
Flash security model

Flash® interacts with remote services to establish security according to the restrictions defined in the Flash policy file.

If a socket-based connection is to be used, for example a Diffusion™ DPT type connection, the Flash player tries to get a policy file from the same host that you are trying to connect to, but on port 843. If this port is not open through your firewalls or is not configured within the Diffusion connectors, the Flash player waits 2 seconds before requesting a policy file from the same port that you are trying to connect to. If the policy file request is not responded to correctly or the policy file has restricted the connection, the Flash player generates a security exception and the connection attempt stops.

If an HTTP connection is to be used, for example a Diffusion HTTP type connection, a socket-based policy file is not required, but a crossdomain.xml file might be required before the Diffusion connection is made.

Official Adobe documentation is available at the following location: Cross-domain policy file specification.

Note: Ensure that none of the other services on the same system as your Diffusion server use port 843. If they do, the Flash policy connector is unable to bind to the port and cannot serve the required policy file.

FlashPolicy.xml file

When is the FlashPolicy.xml used?

When a Diffusion DPT connection is used, a socket connection is made. Before the socket connection can be established, a socket policy file must be acquired from port 843 or from the port that the Diffusion client is trying to connect to.

Again, this is part of the cross-domain schema, but this time the to-ports attribute on the allow-access-from element is particularly important.

FlashMasterPolicy.xml file

Use of the FlashMasterPolicy file

FlashMasterPolicy is used for requests on port 843. It is a normal crossdomain.xml file with one extra element:
<site-control permitted-cross-domain-policies="master-only" />
The site-control element here specifies that only this master policy file is considered valid on this domain.
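
The following is an added example, not part of the Diffusion documentation: a short Python audit that reads a socket policy file and reports wildcard domain and to-ports values and a missing master-only site-control element. Both sample policies, the example.com domain and port 8080 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; the domain name and port 8080 are assumptions.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>"""

RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*.example.com" to-ports="8080" />
</cross-domain-policy>"""


def audit_policy(xml_text, expect_master=True):
    """Return a list of findings for a Flash socket policy file."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not cross-domain-policy"]

    # A master policy (served on port 843) should carry site-control.
    site = root.find("site-control")
    mode = site.get("permitted-cross-domain-policies") if site is not None else None
    if expect_master and mode != "master-only":
        findings.append("site-control is not master-only (found %r)" % mode)

    rules = root.findall("allow-access-from")
    if not rules:
        findings.append("no allow-access-from element: policy grants no access")
    for rule in rules:
        domain = rule.get("domain", "")
        ports = rule.get("to-ports")
        if domain == "*":
            findings.append("domain='*' lets content from any origin connect")
        if ports is None:
            findings.append("to-ports missing on rule for %r" % domain)
        elif "*" in ports:
            findings.append("to-ports='*' exposes every port to %r" % domain)
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, audit_policy(text) or "no findings")
```

Pass expect_master=False when auditing a policy that is served from the connection port rather than from port 843.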