Views for serving cross-domain policies

Included in django-flashpolicies are several views for generating and
serving Flash cross-domain policies. Most sites will need no more than
the allow_domains() policy-serving view.

Some of the other views here support more advanced use cases, but note
that not all valid policy file options have direct support in these
views. The Policy class does support all valid options, however, so
instantiating a Policy, setting the desired options, and passing it to
the serve() view will allow use of any options policy files can support.

flashpolicies.views.serve(request, policy)

Given a Policy instance, serializes it to UTF-8 and serves it.

Internally, this is used by all other included views as the mechanism which actually serves the policy file.

Parameters:
- request – The incoming Django HttpRequest.
- policy – The Policy to serve.

Return type: HttpResponse

flashpolicies.views.allow_domains(request, domains)

Serves a cross-domain access policy allowing a list of domains.

Note that if this is returned from the URL /crossdomain.xml on a domain, it will act as a master policy and will not permit other policies to exist on that domain. If you need to set meta-policy information and allow other policies, use the metapolicy() view for the master policy instead.

Parameters:
- request – The incoming Django HttpRequest.
- domains – An Iterable of domains from which to allow access. Each value may be either a domain name (e.g., “example.com”) or a wildcard (e.g., “*.example.com”). Due to serious potential security issues, it is strongly recommended that you not use wildcard domain values.

Return type: HttpResponse

flashpolicies.views.metapolicy(request, permitted, domains=None)

Serves a cross-domain policy which can allow other policies to exist on the same domain.

Note that this view, if used, must be the master policy for the domain, and so must be served from the URL /crossdomain.xml on the domain: setting meta-policy information in other policy files is forbidden by the cross-domain policy specification.

Parameters:
- request – The incoming Django HttpRequest.
- permitted – A str indicating the extent to which other policies are permitted. A set of constants is available, defining acceptable values for this argument.
- domains – An Iterable of domains from which to allow access. Each value may be either a domain name (e.g., “example.com”) or a wildcard (e.g., “*.example.com”). Due to serious potential security issues, it is strongly recommended that you not use wildcard domain values.

Return type: HttpResponse

flashpolicies.views.no_access(request)

Serves a cross-domain policy which permits no access of any kind, via a meta-policy declaration disallowing all policy files.

Note that this view, if used, must be the master policy for the domain, and so must be served from the URL /crossdomain.xml on the domain. Setting meta-policy information in other policy files is forbidden by the cross-domain policy specification.

Internally, this view calls the metapolicy() view, passing SITE_CONTROL_NONE as the meta-policy.

Parameters:
- request – The incoming Django HttpRequest.

Return type: HttpResponse
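
The two cautions repeated above (avoid wildcard domain values, and set meta-policy only in the master policy at /crossdomain.xml) can be checked mechanically against the policy files a site actually serves. The following is an added example, not part of django-flashpolicies: audit_policy(), its severity labels and the sample policies are constructed for illustration, and the element and attribute names are those of the cross-domain policy file format.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

MASTER_PATH = "/crossdomain.xml"  # the only URL allowed to carry meta-policy


def audit_policy(xml_text, served_from):
    """Return (severity, message) findings for one cross-domain policy file."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", "access allowed from every domain"))
        elif "*" in domain:
            findings.append(("medium", "wildcard domain: " + domain))
    # Meta-policy (<site-control>) is only valid in the master policy.
    if served_from != MASTER_PATH and root.find("site-control") is not None:
        findings.append(("error", "meta-policy set outside " + MASTER_PATH))
    return findings


# Constructed sample policies (not taken from any real site).
MASTER = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="media.example.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

NESTED = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for path, xml_text in ((MASTER_PATH, MASTER), ("/media/crossdomain.xml", NESTED)):
        for severity, message in audit_policy(xml_text, path):
            print(path, severity, message)
```

An empty result means neither caution applies to that file; it does not validate the policy against the full specification.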