flash9/10的安全策略之content-type

Flash Player 9安全策略更新

最新推荐文章于 2025-06-19 14:30:30 发布

转载最新推荐文章于 2025-06-19 14:30:30 发布 · 100 阅读

自Flash Player 9.0.115.0版本起，新增安全策略要求跨域策略文件crossdomain.xml的HTTP头必须包含Content-Type，并且其类型需为text/*、application/xml或application/xhtml+xml之一，以确保文件内容为文本格式。

flash9/10添加了新的安全策略.

请求的crossdomain.xml返回的http header必须包换content-type，而且必须是text/(任何文本格式)

如果不是这样的话，crossdomain.xml就算存在，也会被无视.

搞了一天才找出来，倒塌...

详情：http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_02.html#_Content-Type_Whitelist

引用：

Content-type whitelist

Starting in version 9,0,115,0, Flash Player will ignore any HTTP policy file that is not sent with a Content-Type value that gives some assurance that the file is intended to be a text file. Flash Player requires that a policy file's Content-Type must be one of the following:

text/* (any text type)
application/xml or application/xhtml+xml

Content-Type values are determined from the response headers provided by HTTP servers. Servers may choose a Content-Type based on a file's name, extension, location, contents, or the instructions of a server script generating the file. If you need to change the Content-Type associated with a policy file, you may need to reconfigure a registry mapping filename extensions to Content-Type values, or edit a general server configuration file. Consult the documentation for your HTTP server.