843) or from the same port as the socket connection.