Tuesday, December 11, 2012

( The Technology News Report ) Patcnews: Dec 11, 2012 The Patriot Conservative News Tea Party Network Reports Technology © All copyrights reserved By Patcnews


How to Block Pop On Google  
How to Block Pop Ups in Firefox (Update)




Advertising

Advertising keeps Google and many of the websites and services you use free of charge. We work hard to make sure that ads are safe, unobtrusive and as relevant as possible. For example, you won’t see pop-up ads on Google and we terminate the accounts of hundreds of thousands of publishers and advertisers that violate our policies each year – including ads containing malware, ads for counterfeit goods or those that attempt to misuse your personal information.

How Google uses cookies in advertising

Cookies help to make advertising more effective. Without cookies, it’s harder for an advertiser to reach its audience, or to know how many ads were shown and how many clicks they received.
Many websites, such as news sites and blogs, partner with Google to show ads to their visitors. Working with our partners, we may use cookies for a number of purposes, such as to stop you from seeing the same ad over and over again, to detect and stop click fraud, and to show ads that are likely to be more relevant (such as ads based on websites you have visited).
We store a record of the ads we serve in our logs. These server logs typically include your web request, IP address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser. We store this data for a number of reasons, the most important of which are to improve our services and to maintain the security of our systems. We anonymize this log data by removing part of the IP address (after 9 months) and cookie information (after 18 months).

Our advertising cookies

To help our partners manage their advertising and websites, we offer many products, including AdSense, AdWords, Google Analytics, and a range of DoubleClick-branded services. When you visit a page that uses one of these products, either on one of Google’s sites or one of our partners’, various cookies may be sent to your browser.
These may be set from a few different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. Some of our advertising products enable our partners to use other services in conjunction with ours (like an ad measurement and reporting service) and these services may send their own cookies to your browser. These cookies will be set from their domains.
See more detail about the types of cookie used by Google and our partners, and how we use them.

How you can control advertising cookies

You can use Ads Settings to manage the Google ads you see and opt out of interest-based ads. Even if you opt out of interest-based ads, you may still see ads based on factors such as your general location derived from your IP address, your browser type and recent, previous searches related to your current search.
You can also manage many companies’ cookies used for online advertising via the consumer choice tools created under self-regulation programs in many countries, such as the US-based aboutads.info choices page or the EU-based Your Online Choices.
Finally, you can manage cookies in your web browser.

Other technologies used in advertising

Google’s advertising systems may use other technologies, including Flash and HTML5, for functions like display of interactive ad formats. We may use the IP address, for example, to identify your general location. We may also select advertising based on information about your computer or device, such as your device model, browser type, or sensors in your device like the accelerometer.

Location

Google’s ad products may receive or infer information about your location from a variety of sources. For example, we may use the IP address to identify your general location; we may receive precise location from your mobile device; we may infer your location from your search queries; and websites or apps that you use may send information about your location to us. Google uses location information in its ads products to infer demographic information, to improve the relevance of the ads you see, to measure ad performance and to report aggregate statistics to advertisers.

Advertising identifiers on mobile devices

To serve ads in services where cookie technology may not be available (for example, in mobile applications), we may use technologies that perform similar functions to cookies. Sometimes Google links the identifier used for advertising on mobile applications to an advertising cookie on the same device in order to coordinate ads across your mobile apps and mobile browser. This can happen, for example, when you see an ad within an app that launches a web page in your mobile browser. This also helps us improve the reports we give to our advertisers on the effectiveness of their campaigns.
To opt out of interest-based ads on your mobile device, follow the instructions below.

Android

Find Google Settings in one of these places (depending on your device):
  • A separate app called Google Settings
  • In your main Settings app, scroll down and tap Google
Touch Ads.
Switch on "Opt out of interest-based ads."

iOS

Devices with iOS 6 and above use Apple’s Advertising Identifier. To learn more about your choices for use of this identifier, visit the Settings menu on your device.

What determines the ads by Google that I see?

Many decisions are made to determine which ad you see.
Sometimes the ad you see is based on your current or past location. Your IP address is usually a good indication of your approximate location. So you might see an ad on the homepage of YouTube.com that promotes a forthcoming movie in your country, or a search for ‘pizza’ might return results for pizza places in your town.
Sometimes the ad you see is based on the context of a page. If you’re looking at a page of gardening tips, you might see ads for gardening equipment.
Sometimes you might also see an ad on the web that’s based on your app activity, or an in-app ad that’s based on your web activity, or based on your activity on another device, if you've previously signed in to your Google account on another device.
Sometimes the ad you see on a page is served by Google but selected by another company. For example, you might have registered with a newspaper website. From information you’ve given the newspaper, it can make decisions about which ads to show you, and it can use Google’s ad serving products to deliver those ads.
You may also see ads on Google products and services, including Search, Gmail, and YouTube, based on information, such as your email address that you provided to advertisers and the advertisers then shared with Google.

Why am I seeing ads by Google for products I’ve viewed?

You may see ads for products you previously viewed through what's known as remarketing. Let’s suppose you visit a website that sells golf clubs, but you don’t buy those clubs on your first visit. The website owner might want to encourage you to return and complete your purchase. Google offers services that let website operators target their ads to people who visited their pages.
For this to work, Google either reads a cookie that’s already in your browser or places a cookie in your browser when you visit the golfing site (assuming your browser lets this happen).
When you visit another site that works with Google, which may have nothing to do with golfing, you might see an ad for those golf clubs. That’s because your browser sends Google the same cookie. In turn, we may use that cookie to serve you an ad that could encourage you to buy those golf clubs.
Your visit to the golfing site may also be used by Google to show you customized ads when you later search for golf clubs on Google.
We do have restrictions on remarketing. For example, we prohibit advertisers from remarketing based on sensitive information, such as health information or religious beliefs.
Learn more about Google ads.

 

Technologies and Principles

At Google, we pursue ideas and products that often push the limits of existing technology. As a company that acts responsibly, we work hard to make sure any innovation is balanced with the appropriate level of privacy and security for our users. Our Privacy Principles help guide decisions we make at every level of our company, so we can help protect and empower our users while we fulfill our ongoing mission to organize the world’s information.

Privacy principles


  1. Use information to provide our users with valuable products and services.
    “Focus on providing the best user experience” is the first tenet of Google’s philosophy. When users share information with us, it allows us to build services and products that are valuable to them. We believe that focusing on the user fosters both the products and privacy-enhancing features that have fueled innovation and built a loyal audience of users online.
    We learn from the typos and spelling mistakes we all make when searching to help give you quicker and more accurate search results. So if you type [grizzly pears] we can guess you probably meant [grizzly bears].
  2. Develop products that reflect strong privacy standards and practices.
    Our ambition is to be at the leading edge of technology, including the development of tools that help users manage their personal information in a simple, accessible manner without detracting from a valuable user experience. We comply with privacy laws, and additionally work internally and with regulators and industry partners to develop and implement strong privacy standards.
    We designed Google+ with circles to make it easy to share different things with different people. So you can put your friends in one circle, your family in another and your boss in a circle all by himself – just like real life.
  3. Make the collection of personal information transparent.
    We strive to show users the information used to customize our services. Where appropriate, we aim to be transparent about the information we have about individual users and how we use that information to deliver our services.
    Google Dashboard helps answer the question, “What does Google know about me?” It shows you the information stored in your Google Account, like your last Blogger blog or your uploaded photos, and enables you to change your privacy settings for many Google products from one central location.
  4. Give users meaningful choices to protect their privacy.
    People have different privacy concerns and needs. To best serve the full range of our users, Google strives to offer them meaningful and fine-grained choices over the use of their personal information. We believe personal information should not be held hostage and we are committed to building products that let users export their personal information to other services. We don’t sell users’ personal information.
    With our privacy tools you can encrypt the search traffic between your computer and Google, browse the internet in private, delete your search history, move your data out of Google products easily with our Data Liberation effort, and much more.
  5. Be a responsible steward of the information we hold.
    We recognize our responsibility to protect the data that users entrust to us. We take security issues seriously and work together with a large community of users, developers and external security experts to make the Internet safer and more secure.
    We design security and resilience into our products from the ground up. Our automated scanners use data to protect millions of users each day from malware, phishing scams, fraud, and spam.

 

Google Terms of Service

Last modified: April 14, 2014 (view archived versions)

Welcome to Google!

Thanks for using our products and services (“Services”). The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
By using our Services, you are agreeing to these terms. Please read them carefully.
Our Services are very diverse, so sometimes additional terms or product requirements (including age requirements) may apply. Additional terms will be available with the relevant Services, and those additional terms become part of your agreement with us if you use those Services.

Using our Services

You must follow any policies made available to you within the Services.
Don’t misuse our Services. For example, don’t interfere with our Services or try to access them using a method other than the interface and the instructions that we provide. You may use our Services only as permitted by law, including applicable export and re-export control laws and regulations. We may suspend or stop providing our Services to you if you do not comply with our terms or policies or if we are investigating suspected misconduct.
Using our Services does not give you ownership of any intellectual property rights in our Services or the content you access. You may not use content from our Services unless you obtain permission from its owner or are otherwise permitted by law. These terms do not grant you the right to use any branding or logos used in our Services. Don’t remove, obscure, or alter any legal notices displayed in or along with our Services.
Our Services display some content that is not Google’s. This content is the sole responsibility of the entity that makes it available. We may review content to determine whether it is illegal or violates our policies, and we may remove or refuse to display content that we reasonably believe violates our policies or the law. But that does not necessarily mean that we review content, so please don’t assume that we do.
In connection with your use of the Services, we may send you service announcements, administrative messages, and other information. You may opt out of some of those communications.
Some of our Services are available on mobile devices. Do not use such Services in a way that distracts you and prevents you from obeying traffic or safety laws.

Your Google Account

You may need a Google Account in order to use some of our Services. You may create your own Google Account, or your Google Account may be assigned to you by an administrator, such as your employer or educational institution. If you are using a Google Account assigned to you by an administrator, different or additional terms may apply and your administrator may be able to access or disable your account.
To protect your Google Account, keep your password confidential. You are responsible for the activity that happens on or through your Google Account. Try not to reuse your Google Account password on third-party applications. If you learn of any unauthorized use of your password or Google Account, follow these instructions.

Privacy and Copyright Protection

Google’s privacy policies explain how we treat your personal data and protect your privacy when you use our Services. By using our Services, you agree that Google can use such data in accordance with our privacy policies.
We respond to notices of alleged copyright infringement and terminate accounts of repeat infringers according to the process set out in the U.S. Digital Millennium Copyright Act.
We provide information to help copyright holders manage their intellectual property online. If you think somebody is violating your copyrights and want to notify us, you can find information about submitting notices and Google’s policy about responding to notices in our Help Center.

Your Content in our Services

Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.
When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.
Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
If you have a Google Account, we may display your Profile name, Profile photo, and actions you take on Google or on third-party applications connected to your Google Account (such as +1’s, reviews you write and comments you post) in our Services, including displaying in ads and other commercial contexts. We will respect the choices you make to limit sharing or visibility settings in your Google Account. For example, you can choose your settings so your name and photo do not appear in an ad.
You can find more information about how Google uses and stores content in the privacy policy or additional terms for particular Services. If you submit feedback or suggestions about our Services, we may use your feedback or suggestions without obligation to you.

About Software in our Services

When a Service requires or includes downloadable software, this software may update automatically on your device once a new version or feature is available. Some Services may let you adjust your automatic update settings.
Google gives you a personal, worldwide, royalty-free, non-assignable and non-exclusive license to use the software provided to you by Google as part of the Services. This license is for the sole purpose of enabling you to use and enjoy the benefit of the Services as provided by Google, in the manner permitted by these terms. You may not copy, modify, distribute, sell, or lease any part of our Services or included software, nor may you reverse engineer or attempt to extract the source code of that software, unless laws prohibit those restrictions or you have our written permission.
Open source software is important to us. Some software used in our Services may be offered under an open source license that we will make available to you. There may be provisions in the open source license that expressly override some of these terms.

Modifying and Terminating our Services

We are constantly changing and improving our Services. We may add or remove functionalities or features, and we may suspend or stop a Service altogether.
You can stop using our Services at any time, although we’ll be sorry to see you go. Google may also stop providing Services to you, or add or create new limits to our Services at any time.
We believe that you own your data and preserving your access to such data is important. If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service.

Our Warranties and Disclaimers

We provide our Services using a commercially reasonable level of skill and care and we hope that you will enjoy using them. But there are certain things that we don’t promise about our Services.
OTHER THAN AS EXPRESSLY SET OUT IN THESE TERMS OR ADDITIONAL TERMS, NEITHER GOOGLE NOR ITS SUPPLIERS OR DISTRIBUTORS MAKE ANY SPECIFIC PROMISES ABOUT THE SERVICES. FOR EXAMPLE, WE DON’T MAKE ANY COMMITMENTS ABOUT THE CONTENT WITHIN THE SERVICES, THE SPECIFIC FUNCTIONS OF THE SERVICES, OR THEIR RELIABILITY, AVAILABILITY, OR ABILITY TO MEET YOUR NEEDS. WE PROVIDE THE SERVICES “AS IS”.
SOME JURISDICTIONS PROVIDE FOR CERTAIN WARRANTIES, LIKE THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. TO THE EXTENT PERMITTED BY LAW, WE EXCLUDE ALL WARRANTIES.

Liability for our Services

WHEN PERMITTED BY LAW, GOOGLE, AND GOOGLE’S SUPPLIERS AND DISTRIBUTORS, WILL NOT BE RESPONSIBLE FOR LOST PROFITS, REVENUES, OR DATA, FINANCIAL LOSSES OR INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES.
TO THE EXTENT PERMITTED BY LAW, THE TOTAL LIABILITY OF GOOGLE, AND ITS SUPPLIERS AND DISTRIBUTORS, FOR ANY CLAIMS UNDER THESE TERMS, INCLUDING FOR ANY IMPLIED WARRANTIES, IS LIMITED TO THE AMOUNT YOU PAID US TO USE THE SERVICES (OR, IF WE CHOOSE, TO SUPPLYING YOU THE SERVICES AGAIN).
IN ALL CASES, GOOGLE, AND ITS SUPPLIERS AND DISTRIBUTORS, WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE THAT IS NOT REASONABLY FORESEEABLE.

Business uses of our Services

If you are using our Services on behalf of a business, that business accepts these terms. It will hold harmless and indemnify Google and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys’ fees.

About these Terms

We may modify these terms or any additional terms that apply to a Service to, for example, reflect changes to the law or changes to our Services. You should look at the terms regularly. We’ll post notice of modifications to these terms on this page. We’ll post notice of modified additional terms in the applicable Service. Changes will not apply retroactively and will become effective no sooner than fourteen days after they are posted. However, changes addressing new functions for a Service or changes made for legal reasons will be effective immediately. If you do not agree to the modified terms for a Service, you should discontinue your use of that Service.
If there is a conflict between these terms and the additional terms, the additional terms will control for that conflict.
These terms control the relationship between Google and you. They do not create any third party beneficiary rights.
If you do not comply with these terms, and we don’t take action right away, this doesn’t mean that we are giving up any rights that we may have (such as taking action in the future).
If it turns out that a particular term is not enforceable, this will not affect any other terms.
The laws of California, U.S.A., excluding California’s conflict of laws rules, will apply to any disputes arising out of or relating to these terms or the Services. All claims arising out of or relating to these terms or the Services will be litigated exclusively in the federal or state courts of Santa Clara County, California, USA, and you and Google consent to personal jurisdiction in those courts.
For information about how to contact Google, please visit our contact page.

 

Policy file changes in Flash Player 9 and Flash Player 10




This article refers to Flash Player 9 Update 3 (9,0,115,0), Flash Player 9 April 2008 Security Update (9,0,124,0), Flash Player 10.0 (1,0,2,xx and later) and Flash Player 11.x.
For more information on the structure of cross-domain policy files used to permit the sharing of data by client-side applications across domains, refer to Cross-domain policy file specification. For information on serving socket policy files from Linux and Windows hosts, you may find Setting up a socket policy file server very helpful.
Note: This article was updated in October 2008. There are only three substantial changes to be aware of: Flash Player 9,0,124,0 has implemented fully strict behavior for sockets (Phase 1.5); Flash Player 10.0 has implemented Phase 2 of the new restrictions; and the Phase 2 default URL meta-policy has been changed from the maximally restrictive none to the less restrictive master-only, permitting URL master policy files (those at /crossdomain.xml) to continue working without the introduction of a meta-policy.
In 2003, Flash Player 7 software introduced a channel of client-server communication that was new to the web: direct cross-domain data loading, authorized by policy files. Before policy files, web content could only perform two-way communication with its own server, such as runtime configuration or transactions without page reloads. Policy files allowed servers to open up their data selectively to client content from other domains, or generally to content from anywhere. Since the introduction of policy files, domain boundaries have been less of a barrier for authors of rich Internet applications.
Like most new technologies, policy files weren't perfect when they were first introduced. After four years, the Internet security community has found two undesirable situations (described later in this article) that can arise from the existence of policy files. The basic premise of policy files remains valid, and Flash developers can continue to rely on policy files just as they have since Flash 6. To address the new concerns, however, Adobe is specifying some stricter rules for the use of policy files. Additionally, there are a number of improvements that make policy files more useful and usable. We will try to explain the reasons for our changes clearly and simply.
This article assumes some familiarity with policy files. For a detailed introduction to policy files, see the Flash Player Security chapter of Programming ActionScript 3.0 on Adobe LiveDocs; Cross-domain policy file usage recommendations for Flash Player; and the Cross-domain policy file specification. For information about HTTP header-sending permissions in policy files, which is not covered in this article, see the relevant section in Understanding Flash Player 9 April 2008 Security Update compatibility.

How websites need to respond

To conform to the stricter rules, websites that serve policy files will need to make some minor changes. These changes are mainly for the protection of those sites themselves—essentially a new set of security best practices concerning policy files.
For most sites, we don't expect the changes to be difficult—but because of the large number of sites impacted, Adobe implemented the stricter requirements in Flash Player in three phases. In Phase 1, which began with Flash Player 9,0,115,0, a small number of strict rules were enforced immediately, but most violations of the strict rules resulted only in warnings visible in Debug versions of Flash Player. In Phase 1.5, which began with Flash Player 9,0,124,0, the warnings of Phase 1 became errors in the specific case of socket operations. In Phase 2, which began with Flash Player 10.0, all of the warnings of Phase 1 became errors and the transition to stricter rules was complete.
We recommend that website administrators follow these steps:
  1. Immediately: Read the section on immediate strictness, then follow the workflow steps for diagnosing and fixing immediate issues. This step only applies to sites that serve Flash Player compatible content (SWF files). This step accounts for the effects of Phase 1.
  2. Immediately: Read the section on socket policy files, then follow the workflow steps for configuring socket policy files. This step applies primarily to sites that already provide policy files, but can also provide useful defensive measures to sites with no policy files or SWF files. This step accounts for the effects of Phase 1.5.
  3. As time permits: Read the section on meta-policies, then follow the workflow steps for choosing and configuring a meta-policy. This step applies primarily to sites that already provide policy files, but can also provide useful defensive measures to sites with no policy files or SWF files. This step accounts for the effects of Phase 2.

Issues addressed

Two issues are addressed by the stricter policy file rules:
Policy file control. There is a possibility that a file on a server that does not appear to be a policy file may in fact be used as a policy file. For example, if a server permits uploads by users, but does not intend to open data for cross-domain access, it is possible that a user could deliberately construct a policy file but disguise it as a different type of file, such as an ordinary text, XML, or HTML file, or even as a binary type, such as a PNG or JPEG image file. A user who successfully uploaded this disguised policy file could then write a SWF file that takes advantage of the disguised policy file to load data from outside the server's domain. Similarly, a site maintainer with limited privileges could add a policy file to the site against an administrator's wishes, or even accidentally create a policy file they did not intend to. This issue is essentially one of controlling what policy files are permitted to exist on a server. Server administrators should be able both to set a server-wide policy on policy files (we call this a meta-policy), and to easily search for all policy files on their server, allowing auditing of all cross-domain permissions present on the server. The stricter policy file rules in Flash Player allow meta-policy declarations by server administrators, and perform greater sanity checking on policy files to help ensure that they are properly formatted.
DNS hardening. A class of cross-site scripting attacks known as DNS rebinding can target Flash Player, as well as browsers, virtual machines, and other user-agent programs. A DNS rebinding attack exploits a user-agent's same-origin policy, in which content from a given Internet domain is permitted to load and communicate with other resources in its own domain without explicit permission. An attacker who controls their own domain, and runs their own DNS server, can dynamically reconfigure their DNS server so that a given domain name resolves first to an IP address under the attacker's control (which may be used to serve a malicious SWF file or other content), then later to a different IP address that the attacker does not control. If the user-agent program does not detect the change in IP addresses, its same-origin policy will permit the attacker's content to access the second IP address without permission from the second host. Flash Player relies on browsers to provide HTTP networking, so any rebinding vulnerabilities that involve only HTTP must be solved in browsers. However, Flash Player also provides socket-level networking (via the ActionScript Socket and XMLSocket classes), and the strict policy file rules in Flash Player 9,0,115,0 help mitigate DNS rebinding vulnerabilities as they pertain to sockets. Specifically, the strict rules always require permission from a socket policy file in order to make a socket connection, even when the socket server appears to be the same as a connecting SWF file's domain of origin. In addition, beginning with version 9,0,115,0, Flash Player matches socket connections to their corresponding socket policy files based on IP addresses, not just domain names.

Other improvements

While addressing the above issues, we have also added some new features to make policy files more useful and usable:
  • Verbose logging of policy file events from Debug versions of Flash Player. All failures and successes in loading and processing policy files are reported, as well as failures and successes of operations that depend on those policy files. This should help not only with the transition to the stricter rules, but also generally in finding and solving problems with any policy file deployment.
  • A fixed socket master policy file port, TCP port 843, that is consulted by default for socket policy files. This provides a standard way to serve socket policy files, rather than the "choose any port" system used previously.
  • An option to require strong client authentication for local sockets. Socket policy files served from localhost sockets may now specify that only HTTPS SWFs from given domains may connect, using the secure="true" declaration previously reserved for HTTPS policy files. This can help secure hybrid applications that couple online Flash content with native local applications.

Changes in behavior due to immediate strictness


While most of the Policy file changes in Flash Player 9,0,115,0 generated only developer warnings, a few of the changes immediately resulted in changed functionality that may prevent SWF applications from working as intended. We made these immediate changes only for patterns of behavior that we believed were highly unlikely to occur in legitimate content. Still, we realize some legitimate content was affected.
For a quick, step-by-step guide to finding and fixing problems resulting from immediate strictness, see the workflow for immediate issues. However, we encourage anyone who may be affected (which is anyone responsible for SWF content) to read this introductory section first.

Malformed policy files

Unlike all other changes described in this article, Flash Player's restrictions on malformed policy files were not new to version 9,0,115,0. These restrictions have been enforced since version 9,0,47,0. However, starting in version 9,0,115,0, problems resulting from these restrictions should be easier to find due to the new logging mechanism.
Flash Player now rejects any policy file whose contents are not properly formatted. Invalid formatting can result from:
  • Leading or trailing extraneous content—anything (other than XML comments and declarations) that comes before the opening <cross-domain-policy> tag or after the closing </cross-domain-policy> tag. Note that this kind of extraneous content actually makes a file invalid as an XML document.
  • A top-level XML tag that is not <cross-domain-policy>.
  • Text (other than comments) inside any tag.
Flash Player rejects malformed policy files as part of the policy file control improvements. A malformed policy file can sometimes be an indication that Flash Player might be seeing a file that a website administrator did not intend to be usable as a policy file.
Adobe now provides XML Schema documents that you can use to validate policy file tags and formatting, if you wish. (This is an optional step, and if you're not familiar with XML Schema documents, you can safely skip it.) The schemas appear here:
PolicyFile.xsd is a generic schema for all policy files. The other four schemas restrict policy file syntax further for various protocols.
As with all issues of immediate strictness, follow the workflow for immediate issues to determine whether your SWF content is affected by malformed policy files. If you do find reports of malformed policy files in your logs, you (or whoever controls the affected policy files) should edit the policy files to remove any extraneous content, correct misspellings, etc.

Within-domain redirects

Since policy files were introduced, Flash Player has always ignored a policy file if an HTTP server returned a redirect to another domain when the policy file was requested. However, within-domain redirects were allowed, and Flash Player would consider a policy file's effective location to be its initially requested URL, even if the request for the policy file was redirected to a different location on the same server. The effective location of a policy file is important, because it dictates the scope of the policy file—the set of resources to which the policy file allows access. For example, a policy file located at http://example.com/directory1/crossdomain.xml would permit access to resources located at http://example.com/directory1/ and below, but not to resources in other locations on the same server, such as http://example.com/elsewhere/. In general, Adobe recommends against using redirects for policy files, as they can make it more difficult to predict the effective permissions on a site.
Starting with version 9,0,115,0, Flash Player will still accept policy files that are delivered with same-domain redirects, but will use the final URL, rather than the initial URL, as the effective location of a redirected policy file. For example, if the location http://example.com/forks/crossdomain.xml is redirected to http://example.com/spoons/crossdomain.xml, the resulting policy file will permit access to http://example.com/spoons/ and below, but not to locations under http://example.com/forks/.
Flash Player uses final redirected URLs as part of the policy file control improvements. Administrators should be able to easily determine the set of policy file permissions on a server. But if the initial URL of a redirect is used as its effective location, then the existence of a policy file could be simulated anywhere on the site by creating a redirect. By using only final URLs as effective locations, Flash Player helps ensure that only deliberate and obvious policy files can be used. A redirect will only cause an already established policy file to be loaded, rather than altering the permissions on a site.
Hopefully, redirected policy files are rare, but as with all issues of immediate strictness, follow the workflow for immediate issues to determine whether your SWF content is affected by policy file redirects. If you do find reports of policy file redirects in your logs, that by itself is not necessarily an indication that content will not function as intended, but it can serve as a clue if a later operation that was intended to be allowed is not allowed.
It is particularly problematic to redirect requests for the master HTTP policy file location, at /crossdomain.xml. Doing so will strip the resulting policy file of its status as master. It will then be impossible for that site to have a master policy file at all, which hinders common operations like declaring a meta-policy.

Content-type whitelist

Starting in version 9,0,115,0, Flash Player will ignore any HTTP policy file that is not sent with a Content-Type value that gives some assurance that the file is intended to be a text file. Flash Player requires that a policy file's Content-Type must be one of the following:
  • text/* (any text type)
  • application/xml or application/xhtml+xml
Content-Type values are determined from the response headers provided by HTTP servers. Servers may choose a Content-Type based on a file's name, extension, location, contents, or the instructions of a server script generating the file. If you need to change the Content-Type associated with a policy file, you may need to reconfigure a registry mapping filename extensions to Content-Type values, or edit a general server configuration file. Consult the documentation for your HTTP server.
As with all issues of immediate strictness, follow the workflow for immediate issues to help determine whether your SWF content is affected by non-textual Content-Type values, and for steps you can take to change Content-Type values on several popular HTTP server platforms. If you find that you need to solve a Content-Type issue, be sure to also consult the section on meta-policies, because a common way to choose a meta-policy is to designate the special Content-Type of text/x-cross-domain-policy for all policy files, which may solve two problems at once—establishing a meta-policy and providing a textual Content-Type.
Flash Player requires textual Content-Type values as part of the policy file control improvements. A policy file with a non-textual Content-Type can sometimes be an indication that Flash Player might be seeing a file that a website administrator did not intend to be usable as a policy file.
When Flash Player runs inside a browser, enforcement of the Content-Type whitelist is dependent on Flash Player being able to read HTTP response headers from the browser's networking stack. Most recent browsers enable this, but some older browsers do not. For a list of browsers that are and are not expected to support HTTP response headers, see Appendix A. If Flash Player finds that it cannot read HTTP response headers, a warning message will be generated in the policy file log, and policy files will be accepted regardless of their Content-Type, or even if they have no Content-Type at all.

Immediately strict sockets

Note: This section provides historical information only. Since the release of Flash Player 9,0,124,0, which implemented Phase 1.5 of strict policy file rules, all sockets have been treated with strict rules. This section only describes differences between Flash Player versions 9,0,115,0 and 9,0,124,0, which are now largely unimportant to maintainers of socket servers, since servers must now be prepared to encounter version 9,0,124,0 or later.
Starting in version 9,0,115,0, Flash Player defines a set of stricter rules for socket policy files. Socket policy files authorize ActionScript language connections to socket servers. The strict rules are described in detail in the section on socket policy files, but in brief, they state that permission from a socket policy file is always required in order to make any ActionScript socket connection. The previous rules permitted SWF files to make socket connections to high-numbered ports in their own domain without a policy file, and permitted any SWF file to connect to a high-numbered socket port based only on an HTTP policy file. These situations are no longer permitted under the strict socket rules.
For most socket servers, the strict rules were rolled out in two phases, with violations generating only warnings in Phase 1, unless hosts opted in to the new rules. However, for a few special kinds of sockets, the strict rules were applied immediately, even in Phase 1. These were:
  • Sockets on the local machine where Flash Player is running, except sockets that are identified as localhost in ActionScript. Local sockets are those at loopback addresses (127.0.0.1 in IPv4, ::1 in IPv6) and at locally assigned outward-facing addresses (such as the address assigned to an Ethernet adapter). This rule forms part of Flash Player's DNS hardening improvements. The system of opting in to strict socket rules is appropriate for server hosts, but not for local machines, which most users do not treat as servers. This rule helps prevent malicious DNS servers from resolving a host name first to a remote address (to deliver a SWF file), then later to a local address (to connect to a local service). The special name localhost is exempted from this rule because there is generally no possibility of remote DNS being involved in resolving localhost.
  • Sockets at link-local IP addresses, except sockets that are identified as *.local (any name ending in .local) in ActionScript. Link-local IP addresses are those assigned only on a single link (one network segment, such as a point-to-point connection or a network hub). Link-local addresses are often used for "zero-configuration" peer-to-peer networking. They take the form 169.254.* in IPv4, and fe80:* in IPv6. This case is very similar to the local case above. The .local exemption reflects the fact that there is generally no possibility of remote DNS being involved in resolving a .local address.
  • Sockets on ports numbered 1024 or higher that serve their own socket policy files, and do not list their own domain in policy file contents. This is actually not a separate rule; it is a consequence of the system for opting in to strict socket rules. Any socket that serves its own socket policy file automatically opts into the new rules. If a SWF file is making a connection to such a socket in its own domain, under the old rules, a policy file would not have been necessary, but under the strict rules, a socket policy file is necessary. If the socket policy file served by the socket happens not to list its own domain, SWF files from the same domain may not be able to connect.
As with all issues of immediate strictness, follow the workflow for immediate issues to determine whether your SWF content is affected by immediately strict sockets, and for steps to remedy any problems you find.

Meta-policies


The primary change in support of the policy file control improvements in Flash Player 9,0,115,0 is the introduction of meta-policies. A meta-policy is a "policy on policies"—a designation by a server administrator as to what policy files are permitted to exist on a server.
For a quick, step-by-step guide to choosing a meta-policy for a server, see the workflow for meta-policies. However, we encourage anyone who maintains a server to read this introductory section first. This includes servers that do not expect to serve any Flash Player compatible content, as such servers can still be vulnerable to policy-file-based attacks.

Why have meta-policies?

As explained in the description of the policy file control improvements, the goal of meta-policies is to help ensure that policy files can only be created with proper authorization. But in order to choose a meta-policy, it is important to understand what policy files do, and what effects an unauthorized policy file can have (see Figure 1).

Data flow enabled by a policy file
Figure 1. Data flow enabled by a policy file

In this diagram, the site b.com hosts a policy file that grants permission for a.com. This means that a SWF file from a.com can load data directly from some or all of the b.com site (how much depends on the policy file's location).
The administrator of b.com has to be careful with policy files, because they give permission for SWF files from other domains to operate with users' credentials when accessing b.com. In the diagram above, the user browses to a SWF file on a.com (1), or perhaps a SWF file from a.com is embedded in some other site, c.com (not shown). The SWF file from a.com obtains permission to load data from b.com using the policy file on b.com (2). Now the SWF file can load data from b.com (3), taking advantage of any credentials that enable the user to access b.com. If the SWF file wishes to, it can upload any data it finds on b.com back to its own server at a.com (4).
It is important here to compare, on one hand, the access credentials that the a.com server would have if it directly accessed b.com, and on the other hand, the access credentials that a user has to b.com. If the user is able to access b.com because they are inside a network firewall that b.com is also inside, or if the user is able to access b.com because they have provided a login and received an HTTP cookie, then the user has greater privileges than the a.com server. In this situation, it may be risky to create a policy file on b.com because then SWF files from a.com must be trusted not to disclose data that is private to b.com, the user, or both.
Given the potential of policy files to create this kind of data vulnerability, it is important for a server administrator to be able to limit the creation of policy files (thus avoiding vulnerabilities), and to easily find all policy files on the server at any given time (thus auditing the current set of permissions). Some servers may allow content contributions from personnel who lack administrative rights, and other servers may even serve content defined by end users. It is often not appropriate to allow these kinds of contributors to create policy files.
This is where meta-policies may help. By choosing an appropriate meta-policy, an administrator can completely prohibit the creation of policy files, completely allow the creation of policy files in any location, or take an intermediate approach, permitting only certain policy files by whatever criteria are desired.
Note that meta-policies are useful even for servers that do not expect to serve any Flash Player compatible content. If b.com is an HTML-only server inside a firewall, and someone has managed to create a policy file on b.com, then a SWF file from any site a.com on the Internet can attempt to retrieve data from b.com when a user with access to b.com views a SWF file from a.com. The same logic holds if b.com is a server on the Internet, but accepts login credentials. Thus, it benefits b.com to declare a meta-policy even though it does not expect to serve any Flash Player compatible content. (The likely meta-policy for such a server would be none, preventing any policy files from existing on that server.)

Scope of meta-policies

The following kinds of servers can declare meta-policies:
  • HTTP and HTTPS servers. Each server makes its own meta-policy declaration, which does not affect other servers. For example, the meta-policy of an HTTP server at port 80 affects only that server, and not an HTTP server at port 8080 on the same host. Likewise, the meta-policy of an HTTP server does not affect an HTTPS server on the same host, or vice versa.
  • FTP servers. Again, each server makes its own meta-policy declaration.
  • Entire hosts can declare a socket meta-policy, which governs low-level socket connections to that host on all ports. Low-level socket connections are those initiated using the ActionScript Socket and XMLSocket classes. Higher-level connections to HTTP and FTP servers, using any ActionScript APIs other than Socket and XMLSocket, should not be impacted by socket meta-policies, only by the meta-policy of the particular server involved. We sometimes refer to HTTP, HTTPS, and FTP meta-policies as URL meta-policies to distinguish them from socket meta-policies. For more about socket meta-policies, see the section on socket policy files.
It is not currently necessary or useful to declare meta-policies, or create policy files, on servers other than the above types. The Flash Player networking primitives permit only connections to HTTP, HTTPS, and FTP servers, and directly at the socket level. SWF files can make connections to other types of servers using socket-level connections, but in this case, Flash Player is not aware of the higher protocol, and so makes the policy file check at the socket level, not at the higher level. (Flash Player does also permit connections to Flash Media Server using the RTMP family of protocols, but security works differently for RTMP, with the server, rather than Flash Player, making security decisions.)

Meta-policy options

The following meta-policies are available:
  • all: All policy files are allowed. This meta-policy is appropriate only for servers that are on the public Internet and do not serve any content that requires login credentials.
  • by-content-type: All policy files whose Content-Type is exactly text/x-cross-domain-policy are allowed. No other policy files are allowed. This meta-policy is only available for HTTP and HTTPS servers. Most HTTP servers provide flexible ways to decide how to assign a Content-Type, so this is the most useful option when it is desirable to permit some policy files, but not others. Common strategies for assigning the text/x-cross-domain-policy type are to specify it for individual locations, thus requiring administrator approval for each policy file; or to assign text/x-cross-domain-policy to any file whose name is crossdomain.xml, thus allowing policy files to exist anywhere, but making it easy to find such files, or filter them during uploads or other content-creation processes.
  • by-ftp-filename: All policy files named crossdomain.xml (i.e., those whose URLs end with /crossdomain.xml) are allowed. No other policy files are allowed. This meta-policy is only available for FTP servers. The required filename cannot be customized.
  • master-only: Only the master policy file, located at /crossdomain.xml, is allowed.
  • none: No policy files are allowed. If this meta-policy is declared in the master policy file, then the master policy file is permitted to exist solely for the purpose of declaring this meta-policy, and any <allow-access-from> directives that it contains will be ignored.
  • none-this-response: This is a special meta-policy that can only be specified in an HTTP response header. It helps prevents this particular HTTP response from being interpreted as a policy file. Unlike all other meta-policies, none-this-response affects only a single HTTP response, rather than declaring an overall meta-policy for the entire server. Also unlike all other meta-policies, none-this-response can appear in combination with any other meta-policy without conflict. When none-this-response and another meta-policy are both present, then the current HTTP response will not be allowed to be a policy file, but the additional meta-policy will be interpreted to be the overall meta-policy for the server. The none-this-response meta-policy is mainly useful when your server contains scripts that you do not want to allow to generate policy files. Since scripts can generally choose the Content-Type of their output, and generate arbitrary HTTP response headers, it would be difficult to filter script output looking for indications that the output represents a legal policy file. Instead, by appending a none-this-response meta-policy header to the output, you help make sure that whatever the script generates, it cannot generate a valid policy file. (In addition, if the script generates its own meta-policy HTTP response header, that cannot force the server to adopt a more open meta-policy than the one you specify, since meta-policy conflicts are always resolved by choosing the most restrictive meta-policy encountered.)

How to specify meta-policies

There are two ways to declare a meta-policy on an HTTP, HTTPS, or FTP server (socket policy files work differently):
  • Declare the meta-policy in the master policy file for that server—the policy file located at /crossdomain.xml. A new tag called <site-control> is included inside the top-level <cross-domain-policy> tag, and an attribute of the <site-control> tag called permitted-cross-domain-policies specifies the particular meta-policy to be used. Here is an example policy file declaring a meta-policy of by-content-type:

<cross-domain-policy> <site-control permitted-cross-domain-policies="by-content-type"/> </cross-domain-policy>

  • Declare the meta-policy in an HTTP response header called X-Permitted-Cross-Domain-Policies. This option is not available on FTP servers. In order to be effective, this header must be returned with every HTTP response, because there is no reliable way to detect whether a request is or is not for a policy file. Here is an example HTTP response header declaring a meta-policy of none:

HTTP/1.1 200 OK X-Permitted-Cross-Domain-Policies: none

If you need to specify two meta-policies (which is only legal when one of them is none-this-response), either provide the X-Permitted-Cross-Domain-Policies header twice, or provide it once with the meta-policy values separated by a semicolon. Both arrangements are standard practice for HTTP headers.
You should choose only one of the two mechanisms to declare a meta-policy. However, if you accidentally declare a meta-policy in both places, the meta-policy declared in the HTTP response header will take precedence over the meta-policy declared in the master policy file.
Each of the two approaches has advantages. Considerations include:
In favor of declaring meta-policies in the master policy file:
  • It is usually simpler to edit the master policy file than to return a new HTTP response header.
  • The master policy file technique works for both HTTP and FTP.
  • The master policy file technique avoids introducing an additional header to every HTTP response from the server.
In favor of declaring meta-policies in an HTTP response header:
  • It is not always possible to create a master policy file in the server's document root directory.
  • If a meta-policy is declared in the master policy file, but a non-master policy file is requested, Flash Player must retrieve the master policy file before accepting the non-master policy file. But if a meta-policy is declared in an HTTP response header, the extra request for the master policy file is not needed.
  • The server configuration needed to declare a meta-policy in an HTTP response header can generally be managed in a single server configuration file, without any need to alter any servable document content.
  • The none-this-response meta-policy can be provided to control the ability of scripts to generate policy files.
On HTTP and HTTPS servers, there is a rule to be aware of: if you do not explicitly declare a meta-policy in an HTTP response header or the master policy file, but you return any policy file with a Content-Type of text/x-cross-domain-policy, this will cause Flash Player to assume a meta-policy of by-content-type. This is not a good way to declare a meta-policy—just a fact to be aware of in case you accidentally end up in this situation.

Default meta-policies

If a server does not declare a meta-policy, there are two possible results:
  • In Phase 1, which began with Flash Player 9,0,115,0, the default meta-policy is all. This favors compatibility, helping ensure that sites continue to operate unaffected until a meta-policy is explicitly chosen.
  • In Phase 2, which began with Flash Player 10.0, the default meta-policy is master-only. This favors security while still maintaining a high level of compatibility with existing content. A site must explicitly choose a meta-policy before any of its contents other than the master policy file can be used as a policy file.
When Flash Player runs inside a browser, enforcement of meta-policies is dependent on Flash Player being able to read HTTP response headers from the browser's networking stack. Most recent browsers enable this, but some older browsers do not. For a list of browsers that are and are not expected to support HTTP response headers, see Appendix A. If Flash Player finds that it cannot read HTTP response headers, a warning message will be generated in the policy file log, and a meta-policy of all will be assumed for all domains. Note that when Flash Player cannot read HTTP response headers, all meta-policy declarations are ignored, including those that appear in master HTTP policy files rather than in HTTP response headers.

Why action is needed

There are two reasons to declare a meta-policy on your server:
  • If your server serves any non-master policy files, and you do not declare a meta-policy permitting those policy files, then they will stop working for users who install a Phase 2 version of Flash Player (Flash Player 10.0 or later).
  • Whether or not your server deliberately serves policy files, or even any Flash Player compatible content at all, anyone with the ability to create text files on your server can create a policy file, which may then be used to disclose data that is private to your server, your users, or both. Declaring a meta-policy ensures that the default meta-policy of all is not applied for users of Phase 1 versions of Flash Player.
The workflow for declaring a URL meta-policy takes you through the steps necessary to choose and apply a meta-policy.

Socket policy files


Most networking in ActionScript is URL-based, using HTTP, HTTPS, and FTP. However, ActionScript also supports the Socket and XMLSocket classes, which enables networking directly at the lower TCP socket level. Whereas URL networking is authorized by URL policy files, ActionScript socket-level connections are authorized by socket policy files.
Flash Player 9,0,115,0 and 9,0,124,0 introduce several changes to the way socket policy files work. These changes are primarily to support the goal of DNS hardening, helping to ensure that ActionScript cannot be used as a means for a DNS rebinding attack that results in an unauthorized socket connection.
For a quick, step-by-step guide to implementing a valid socket policy file configuration for a host, see the workflow for socket policy files. However, we encourage anyone who maintains a server host to read this introductory section first. This includes hosts that do not expect to serve any Flash Player compatible content, as such hosts can still be vulnerable to socket-based DNS rebinding attacks.
This section builds on the previous section on meta-policies, so be sure you've read that first.

Socket policy file background

This background section provides information that has been true since the introduction of socket policy files in Flash Player 7,0,19,0.
Socket policy files serve the same purpose as URL policy files: they authorize connections from client content. A URL policy file authorizes data loading from its own HTTP, HTTPS, or FTP server, whereas a socket policy file authorizes socket connections to its own host.
Note: We use the terms "URL policy files", "URL meta-policies", etc., to refer to networking over HTTP, HTTPS, and FTP. This is despite the fact that socket policy file locations can be expressed using URLs, for example as xmlsocket: URLs when calling loadPolicyFile from ActionScript.
All policy files have two essential attributes: permissions (the list of domains authorized to connect) and scope (the set of resources to which access is allowed). Socket policy files work identically to URL policy files as far as permissions are concerned, but socket policy file scopes work differently than URL policy file scopes.
The scope of a URL policy file is determined by its location, but the scope of a socket policy file is determined by the file's contents—specifically, by to-ports attributes that specify the TCP ports to which socket connections may be made.
A socket policy file may be served from any TCP port on a host, but a socket policy file from port 1024 or above may only authorize connections to ports 1024 and above. A socket policy file from a port below 1024 may authorize connections to any port on the host.
Socket policy files may be obtained from the same port as a main connection (the socket connection being made by ActionScript, which is authorized by a socket policy file), or from a different port, separate from the main connection. If you opt to serve a socket policy file from the same port as a main connection, the server listening on that port must understand socket policy file requests (which are indicated by a transmission of <policy-file-request/> from Flash Player), and must respond differently for policy file requests and main connection requests. It is usually easier to serve socket policy files from a separate port, because this centralizes the socket policy for a host in one place, and because most servers are not equipped to serve their own socket policy files.

Socket master policy files

Since policy files were first introduced, Flash Player has recognized /crossdomain.xml as a master location for URL policy files. However, prior to version 9,0,115,0, Flash Player did not recognize a fixed master location for socket policy files. Flash Player 9,0,115,0 introduces a concept of socket master policy files, which are served from the fixed TCP port number 843.
Socket master policy files serve several needs:
  • A fixed port number provides a standard way to serve a socket policy from a host. Previously, this arrangement was a decision that each host administrator had to make for themselves. With a fixed port number, a standalone socket policy file server can bind to port 843 by default, and it is easier for an administrator to find a socket policy on an unfamiliar machine.
  • A master location provides a way to declare a socket meta-policy. Socket meta-policies are similar to the URL meta-policies discussed earlier: they control what socket policy files are permitted to exist on a host. This is explained further in the section below on socket meta-policies.
  • Serving a socket policy file from port 843 provides a way for host administrators to indicate their desire to opt into new socket rules, even for Phase 1 versions of Flash Player. This is explained further in the section below on opting into strict socket rules.
  • A fixed master location can be checked automatically by Flash Player, without ActionScript having to call loadPolicyFile to inform Flash Player of the location of a socket policy file.
Note: Setting up a socket policy file server provides a brief background on the latest Flash Player socket functionality, as well as sample code for creating socket policy file servers in testing environments.
Adobe is applying with IANA, the Internet Assigned Numbers Authority, to reserve TCP port 843 for the purpose of serving socket policy files. This process may take a long time, but in the meantime Adobe is documenting this intended use of port 843 as broadly as possible.
Because port number 843 is below 1024, socket master policy files can authorize access to any port on a host. The 1024 boundary is important on Unix-style hosts, because typically such hosts require root access (i.e., administrative privileges) in order to bind a server to a port below 1024. This means that setting up a socket master policy file on a Unix-style host will typically require root access, which is a good protective measure for such hosts.
See the section on firewall traversability if you are concerned about serving socket master policy files through firewalls.

Socket meta-policies

Socket meta-policies are similar to URL meta-policies. There are a few differences:
  • Socket meta-policies affect socket policy files, not URL policy files. A socket meta-policy affects an entire host, not just a single URL server.
  • Socket meta-policies can only be declared in a socket master policy file. The syntax is the same as for declaring a meta-policy in an URL master policy file, using the <site-control> tag. Socket meta-policies cannot be declared in HTTP response headers, as HTTP is not involved.
  • A different set of meta-policies is available for use as socket meta-policies than is available for use as URL meta-policies, and the default socket meta-policy is different from the default URL meta-policy.
The available socket meta-policies are:
  • all: Socket policy files are allowed from any port on this host. This meta-policy is appropriate only for hosts that are on the public Internet and do not serve any content that requires login credentials.
  • master-only: Only the socket master policy file, served from port 843, is allowed on this host.
  • none: No socket policy files are allowed on this host. If this meta-policy is declared in the master policy file, then the master policy file is permitted to exist solely for the purpose of declaring this meta-policy, and any <allow-access-from> directives that it contains will be ignored.
The default socket meta-policy is all. Flash Player will assume the meta-policy all for any host that does not serve a socket master policy file that declares a socket meta-policy. The default of all applies to both Phase 1 and Phase 2 implementations of Flash Player. This differs from the way URL policy files work—the default URL meta-policy for Phase 2 is master-only.
Thus, socket policy files have a different, more permissive default meta-policy than URL policy files. This is because sockets are much less likely than URL servers to experience a risk of unauthorized policy files. It is not uncommon for HTTP servers, for example, to serve user-generated content, or content created by personnel other than server administrators—so it makes sense to have (in Phase 2) a default URL meta-policy of master-only, thus helping ensure that administrators have proactively enabled policy files before anyone can create them. However, it would be much less common for a host to permit unauthorized users to install or modify entire servers listening on TCP ports, so it makes sense to have a default socket meta-policy of all, thus helping ensure that socket policy files can be created anywhere on a host unless an administrator specifically forbids it.

Strict socket rules

The primary change in support of the DNS hardening improvements in Flash Player 9,0,115,0 is the introduction of strict socket rules. These rules are:
  • A SWF file may no longer make a socket connection to its own domain without a socket policy file. Prior to version 9,0,115,0, a SWF file was permitted to make socket connections to ports 1024 or greater in its own domain without a policy file.
  • HTTP policy files may no longer be used to authorize socket connections. Prior to version 9,0,115,0, an HTTP policy file, served from the master location of /crossdomain.xml on port 80, could be used to authorize a socket connection to any port 1024 or greater on the same host.
These two rules can be summed up in a simple statement: under the strict socket rules, every socket connection requires permission from a socket policy file.
Like most of the policy file changes Flash Player 9, the strict socket rules were deployed in two phases. In Phase 1, which began with Flash Player 9,0,115,0, violations of the strict policy file rules resulted only in warnings that are visible to Flash developers using Debug versions of Flash Player. In Phase 1.5 , which began with Flash Player 9,0,124,0, these warnings became errors, possibly causing SWF files depending on the older rules to stop functioning as intended. Staring from Phase 1, host administrators have had the opportunity opt into the strict rules, helping ensure that their sites are protected against DNS rebinding attacks even for users who have Phase 1 versions of Flash Player.
The workflow for socket policy files provides details to help you find and solve issues that result from the introduction of strict socket rules. In brief, if you maintain any SWF files that make socket connections in one of the two situations described above, you will need to ensure that the host to which you are connecting serves a socket policy file. The usual way to do this is to set up a socket master policy file server on port 843, but see the workflow section for other options.

Opting into strict socket rules

For Phase 1 versions of Flash Player, the following configurations will cause a host to use strict socket rules. This is important information both for host administrators, who can opt into the more secure rules for their own protection, and for maintainers of SWF files, who should understand the effects that these configurations may have on the ability of their SWF files to make socket connections.
  • If a host serves a socket policy file from port 843 (a socket master policy file), strict socket rules will be applied for the entire host. This is true regardless of the contents of the policy file; even if the socket master policy file is empty, or declares the meta-policy all, the host will still use strict socket rules. All socket connections to this host will require permission from a socket policy file, which will most likely be the same socket master policy file that is triggering the transition to strict socket rules. This is the usual mechanism that host administrators should use to opt into strict socket rules.
  • If an HTTP server on port 80 declares a URL meta-policy in its master policy file at /crossdomain.xml, then that master HTTP policy file will not authorize socket connections to the same host. This configuration activates only one of the two strict socket rules for its host—the rule about SWF files connecting to their own hosts is unaffected.
  • If a non-master socket port serves a socket policy file, strict socket rules will be applied for that particular port. All socket connections to this port will require permission from a socket policy file, which will most likely be the same socket policy file that is being served from this port. An occasional unintended consequence of this rule is described in the section on immediately strict sockets: if a socket port 1024 or higher serves a socket policy file that does not list its own domain, then SWF files from that domain, which previously were permitted to connect without a policy file, will be unable to connect.

Secure domain lists

Since policy files were introduced, Flash Player has supported a special attribute in the <allow-access-from> directives of policy files from HTTPS servers: secure="true". When secure="true" is specified, SWF files from the domain or domains listed in that <allow-access-from> directive are permitted to retrieve data only if those SWF files are themselves retrieved over HTTPS. This helps protect the data from HTTPS servers, and helps ensure that it does not flow to SWF files whose origin cannot be strongly authenticated. (A SWF file that is served over HTTPS is much harder to forge than a SWF file that is served over HTTP, because of the domain-authentication and tamper-resistance technologies built into HTTPS.) The default behavior for HTTPS policy files is in fact secure="true"; in order to override it, HTTPS policy files must explicitly declare secure="false", which Adobe recommends against.
Starting with version 9,0,115,0, Flash Player supports the secure="true" declaration in a new situation: in socket policy files from local sockets (i.e., from socket servers running on the same computer as Flash Player). When secure="true" is declared in an <allow-access-from> directive from a local socket policy file, SWF files from the domain or domains listed in that <allow-access-from> directive are permitted to connect to the allowed ports only if those SWF files are retrieved over HTTPS. Here is an example of a local socket policy file using this feature:

<cross-domain-policy> <allow-access-from domain="my.com" secure="true" to-ports="3050"/> </cross-domain-policy>

The only permission granted by such a policy file would be for a SWF file loaded over HTTPS from my.com to connect to port 3050. A SWF file loaded over HTTP from my.com would not be granted any permissions by this particular policy file.
The domains listed with secure="true" declarations are called secure domain lists.
Secure domain lists in local socket policy files are potentially useful for hybrid online/offline applications. Imagine that an application installs a native local component on users' machines, provides an online SWF interface via a web browser, and uses an ActionScript socket connection to communicate between the web SWF and the local component. In this scenario, the application developer would want to ensure that only their particular SWF files could communicate with the local component; otherwise, other SWF files on the web could potentially commandeer the native functionality of the local component. If the developer of this application posted all their SWF files to an HTTPS server on my.com, and served the socket policy file shown above from their local component, including the secure="true" declaration, this would prevent all but the application developer's own SWF files from connecting to the local component.
In order to take advantage of secure domain lists, local application developers must make sure their users have a Flash Player of at least version 9,0,115,0 installed. Otherwise, the secure="true" directive will be silently ignored.
Adobe recommends against using the secure="true" directive in socket policy files that are not served from local sockets (i.e., from socket servers running on the same computer as Flash Player). Flash Player will generate warnings in the policy file log if it finds secure="true" in a socket policy file that does not appear to have come from the local host. Flash Player will in fact honor secure="true" in non-local socket policy files, but only because it is not possible for Flash Player to detect with 100% reliability whether a socket connection is to the local host or not.
It is important to understand why it may be insecure to declare secure="true" in a socket policy file that does not come from the local host. As of this writing, Flash Player does not provide secure socket-level networking—there is no equivalent of HTTPS at the socket level yet (this support would be called SSL/TLS at the socket level). This means that socket policy files are always retrieved without the benefits of SSL/TLS. Socket policy files are thus vulnerable to man-in-the-middle attacks, where a third party on the network between client and server can change the contents of a network conversation without either client or server knowing that this has occurred. So, if a socket policy file from a non-local socket declares secure="true", a man-in-the-middle attacker can simply substitute secure="false". Declaring secure="true" in a non-local socket policy file therefore may provide a false sense of security that Flash Player cannot reliably enforce. (It is for this same reason that secure="true" is not permitted in HTTP policy files either—only in HTTPS policy files.) However, if secure="true" is declared in a local socket policy file, there is no off-host networking involved in transferring the socket policy file from its server to Flash Player. This is why secure="true" makes sense in local socket policy files.

Address-based socket policy file scopes

One important change to socket policy files in Flash Player 9,0,115,0 is invisible to ActionScript and requires no changes in content.
Prior to version 9,0,115,0, if Flash Player found a socket policy file from some domain a.com, that policy file could be used to authorize any socket connection to a.com. This left open the possibility that, due to a DNS rebinding, a.com might have referred to a different host at the time of the socket connection than it did at the time of the policy file retrieval, thus allowing one host to specify the permissions for a different host.
Starting with version 9,0,115,0, Flash Player always checks that, before a socket connection is allowed, a socket policy file has been retrieved from the same IP address as the host to which the connection is being made.

Socket policy file behaviors exposed to server hosts

Flash Player 9,0,115,0 may cause hosts to see some slightly different traffic than they are accustomed to, and Flash Player contains some accommodations for the differences. The differences include:
  • When a SWF file attempts to make a socket connection, even to its own domain, Flash Player will first attempt to contact port 843 to see if the host is serving a socket master policy file.
  • When an ActionScript 1.0 or ActionScript 2.0 SWF file attempts to make an XMLSocket connection, and permission for the connection has not already been obtained from a socket master policy file or a policy file whose location has been specified with loadPolicyFile, Flash Player will attempt to retrieve a policy file from the same port as the main connection before it attempts the older behavior of looking for an HTTP policy file on port 80 of the same domain as the main connection. (The default policy file checks for ActionScript 3.0 socket connections are not changing; checking the same port as the main connection has always been the default for ActionScript 3.0 socket connections.)
For any socket policy file that Flash Player requests automatically, if the host does not either answer or reject the connection attempt within 3 seconds, Flash Player will abort the attempt, assume there is no policy file at that location, log a warning in the policy file log, and move on to the next stage of socket policy file authorization. This timeout behavior helps protect Flash Player against waiting too long for a socket connection that will never succeed, but it does somewhat reduce Flash Player's robustness to temporary network outages, slow connections, heavily loaded servers, etc. If you know that a certain socket policy file, which Flash Player would otherwise automatically request, is available, you can avoid the 3-second timeout behavior by explicitly calling loadPolicyFile from your SWF file, providing the URL of that socket policy file. This will cause Flash Player to be patient in its attempt to retrieve that policy file, avoiding timeouts until the TCP timeout of 2 minutes expires. For example, if you know that the master socket policy file on port 843 of mysite.com is available, and you are seeking to avoid 3-second timeouts while Flash Player attempts to retrieve it, you could call loadPolicyFile("xmlsocket://mysite.com:843") from ActionScript.

Firewall traversability and socket policy files

A disadvantage of socket master policy files is that they require clients to be able to access port 843. Some users behind restrictive outbound firewalls may not have this capability.
Adobe believes that outbound firewalls have good reason to permit access to port 843: this enables Flash Player to help enforce security policies declared by host administrators, and the effort to standardize the purpose of port 843 should ensure that other types of servers are not bound to that port. However, socket master policy files are a new concept, and it will take time for firewall rule sets to incorporate access to port 843. This is also a matter that must be left to the discretion of individual firewall administrators, who may choose not to permit access to port 843. We will show why this should generally not cause serious problems for Flash Player users or for server hosts.
Lack of access to port 843 has the following consequences:
  1. Socket meta-policies will not be honored; any socket policy file will be allowed to permit access (though only by users behind the restrictive firewall).
  2. For Phase 1 versions of Flash Player, if a host is using the existence of a socket master policy file to signal opt-in to the new rules, that opt-in will not be seen by Flash Player. Users behind the restrictive firewall may still be vectors for DNS rebinding attacks that target socket ports greater than or equal to 1024.
  3. If a host is relying on its socket master policy file to authorize socket connections, then users behind the restrictive firewall will not be able to establish those connections.
These consequences may sometimes cause minor problems, but Adobe does not believe they should cause major problems. Here is why:
  • If a user is behind a restrictive firewall and cannot see port 843, they may not be able to see the target port either, which moots all three disadvantages listed above. There are a few ports that firewalls almost always allow, such as 80 for HTTP, but many ports will be off-limits, including probably most or all ports greater than or equal to 1024. This last point especially means that issue (2) is unlikely to occur very often.
  • For DNS rebinding attacks that target servers behind firewalls, access to port 843 is not likely to be a problem, because it would be unusual for a firewall to block access to any ports on servers inside the firewall.
  • For issue (1) above, anyone wishing to circumvent a socket meta-policy (which is itself probably somewhat unusual) is unlikely to find it attractive that their only available vectors are users behind restrictive outbound firewalls.

Why action is needed

There are two reasons to serve a socket policy file (probably a socket master policy file from port 843) on your host:
  • If you maintain any SWF files that make socket connections to your host, and they currently connect without a socket policy file (because they are connecting to their own domain, or because they rely on an HTTP policy file), such SWF files are not able to connect for users with a Phase 1.5 version of Flash Player (9,0,124,0 or later).
  • Whether or not your host deliberately serves socket policy files, or even any Flash Player compatible content at all, malicious parties may attempt to make unauthorized socket-level connections to your host using a DNS rebinding attack. Opting into the strict socket rules by serving a socket master policy file helps ensure that users of Phase 1 versions of Flash Player cannot be used as vectors for such an attack.
The workflow for configuring socket policy files takes you through the steps necessary to serve a master socket policy file from your host.

Workflows


The following procedures should help you quickly address any issues relating to the policy file changes in Flash Player 9,0,115,0, Flash Player 9,0,124,0, or Flash Player 10.0. Adobe recommends using these sections as a reference after reading the corresponding introductory sections earlier in this article.

Using logging

Flash Player 9,0,115,0 introduces policy file logging, a new feature. The policy file log shows messages for every event relating to policy files—attempts to retrieve them, successes and failures in processing them, the fates of the requests that depend on them. A complete reference to the messages you will find in the policy file log can be found in Appendix B.
To use the policy file log:
  1. Install a Debug version of Flash Player 9,0,115,0 or later. You can use any type of Flash Player: ActiveX, Plug-In, or Standalone. You can get the Debug version of Flash Player from the Flash Player Support Center's Downloads page.
  2. Find the location of your mm.cfg configuration file. This is a general debugging configuration file that Debug versions of Flash Player read on startup. mm.cfg is located in your "home" directory; here are some typical examples:Windows: C:\Documents and Settings\username
    Windows Vista: C:\Users\username
    Macintosh: /Users/username
    Linux: /home/username
  3. Create mm.cfg if it does not exist, then add one or both of the following lines to it:

PolicyFileLog=1 # Enables policy file logging PolicyFileLogAppend=1 # Optional; do not clear log at startup

If PolicyFileLogAppend is not enabled, each new root-level SWF will clear the log file. If PolicyFileLogAppend is enabled, the previous contents of the log file will always be kept, and the log file will grow at the end.
If many different root-level SWF files are loaded during your testing, you will probably want to enable PolicyFileLogAppend. However, if you enable PolicyFileLogAppend, you will probably need to manually rename or delete the log file from time to time, since otherwise it will grow enormous, and it will be difficult to determine where previous output ends and new output begins.
  1. Find the location where policyfiles.txt, the policy file log, will be written. It will not necessarily exist yet; Flash Player will create it the next time a SWF file is run. You can find policyfiles.txt in the following locations:Windows: C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\Logs
    Windows Vista: C:\Users\username\AppData\Roaming\Macromedia\Flash Player\Logs
    Macintosh: /Users/username/Library/Preferences/Macromedia/Flash Player/Logs (it is unconventional for a program to write log files to the Preferences directory, but that is in fact the case)
    Linux: /home/username/.macromedia/Flash_Player/Logs
  2. Run any SWF file in Flash Player, then close Flash Player.
  3. You should now see policyfiles.txt in the Logs directory. Verify that it has a recent modification time. Open it and verify that at least one message appears ("Root-level SWF loaded"). If so, policy file logging is working.
  4. Visit whatever SWF content you need to test. Run the content through any scenarios that will cause it to encounter policy files. Close Flash Player when you are done.
  5. Read policyfiles.txt for information about what occurred with policy files during your test run. If you see messages that aren't clear, see Appendix B.
  6. If you find useful information in policyfiles.txt that you need to keep for future reference, rename the log file to something other than policyfiles.txt, or move it to another directory, so that Flash Player will not overwrite the log when it next runs.

Finding and fixing immediate issues

As described in the section on immediate strictness, a few of the changes in Flash Player 9,0,115,0 will affect SWF content immediately, possibly causing undesired behavior in a small percentage of SWF files. If you maintain SWF content, then as soon as possible, you should do the following:
  1. Install a Debug version of Flash Player 9,0,115,0 or later. You should use a browser-based version of Flash Player, to simulate your production environment. You can use the ActiveX player or a Plug-In player; either should produce identical results. You can get the Debug version of Flash Player from the Flash Player Support Center's Downloads page.
  2. For your testing, try to use a browser that is recent enough to support HTTP response headers for Flash Player, as this will provide a more complete test of immediate issues. See Appendix A for details on which browsers meet this requirement.
  3. Enable policy file logging as shown above.
  4. Test your SWF content. Try to exercise as much of your content as you can.
  5. After you have tested your content, close Flash Player and examine your policy file log. Look for messages in the policy file log that include the label [strict]. This label is an indication of a potential immediate issue.
  6. Make a note of any aspect of your content that does not work as you expect it to—such cases may indicate problems that you will need to debug. You should try to correlate such cases with the contents of the policy file log, and you should try to verify that such cases really do behave differently in Flash Player 9,0,115,0, by retesting these cases with an older version of Flash Player. Any cases that do not behave differently between older and newer versions of Flash Player are not issues related to policy file strictness.If you need to uninstall Flash Player to downgrade to an older version, use the Flash Player Uninstaller. Due to security features in the ActiveX control, you will need to run the uninstaller using the "/clean" command:
    uninstall_flash_player.exe /clean
    To obtain an earlier version of Flash Player to test with, visit this TechNote: Archived Flash players available for testing purposes.
  7. Classify any [strict] messages that you find in your policy file log. These messages can include:
    • Ignoring policy file at (URL) due to incorrect syntax. A malformed policy file is being ignored, possibly causing cross-domain access to be denied. See this log message explanation and the section on malformed policy files.
    • Policy file requested from (URL) redirected to (URL); will use final URL in determining scope. A policy file redirect may be changing the scope of a policy file, possibly causing cross-domain access to be denied. See this log message explanation and the section on within-domain redirects.
    • Ignoring policy file at (URL) due to bad Content-Type '(content-type)'. An HTTP policy file has been received without a required textual Content-Type declared by the server, and will be ignored, possibly causing cross-domain access to be denied. See this log message explanation and the section on the Content-Type whitelist.
    • Ignoring policy file at (URL) due to missing Content-Type. An HTTP policy file has been received without a required textual Content-Type declared by the server, and will be ignored, possibly causing cross-domain access to be denied. See this log message explanation and the section on the Content-Type whitelist.
    • Local socket connection forbidden to host (host) without a socket policy file. SWF content attempted to connect to a socket that is apparently on the local host, but did not refer to the host as localhost. Strict socket rules are being applied immediately, and access is denied. See this log message explanation and the section on immediately strict sockets.

Configuring URL meta-policies

As described in the section on meta-policies, there are two reasons you should choose and declare a meta-policy on an HTTP, HTTPS, or FTP server:
  • If your server serves any policy files, and you do not declare a meta-policy permitting those policy files, then they will stop working for users who install a Phase 2 version of Flash Player (Flash Player 10.0 or later). Configuring a meta-policy ensures that policy files from your server will smoothly transition for users of Phase 2 versions of Flash Player.
  • Whether or not your server deliberately serves policy files, or even any Flash Player compatible content at all, anyone with the ability to create text files on your server can create a policy file, which may then be used to obtain data that is private to your server, your users, or both. Declaring a meta-policy helps ensure that the default meta-policy of all is not applied for users of Phase 1 versions of Flash Player.
If you are operating a site on a server that you do not administer, be sure to read the section on considerations for users of hosted services.
To configure a meta-policy on a server that you control:
  1. Familiarize yourself with the basics of meta-policies.
  2. Read the list of available meta-policies. Decide which is most appropriate for your server. Some guidelines for HTTP and HTTPS servers (FTP servers are analogous, but slightly different in the details):
    • If you do not expect your server to serve any policy files, choose a meta-policy of none.
    • If your server serves user-defined content, choose a meta-policy strategy that makes it impossible for users to create policy files. This basically means not choosing all, and if you choose by-content-type, this helps ensure that the criteria for assigning a Content-Type of text/x-cross-domain-policy are impossible for user-defined content to satisfy.
    • If you want it to be easy for anyone with upload privileges to your server to be able to create a policy file, choose a meta-policy of all.
    • If you want only a single, master policy file on your server, choose a meta-policy of master-only, and help ensure that only trusted personnel can alter the contents of the master policy file at /crossdomain.xml.
    • If you want to permit non-master policy files at individually approved locations, choose a meta-policy of by-content-type, and assign a Content-Type of text/x-cross-domain-policy for individually specified locations. Here is an example of an Apache configuration snippet to achieve this:

<Location /crossdomain.xml> ForceType text/x-cross-domain-policy </Location> <Location /another/place/crossdomain.xml> ForceType text/x-cross-domain-policy </Location>

  • If you want to permit non-master policy files at a predetermined set of locations, for example any file with the name crossdomain.xml, choose a meta-policy of by-content-type, and assign a Content-Type of text/x-cross-domain-policy for any location that meets your criteria. Here is an example of an Apache configuration snippet to achieve this:

<Files crossdomain.xml> ForceType text/x-cross-domain-policy </Files>

  • If your server hosts scripts that you do not want to permit to generate policy files, add the special meta-policy none-this-response to the output of any such scripts. Here is an example of an Apache configuration snippet to achieve this:

<Location /cgi-bin> Header set X-Permitted-Cross-Domain-Policies none-this-response </Location>

  1. Decide whether you will declare your meta-policy using the master policy file or an HTTP response header. (FTP servers must use the master policy file.) Read the section on how to specify meta-policies for advantages and disadvantages of each mechanism.
    1. If you are declaring your meta-policy in the master policy file, write a <site-control> tag into the master policy file at /crossdomain.xml. Here is an example:

<cross-domain-policy> <site-control permitted-cross-domain-policies="by-content-type"/> </cross-domain-policy>

  1. If you are declaring your meta-policy in an HTTP response header, configure your server to return the appropriate X-Permitted-Cross-Domain-Policies header. Here is an example of an Apache configuration snippet to achieve this:

<Location /> Header set X-Permitted-Cross-Domain-Policies master-only </Location>

Special considerations for users of hosted services

If you operate a site on a hosted service, or a server that you otherwise don't entirely control, and you serve policy files:
  • If anything stops working with Flash Player 9,0,115,0, follow the workflow for immediate issues. You should be able to correct most problems you find without your server administrator having to do anything.
  • Now that Flash Player 10.0 has been released, if you use non-master policy files, you will need to establish a meta-policy—or else your non-master policy files will not work for users of Flash Player 10.0 and later. You will probably need your server administrator to adopt a service-wide change that will solve the problem for you and any other customers of the service. It may help to contact your service provider and point them at this article so they can consider making changes.
  • If you want to establish a meta-policy sooner (for example, in order to defend your site against rogue policy files), or if your service provider has not made any service-wide fixes, you can fix the problem yourself if you have access to the root directory of your site. Follow the workflow for configuring an URL meta-policy. Your options will probably be limited, since you probably won't be able to affect HTTP response headers. Reasonable options are:
Use the following if you only want to use a single policy file on your site:

<site-control permitted-cross-domain-policies="master-only"/>

Use the following if you don't want any restrictions on the creation of policy files on your site:

<site-control permitted-cross-domain-policies="all"/>

Configuring socket policy files

As described in the section on socket policy files, there are two reasons you may want to serve a socket master policy file from port 843 on your host:
  • If you maintain any SWF files that make socket connections to your host, and they currently connect without a socket policy file (because they are connecting to their own domain, or because they rely on an HTTP policy file), such SWF files cannot connect for users who install a Phase 1.5 version of Flash Player (9,0,124,0 or later). Serving a socket master policy file helps ensure that socket connections to your host will smoothly transition for users of Phase 1.5 versions of Flash Player. (If you are not sure whether certain SWF content makes socket connections to your host without a socket policy file, test your content while using the policy file log, and look for warnings about deprecated socket configurations.)
  • Whether or not your host deliberately serves socket policy files, or even any Flash Player compatible content at all, malicious parties may attempt to make unauthorized socket-level connections to your host using a DNS rebinding attack. Opting into the strict socket rules by serving a socket master policy file helps ensure that users of Phase 1 versions of Flash Player cannot be used as vectors for such an attack.
Serving a socket master policy file is not the only way to address these issues, but it is the easiest and most consistent way to address them. If you find for some reason that serving a master socket policy file from port 843 is impractical, you can address these issues on a port-by-port basis, serving non-master socket policy files from individual ports. But a socket master policy file should address an entire host at once.
To serve a socket master policy file:
  1. Review the list of available socket meta-policies, and decide what socket meta-policy is appropriate for your host.
  2. Write a socket master policy file, declaring your desired socket meta-policy and any permissions that you wish to grant. Here is an example:

<cross-domain-policy> <site-control permitted-cross-domain-policies="master-only"/> <allow-access-from domain="mysite.com" to-ports="999,8080-8082"/> </cross-domain-policy>

Note: Setting up a socket policy file server provides a brief background on the latest Flash Player socket functionality, as well as sample code for creating socket policy file servers in testing environments.
  1. Run the socket policy file server on your host, providing it with the socket master policy file you have written.

Appendix A: Browser dependencies


Two of the security changes introduced in Flash Player 9,0,115,0 can only be enforced when Flash Player has access to HTTP response headers. When Flash Player is running inside a browser, this is not always possible, as some browsers do not provide HTTP response headers to Flash Player.
The two features that require HTTP response header access are as follows:
  • The Content-Type whitelist: When Flash Player has access to HTTP response headers, it rejects HTTP policy files that have non-textual Content-Type values, as well as those that have no Content-Type at all. When Flash Player does not have access to HTTP response headers, it accepts HTTP policy files regardless of their Content-Type.
  • HTTP meta-policies: When Flash Player has access to HTTP response headers, it honors the HTTP meta-policies declared in master HTTP policy files and X-Permitted-Cross-Domain-Policies response headers. When Flash Player does not have access to HTTP response headers, all HTTP servers are assumed to have a meta-policy of all.
Table 1 shows the browsers that Adobe has tested for HTTP response headers.
Table 1. Browsers tested for HTTP response headers
Browser Versions that do not provide headers Versions that provide headers
Internet Explorer (Windows) 5.5 and later
Mozilla Firefox 2.0.0.3 and earlier 2.0.0.4 and later
Safari (Macintosh) 2.x and earlier 3.x and later

Appendix B: Log message reference


This section lists messages that you may find in the policy file log, crossdomain.xml. As detailed in the section on logging, some of these messages are prefixed with the designation [strict], meaning that they indicate immediate issues in Phase 1, rather than warnings of impending issues for Phase 2. See the section on immediate issues.

SWF loading



Root-level SWF loaded: (URL).

A top-level SWF file from the indicated URL has been loaded. This is usually the first message in the log, and if you have enabled append-mode logging, you may see it more than once. This message helps you put later messages in context, knowing which SWF file began the Flash Player session that generated the log.

Requests that depend on policy files



Searching for <allow-access-from> in policy files to authorize data loading from resource at (URL) by requestor from (URL).

A SWF file has attempted an operation that requires data-loading permission from a policy file, and a search will now begin for such a policy file. The URLs in this message tell you where the SWF file was loaded from and what resource the SWF file requested.

Searching for <allow-http-request-headers-from> in policy files to authorize header sending to URL (URL) by requestor from (URL).

A SWF file has attempted an HTTP operation with custom request headers, which requires header-sending permission from a policy file, and a search will now begin for such a policy file. The URLs in this message tell you where the SWF file was loaded from and where the SWF file is attempting to send custom HTTP request headers.  See the article Understanding Flash Player 9 April 2008 Security Update compatibility for details regarding header-sending permissions.

Request for resource at (URL) by requestor from (URL) is permitted due to policy file at (URL).

A SWF file has attempted an operation that requires permission from a policy file, and a policy file was found that permitted the operation. The URLs in this message tell you what resource the SWF file requested, where the SWF file was loaded from, and which policy file granted the permission. Note that it is possible that multiple policy files would have permitted the operation, but only one of them is mentioned in this type of log message.

Request for resource at (URL) by requestor from (URL) has failed because the server cannot be reached.

A SWF file has attempted to make a socket connection, but the socket server is unreachable at the moment. The URLs in the message tell you what server and port the SWF file attempted to connect to, and where the SWF file was loaded from. For security reasons, In ActionScript, the SWF file will receive exactly the same error indication as if the server were reachable, but no permission had been granted for the operation; in ActionScript 3.0, this indication is a securityError event.

Request for resource at (URL) by requestor from (URL) is denied due to lack of policy file permissions.

A SWF file has attempted an operation that requires permission from a policy file, but no valid policy file was found that permitted the operation. The URLs in the message tell you what resource the SWF file requested, and where the SWF file was loaded from.
This message may occur for many reasons; it indicates a required step that failed to occur, rather than a particular problem that did occur. In some situations, there will be other, more specific messages that come before this message, and they may give you more information before this final failure message. Among the possible causes:
  • No applicable policy file exists to authorize the operation. If you control the server where the resource resides, you may need to add a policy file on that server. Otherwise, you may need to proxy the operation through the SWF file's own server.
  • An applicable policy file exists, but the server where both the policy file and the resource are located is unreachable at the moment. Try pinging the server host to see if it appears to be reachable. If the SWF file called allowDomain to load an applicable policy file, this message will generally be preceded by the message "Failed to load policy file from URL ". Note that, for a socket connection, you should see the previously listed message instead for this situation "...because the server cannot be reached" , but for any other request, you should see this message.
  • An applicable policy file exists, but it does not grant permission for access by the SWF file's particular domain. Try getting the SWF file's domain listed in an existing policy file, moving the SWF to a domain authorized by an existing policy file, adding a new policy file, or proxying the request through the SWF file's own server.
  • An applicable policy file exists, but it is in a non-default location, and the SWF file attempting the operation did not call allowDomain to inform Flash Player of the policy file's location. Try calling allowDomain from the SWF file.
  • An applicable policy file exists, but it is invalid for some reason. In this case, this message should be preceded by a more specific message that shows the policy file URL and the problem that was found; see the section on messages about failures to load policy files.

Phase 1 deprecated configurations



Domain (domain) does not specify a meta-policy. Applying default meta-policy 'all'. This configuration is deprecated.

This is a very common message that you will see any time Flash Player obtains a policy file from an HTTP, HTTPS, or FTP server that has not yet specified a meta-policy. In Phase 1, this is only a warning reminding you that this server needs to choose a meta-policy by the time a Phase 2 Flash Player Flash Player 10.0 is released, or else Flash content might stop working as intended. See the section on meta-policies.

Phase 1.5 forbidden configurations



SWF from (URL) may not connect to a socket in its own domain without a policy file.

A SWF file initiated a socket connection to its own domain, and no policy file was found to authorize the operation. Strict policy file rules require permission from a socket policy file to make any socket connection, even to a SWF file's own domain. See the section on socket policy files. The recommended action is to add a socket master policy file server on port 843.

Platform warnings



HTTP response headers not available on this platform. Strict policy file rules cannot be enforced.

Flash Player made an HTTP request, and was not able to see HTTP response headers. As detailed in the section on meta-policies, some of the new strict policy file rules require that Flash Player be able to access HTTP response headers, for example so that Content-Type and X-Permitted-Cross-Domain-Policies information from the server is known. Any meta-policy information from servers will be unavailable. For a list of precise effects, and a list of browser configurations where this behavior is expected, see the browser dependency appendix. This warning should not indicate that previously working content will stop working; rather it indicates that the new, stricter rules cannot be enforced, which may result in reduced security for servers and users. The latest versions of most popular browsers enable Flash Player to see HTTP response headers, so upgrading your browser will usually eliminate this message.

Successful policy file loading



Policy file accepted: (URL).

A policy file from the indicated URL has successfully been loaded, has passed all validity checks, and has been accepted by Flash Player. Any <allow-access-from> directives in the policy file will now take effect. This policy file might have been loaded because a SWF file explicitly requested it by calling loadPolicyFile, or it may have been located automatically by Flash Player's default policy file rules.

Warnings while loading policy files



Policy file requested from (URL) redirected to (URL); will use final URL in determining scope.

Flash Player requested an HTTP policy file, and the original request was redirected to a different location in the same domain. As detailed in the section on redirects, beginning with version 9,0,115,0, Flash Player has changed its interpretation of HTTP policy files that are obtained from URLs that are redirected within the same domain. Prior to version 9,0,115,0, Flash Player would treat redirected policy files as though they had originated from the URL that was initially requested. Since version 9,0,115,0, however, Flash Player has treated redirected policy files as though they had originated from the final, post-redirect URL. This difference may affect the scope of such a policy file—the set of resources to which it allows access. If you see this warning, check further down the log to see if all requests that depend on this policy file are in fact still succeeding. If they are not, you may need to add a non-redirected policy file at the originally requested URL. You can also put a non-redirected policy file at a different URL, which may require adding or changing loadPolicyFile calls in SWFs to use the new policy file URL. In any case, you should consider avoiding redirecting policy file requests, since they tend to make policy file debugging more difficult.

Domain (domain) does not explicitly specify a meta-policy, but Content-Type of policy file (URL) is 'text/x-cross-domain-policy'. Applying meta-policy 'by-content-type'.

Flash Player has retrieved an HTTP policy file from the indicated URL, and has looked for a meta-policy in HTTP headers and in the master policy file for this domain, but found no meta-policy. However, the policy file was returned with a Content-Type of text/x-cross-domain-policy, which is an indication that the administrator of this server has deliberately made changes to support meta-policies. Since the official Content-Type for HTTP policy files is in use in this domain, Flash Player is assuming a meta-policy of by-content-type for this domain. See the section on specifying meta-policies. It is recommended that, for clarity, this server should explicitly declare a meta-policy, rather than relying on this implicit mechanism. This can be done using a <site-control> tag in the master policy file, or using the HTTP response header X-Permitted-Cross-Domain-Policies.

Timeout on (URL) (at 3 seconds) while waiting for socket policy file.

Flash Player requested a socket policy file by default either from port 843 or from the same port as a connection attempt , and the socket policy file request resulted neither in success nor in a detectable failure; the server that Flash Player was attempting to contact did not respond within 3 seconds. This might be due to a server not expecting to receive policy file requests, or due to network problems between client and server. When Flash Player requests socket policy files by default, it waits only 3 seconds for a response, in order to avoid tying up server resources or delaying client-side notifications of problems; see the section on socket policy files. This warning usually means one of two things: first, that you need to set up a socket policy file server on port 843, which is the first location that Flash Player checks by default; or second, that you need to provide more explicit guidance to Flash Player from ActionScript by calling loadPolicyFile to indicate the location of a socket policy file. When you call loadPolicyFile rather than allowing Flash Player to check locations by default, Flash Player will wait as long as necessary for a response from a socket policy file server, rather than timing out after 3 seconds. This may help your application's reliability in marginal network conditions. It can thus be helpful to call loadPolicyFile even for a default socket policy file location—simply to request that Flash Player wait patiently for the socket policy file server to respond.

Failures to load policy files



Failed to load policy file from (URL).

Flash Player attempted to retrieve a policy file from the indicated URL, and encountered an error. This might be because of network problems, because a server is not running at this location, or because a server is running but did not recognize the location requested (e.g., HTTP 404 error). This message appears as an error for locations that were passed to loadPolicyFile, as a warning for HTTP/HTTPS/FTP locations that Flash Player has requested by default, and not at all for socket policy file locations that Flash Player has requested by default.

Ignoring policy file at (URL) due to incorrect syntax.

Flash Player retrieved a policy file from the indicated URL, but found that the policy file contained invalid syntax. The policy file has been ignored and will not authorize any operations. See the section on malformed policy files for an explanation of why proper syntax is enforced, and what common kinds of incorrect syntax can result in this error. You (or whoever maintains this policy file) should fix the incorrect syntax as soon as possible. This rule has been enforced since even before Phase 1—starting with Flash Player version 9,0,47,0.

Ignoring policy file at (URL) due to bad Content-Type '(content-type)'.

Flash Player retrieved an HTTP policy file from the indicated URL, but found that the HTTP Content-Type of the policy file was not consistent with normal policy files. To help protect this server, this policy file has been ignored and will not authorize any operations. See the section on the Content-Type whitelist for details. You (or whoever maintains this policy file) should change the unsuitable Content-Type as soon as possible.

Ignoring policy file at (URL) due to missing Content-Type.

Similar to the above error, but Flash Player found no Content-Type at all.

Ignoring policy file requested from (URL) because a cross-domain redirect to (URL) occurred.

Flash Player attempted to retrieve a policy file from the first URL indicated, but was redirected to the second URL indicated, which is in a different domain. This is forbidden, and always has been. This policy file has been ignored and will not authorize any operations.

Ignoring policy file at (URL) due to meta-policy '(meta-policy)'.

Flash Player retrieved a policy file from the indicated URL, but also found the indicated meta-policy on that policy file's server, either in a <site-control> tag in the master policy file, or in an X-Permitted-Cross-Domain-Policies HTTP header. The indicated meta-policy expressly forbids this file from being valid as a policy file, so this policy file has been ignored and will not authorize any operations. This message by itself does not necessarily indicate a problem, but if you intended for this policy file to be valid, you may need to change its Content-Type or its FTP filename, or you may need to change the meta-policy.

Ignoring policy file at (URL) due to X-Permitted-Cross-Domain-Policies: none-this-response.

Flash Player retrieved an HTTP policy file from the indicated URL, but also found the HTTP response header X-Permitted-Cross-Domain-Policies: none-this-response, which is an indication from the server that this HTTP response is not permitted to be used as a policy file. This is usually used to prevent server scripts from generating policy files; see the section on socket meta-policies. This policy file has been ignored and will not authorize any operations. If you control this server, and you need this policy file to authorize operations, you may need to change your server configuration to avoid generating a none-this-response header.

Ignoring socket policy file at (URL) because it is too large. Socket policy files may not exceed 20 kilobytes.

Flash Player began the process of retrieving a socket policy file from the indicated location, but aborted the download because too much data was received. This policy file has been ignored and will not authorize any operations. This is to help protect the server; Flash Player does not expect policy files to be large, and aborts large policy file downloads to avoid loading the server in what seems to be an error situation. If this is a valid socket policy file, try reducing its size so that it is smaller than 20K.

Meta-policy misconfigurations



Unrecognized meta-policy in HTTP header from (URL): (meta-policy).

An invalid meta-policy was specified in an X-Permitted-Cross-Domain-Policies HTTP header from the indicated URL. It has been ignored. This is a misconfiguration that should be corrected on the server. See the section on meta-policies.

Unrecognized meta-policy in policy file from (URL): (meta-policy).

An invalid meta-policy was specified in a <site-control> tag in a master policy file at the indicated URL. The meta-policy has been ignored, but the policy file itself has not necessarily been ignored (there should be a further error message if it is). You (or whoever controls the content of this policy file) should correct the <site-control> tag so that it contains a valid meta-policy name. See the section on meta-policies.

Conflicting meta-policy in HTTP header from (URL): (meta-policy).

Multiple conflicting meta-policies were found in one or more X-Permitted-Cross-Domain-Policies HTTP header from the indicated URL. The entire meta-policy string is shown, as received from the server. If multiple X-Permitted-Cross-Domain-Policies headers were provided, they have been coalesced here into a single header with semicolon-separated values, as is normal for HTTP headers. Flash Player has applied the most restrictive meta-policy that was found in this string. This is a misconfiguration that should be corrected on the server. It is generally not legal to provide multiple meta-policies in HTTP response headers; the only exception is none-this-response, which may be combined with any other meta-policy, but only affects the individual HTTP response where it is found. See the section on meta-policies.

Meta-policy (meta-policy) in HTTP header from (URL) conflicts with previously established meta-policy (meta-policy).

Flash Player found an inconsistent declaration of meta-policy from the server of the indicated URL. Flash Player has applied the most restrictive meta-policy that was found from this server, but if a less restrictive meta-policy was found first, the less restrictive meta-policy may have been in effect for some time until the conflict was found later. This is a misconfiguration that should be corrected on the server. See the section on meta-policies.

Meta-policy (meta-policy) in policy file from (URL) conflicts with previously established meta-policy (meta-policy).

Similar to the above error, but the conflicting meta-policy file was discovered in a <site-control> tag rather than an HTTP header.

Ignoring <site-control> tag in policy file from (URL). This tag is only allowed in master policy files.

Flash Player found a <site-control> tag in a policy file, from the indicated URL, that was not a master policy file. The <site-control> tag has been ignored, but the policy file itself has not necessarily been ignored (there should be a further error message if it is). The <site-control> tag is only legal in master policy files (/crossdomain.xml on an HTTP/HTTPS/FTP server, or a socket policy file from port 843). You (or whoever controls this server) should remove the <site-control> tag from this policy file, and make sure that this server declares a valid meta-policy by some other means (a master policy file or an HTTP response header). See the section on meta-policies.

Ignoring <site-control> tag in policy file from (URL). The 'by-content-type' meta-policy is only applicable to HTTP sites.

Flash Player found a <site-control> tag in a master policy file from the indicated URL, specifying the meta-policy by-content-type in a policy file that was not from an HTTP or HTTPS server. The <site-control> tag has been ignored, but the policy file itself has not necessarily been ignored (there should be a further error message if it is). The by-content-type meta-policy is only valid for HTTP and HTTPS servers, since it relies on Content-Type headers, which are not available from FTP servers or socket servers. You (or whoever controls this server) should choose a valid meta-policy for this server. See the section on meta-policies.

HTTP header from (URL) specifies meta-policy 'by-ftp-filename', which is only applicable to FTP, not HTTP.

Flash Player found an X-Permitted-Cross-Domain-Policies HTTP response header while retrieving a policy file from the indicated URL, specifying the meta-policy by-ftp-filename. The X-Permitted-Cross-Domain-Policies header has been ignored, but any policy file at this URL has not necessarily been ignored (there should be a further error message if it is). The by-ftp-filename meta-policy is only valid for FTP servers. You (or whoever controls this server) should choose a valid meta-policy for this server. See the section on meta-policies.

Ignoring <site-control> tag in policy file from (URL). The 'by-ftp-filename' meta-policy is only applicable to FTP sites.

Similar to the above error, but the invalid meta-policy was discovered in a <site-control> tag rather than an HTTP header.

Ignoring <site-control> tag in policy file from (URL). The 'none-this-response' meta-policy is only allowed in the X-Permitted-Cross-Domain-Policies HTTP response header.

Flash Player found a <site-control> tag in a master policy file from the indicated URL, specifying the meta-policy none-this-response in a policy file. The <site-control> tag has been ignored, but the policy file itself has not necessarily been ignored (there should be a further error message if it is). The none-this-response meta-policy is only valid in the X-Permitted-Cross-Domain-Policies HTTP response header; it is only intended as a mechanism by which HTTP servers can prevent server scripts from generating policy files. You (or whoever controls this server) should choose a valid meta-policy for this server. See the section on meta-policies.

Policy file at (URL) invalidates its own <allow-access-from> directives by declaring the meta-policy 'none'.

Flash Player found a <site-control> tag in a master policy file from the indicated URL, specifying the meta-policy none, but also found <allow-access-from> directives in the same policy file. The declared meta-policy none should be enforced for this server; it means that no policy files are permitted on this server, including the master policy file itself. The master policy file is permitted to exist only to declare the meta-policy. Since the master policy file contains <allow-access-from> directives, they will be ignored. You or whoever controls this server should remove the <allow-access-from> directives from this policy file. See the section on meta-policies.

Policy file misconfigurations



Ignoring 'secure' attribute in policy file from (URL). The 'secure' attribute is only permitted in HTTPS and socket policy files.

Flash Player found a policy file, from the indicated URL, that contained one or more <allow-access-from> directives that specified the attribute secure="true" or secure="false", but this is neither an HTTPS policy file nor a socket policy file. The secure attribute has been ignored, but the <allow-access-from> directive is not necessarily being ignored (there will be a further error message if it is). The secure attribute, which instructs Flash Player whether to require strong authentication (i.e., HTTPS URLs only) of the domain named in an <allow-access-from> directive, is only legal in HTTPS policy files and socket policy files. This rule has been enforced since policy files were first introduced. This is because the policy file itself is not being transmitted over a tamper-resistant protocol, so a man-in-the-middle attacker could replace a secure="true" declaration with secure="false", which would then allow a non-HTTPS SWF file to retrieve data from this domain, contrary to the policy expressed in this policy file. You (or whoever controls this server) should remove the secure attribute from this policy file.

Found secure='true' in policy file from (URL), but host (host) does not appear to refer to the local machine. This may be insecure.

Flash Player found a socket policy file, from the indicated URL, that contained one or more <allow-access-from> directives that specified the attribute secure="true" or secure="false", but the socket policy file does not appear to have come from the local machine. The secure attribute should be enforced as specified, but if this socket policy file did in fact come from somewhere other than the local machine, you may have an insecure configuration. The secure attribute, which instructs Flash Player whether to require strong authentication i.e., HTTPS URLs only of the domain named in an <allow-access-from> directive, is effective in socket policy files served from the local machine, because there is no network transmission in which a man-in-the-middle attacker could substitute a different policy file. However, if a socket policy file is served from a remote host, specifying secure="true" may provide a false sense of security, because the socket policy file is transmitted in a way that may be vulnerable to man-in-the-middle attacks. Flash Player does not yet provide a way to retrieve a socket policy file over a secure channel. See the section on socket policy files.

Policy file parsing errors



Ignoring invalid <allow-access-from> tag for domain '(domain)' in policy file at (URL).

Flash Player found a policy file from the indicated URL, containing the indicated string as a value for the domain attribute in an <allow-access-from> directive. This string was not recognized as a valid domain. This particular <allow-access-from> directive will be ignored, although other directives in the same policy file may be valid and accepted. You (or whoever controls this policy file) should try to fix the invalid domain.

Ignoring illegal port number specification '(port-string)' in policy file at (URL).

Flash Player found a policy file from the indicated URL, containing the indicated string as a value for the to-ports attribute in an <allow-access-from> directive. This string was not recognized as a valid port range. Port ranges may include the wildcard *, individual port numbers, port ranges separated by dashes, or comma-separated lists of individual numbers and/or ranges. This particular <allow-access-from> directive will be ignored, although other directives in the same policy file may be valid and accepted. You (or whoever controls this policy file) should try to fix the invalid port range.



  • Technology
Facebook, iPhone, Twitter and Wii. Technology evolves at the speed of light. NBCNews.com's tech reporters look at the gadgets, games and innovations changing our world.
4 hrs.

Facebook ignores 'minimal' user vote, adopts new privacy policy

Facebook
Facebook
Facebook Site Governance logo
As we reported Monday, Facebook users' seven-day voting period on the new privacy policy came to an end with far less than the 30 percent required to sway Facebook's opinion. Yes, 668,872 people voted, and of those, 589,141 said they were opposed to the new documents. But Facebook confirmed today in a blog post that it had "decided to adopt the proposed updates" to the Statement of Rights and Responsibilities (SRR) and Data Use Policy.
There was, however, a silver lining for the Facebook activists who spelled out their beefs in comments. Facebook says it amended the documents based on user feedback. "For example, we added new language to clarify our proposed updates on sharing information with our affiliates and our privacy controls," wrote Elliot Schrage, VP of communications, public policy and marketing for Facebook. (You can see more of the changes made by Facebook following user comments here.)
"While participation in the vote was minimal, this experience illustrated the clear value of our notice and comment process," Shrage wrote.
If you've been following along, this means that Facebook will definitely discontinue votes of this kind, though presumably it will keep asking for feedback in the form of likes and comments.
The whole process was a stark reminder of how huge Facebook is, not to mention how ineffective the 30 percent vote policy was from the start. As Shrage wrote:
We made substantial efforts to inform our users and encourage them to vote, both through emails and their news feeds. Despite these efforts and widespread media coverage, less than one percent of our user community of more than one billion participated. As stated in both policies, the results are advisory unless more than 30 percent of users vote.
Now that the policy is going into effect, it's high time you read it over. Right here is Facebook's full text of the Statement of Rights and Responsibilities, and here is its full data use policy.
If you don't have a magnifying glass and a lawyer handy, start with this brief explanation, from our very own Helen Popkin:
The new policy will allow Facebook to obtain data about you "from our affiliates or our advertising partners" (with whom you've already shared your personal info, such as websites, memberships, etc.), to "improve the quality of ads."
Plenty of sites already do this, matching your info (which you've provided, technically of your own free will) to show you ads your most likely to respond to, and to report to those ad partners how you did respond.
Among other concerns are those outlined by the Electronic Privacy Information Center not-for-profit group, which focuses on emerging privacy issues: less control over the kinds of messages users let Facebook send via @facebook.com email, potentially leading to increased spam; sharing of user data with "affiliates" such as the Facebook-owned Instagram; and the removal of the user voting policy, despite the fact that it was impossible for users to reach the high bar.
"Although Facebook’s existing voting mechanism set an unreasonably high participation threshold, scrapping the mechanism altogether raises questions about Facebook’s willingness to take seriously the participation of Facebook users," wrote EPIC, in an open letter to Facebook CEO Mark Zuckerberg.
As always, it's important to try and grasp as much of this stuff as possible, but it's also vital that you take care what you post on any social network. And if you don't like it, the best way to show that is to not use it.
This episode's final question, which we have put to Facebook, is if they'll do away with the ballot-inspired governance logo (seen above), now that user balloting will no longer be part of the site's governance.
Wilson Rothman is the Technology & Science editor at NBC News Digital. Catch up with him on Twitter at @wjrothman, and join our conversation on Facebook.

No comments:

Post a Comment