Home/ Questions/Q 8340255
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T05:07:48+00:00

We are uploading files from an HTTP uri scheme to our S3. This means,

  • 0

We are uploading files from an HTTP uri scheme to our S3. This means, our uploader script is in our server. We sign the forms accordingly with S3. Our crossdomain.xml file looks like:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

Should I have secure="false" in allow-access-from? For example:

<allow-access-from domain="*" secure="false" />

What are the implications of having secure="false"? I’ve read this and this, but don’t quite understand it properly.

Second, should domain=* be an actual domain? i.e. our domain name? So http://foobar.com and http://www.foobar.com?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    if you have secure="true" only requests from HTTPS will be allowed, secure="false" mean requests from both HTTP and HTTPS are allowed.

    EDIT: it only applies if you are running HTTPS website. E.g. if http://website1.com requests for a resource from website https://website2.com, which has a secure="true" in the crossdomain.XML, then the resource will be denied. However if website 2 is running on HTTP and not HTTPS, then it doesn’t matter and both HTTP and HTTPS will be permitted, no matter what the secure setting in crossdomain.xml says.

    http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html#allow-access-from-secure

    • 0