crossdomain.xml and clientaccesspolicy.xml

Community Platform API
Post Limit:
Will there be appropriate crossdomain.xml or clientaccesspolicy.xml files set up that will allow Flash and Silverlight applications to easily access the new API?

For those who don't know Flash/Silverlight apps can only access content on different domains then where the app is hosted if the sites has one of these two files with the correct settings in it. It is done for privacy and security reasons.
I would like to know this as well. I've created an Auction House flash app for our guild's website. Everything works amazingly when running locally on my machine using the debug flash environment, but once I upload it to the web server, I receive a security error #2048.

What is the situation with the crossdomain policy?
Anyone know anything of this? Has anyone else had any issues with ActionScript 3 and security?
It's a flash security error. Flash is trying to connect from his domain to the blizzard API (different domain). Blizzard doesn't have crossdomain files setup (to allow it) so flash throws that error.
Also would like to see this implemented - I am unable to connect to any of the RESTful services via Silverlight - and receive security errors.
bump? any planned access from Flash or Silverlight? Your server doesn't have a cross domain policy and frameworks like Flash and Silverlight honor the policy file on the cross domain server it is trying to acess
I would love to see this implemented too.

However there is a work around this issue that I did for my Silverlight library ( ).
The workaround works as follows:

- I put a handler on the web server hosting the Silverlight application which performs the calls to site and returns the results.
- My Silverlight library would call the handler rather than calling directly. Since the handler is hosted on the origin site, there will be no security exception thrown from Silverlight (same would apply in case you use Flash).

This workaround has drawbacks though
- This puts unnecessary strain on the webserver
- It limits the maximum requests you can make. Since all requests to are made from a single IP address (the webserver's IP address) rather than from the Silverlight (or flash) clients browsers IP addresses.
- Others may exploit your handler to make requests for their own applications, unless you take some measures to prevent it. They can flood servers throw your web server, and Blizzard will ban you.
- It prevents you from hosting your application on a webserver that serves only static files.
- If your web application is running with low privelges, the web server administrator may put a security policy preventing your web application from making HTTP calls to This can be the case in a shared hosting environment where you don't have control on the webserver.

So it would really help if Blizzard supports crossdomain.xml and clientaccesspolicy.xml since the workarounds (even though they work) are really ugly.

Bump. Can we get a quick blue post? I need to know whether I need to scrap the flash and move to something else or if it will be supported soon.
We are currently looking into this - no ETA as of right now but we'll post an update once we know more.
have you try use php get teh data then have it expolde in the php file then load that with FL?
i dont know if that would work i never really got in to FL
Ah its been a year was someone going to post an update?
Note: If you're sending requests to the armory directly from the client, your users will be able to get at your API keys/secrets.

Join the Conversation