Views for serving cross-domain policies
Included in django-flashpolicies are several views for generating and
serving Flash cross-domain policies. Most sites will need no more than
the allow_domains() policy-serving view.

Some of the other views here support more advanced use cases, but note
that not all valid policy file options have direct support in these
views. The Policy class does support all valid options, however, so
instantiating a Policy, setting the desired options, and passing it to
the serve() view will allow use of any options policy files can support.

flashpolicies.views.serve(request, policy)
Given a Policy instance, serializes it to UTF-8 and serves it.

Internally, this is used by all other included views as the mechanism which actually serves the policy file.

Parameters:
- request (django.http.HttpRequest) – The incoming HTTP request.
- policy (flashpolicies.policies.Policy) – The policy to serve.
Return type:

flashpolicies.views.allow_domains(request, domains)
Serves a cross-domain access policy allowing a list of domains.

Note that if this is returned from the URL /crossdomain.xml on a domain, it will act as a master policy and will not permit other policies to exist on that domain. If you need to set meta-policy information and allow other policies, use the metapolicy() view for the master policy instead.

Parameters:
- request (django.http.HttpRequest) – The incoming HTTP request.
- domains (typing.Iterable) – The domains from which to allow access. Each value may be either a domain name (e.g., “example.com”) or a wildcard (e.g., “*.example.com”). Due to serious potential security issues, it is strongly recommended that you not use wildcard domain values.
Return type:

flashpolicies.views.metapolicy(request, permitted, domains=None)
Serves a cross-domain policy which can allow other policies to exist on the same domain.

Note that this view, if used, must be the master policy for the domain, and so must be served from the URL /crossdomain.xml on the domain: setting meta-policy information in other policy files is forbidden by the cross-domain policy specification.

Parameters:
- request (django.http.HttpRequest) – The incoming HTTP request.
- permitted (str) – The metapolicy value to use. A set of constants is available, defining acceptable values for this argument.
- domains (typing.Iterable) – The domains from which to allow access. Each value may be either a domain name (e.g., “example.com”) or a wildcard (e.g., “*.example.com”). Due to serious potential security issues, it is strongly recommended that you not use wildcard domain values.
Return type:

flashpolicies.views.no_access(request)
Serves a cross-domain policy which permits no access of any kind, via a meta-policy declaration disallowing all policy files.

Note that this view, if used, must be the master policy for the domain, and so must be served from the URL /crossdomain.xml on the domain. Setting meta-policy information in other policy files is forbidden by the cross-domain policy specification.

Internally, this view calls the metapolicy() view, passing SITE_CONTROL_NONE as the meta-policy.

Parameters:
- request (django.http.HttpRequest) – The incoming HTTP request.
Return type: django.http.HttpResponse
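
The following is an added example, not part of django-flashpolicies or its documentation: a standalone check for a served policy body that flags the wildcard domain values and misplaced meta-policy declarations described above. The names audit_policy and is_master and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy body (UTF-8 bytes, as a policy view would serve).
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="utf-8"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="media.example.com"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def audit_policy(xml_bytes, is_master=True):
    """Return (severity, message) findings for one policy file.

    is_master (hypothetical flag): True when the file is served from
    /crossdomain.xml, the only place meta-policy information may appear.
    Run this only on policies your own site serves, not untrusted XML.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    findings = []
    site_control = root.find("site-control")
    if site_control is not None:
        permitted = site_control.get("permitted-cross-domain-policies")
        if not is_master:
            findings.append(("error", "meta-policy set outside the master policy"))
        elif permitted == "all":
            findings.append(("warn", "meta-policy 'all' accepts any policy file on the domain"))
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            # A bare wildcard admits requests from every domain.
            findings.append(("error", "allow-access-from '*' admits every domain"))
        elif "*" in domain:
            # Subdomain wildcards are the values the docs recommend against.
            findings.append(("warn", "wildcard domain %s" % domain))
    return findings


if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY):
        print(severity.upper(), message)
```

In a Django test, pass the `content` of the response returned by the view under test as `xml_bytes`.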