Views for serving cross-domain policies

Included in django-flashpolicies are several views for generating and serving Flash cross-domain policies. Most sites will need no more than the allow_domains() policy-serving view.

Some of the other views here support more advanced use cases, but note that not all valid policy file options have direct support in these views. The Policy class does support all valid options, however, so instantiating a Policy, setting the desired options, and passing it to the serve() view will allow use of any options policy files can support.

flashpolicies.views.serve(request, policy)

Given a Policy instance, serializes it to UTF-8 and serves it.

Internally, this is used by all other included views as the mechanism which actually serves the policy file.

Parameters:
Return type:

django.http.HttpResponse

flashpolicies.views.allow_domains(request, domains)

Serves a cross-domain access policy allowing a list of domains.

Note that if this is returned from the URL /crossdomain.xml on a domain, it will act as a master policy and will not permit other policies to exist on that domain. If you need to set meta-policy information and allow other policies, use the metapolicy() view for the master policy instead.

Parameters:
  • request (django.http.HttpRequest) – The incoming HTTP request.
  • domains (typing.Iterable) – The domains from which to allow access. Each value may be either a domain name (e.g., “example.com”) or a wildcard (e.g., “*.example.com”). Due to serious potential security issues, it is strongly recommended that you not use wildcard domain values.
Return type:

django.http.HttpResponse
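The wildcard warning above can be checked against a serialized policy before it is deployed. The following is an added example, not part of django-flashpolicies: it uses only the Python standard library, the element and attribute names are those of the cross-domain policy file format, and the audit_policy function and sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the cross-domain policy file format.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="media.example.com"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Elements that grant access to other domains.
GRANTING_TAGS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text):
    """Return (severity, message) findings for a policy file you serve yourself."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy document")
    findings = []
    for tag in GRANTING_TAGS:
        for elem in root.iter(tag):
            domain = elem.get("domain", "")
            if domain == "*":
                findings.append(("high", f"{tag}: any domain is allowed"))
            elif "*" in domain:
                findings.append(("medium", f"{tag}: wildcard domain {domain}"))
            # secure defaults to true; false also admits non-HTTPS requesters.
            if elem.get("secure", "true").lower() == "false":
                findings.append(("medium", f"{tag}: {domain} allowed from non-HTTPS origins"))
    site_control = root.find("site-control")
    if site_control is not None:
        if site_control.get("permitted-cross-domain-policies") == "all":
            findings.append(("medium", "meta-policy 'all' permits any policy file on the domain"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

Running the check in a test suite against the response body of the /crossdomain.xml URL catches a wildcard entry before it reaches production.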

flashpolicies.views.metapolicy(request, permitted, domains=None)

Serves a cross-domain policy which can allow other policies to exist on the same domain.

Note that this view, if used, must be the master policy for the domain, and so must be served from the URL /crossdomain.xml on the domain: setting meta-policy information in other policy files is forbidden by the cross-domain policy specification.

Parameters:
Return type:

django.http.HttpResponse

flashpolicies.views.no_access(request)

Serves a cross-domain policy which permits no access of any kind, via a meta-policy declaration disallowing all policy files.

Note that this view, if used, must be the master policy for the domain, and so must be served from the URL /crossdomain.xml on the domain. Setting meta-policy information in other policy files is forbidden by the cross-domain policy specification.

Internally, this view calls the metapolicy() view, passing SITE_CONTROL_NONE as the meta-policy.

Parameters:
  • request (django.http.HttpRequest) – The incoming HTTP request.
Return type:

django.http.HttpResponse