Frequently asked questions

The following notes answer common questions, and may be useful to you when installing, configuring or using django-flashpolicies.

Why do I need a cross-domain policy file?

Much like JavaScript, the Adobe Flash player by default has a same-origin policy; a Flash player instance on one domain cannot load data from another domain.

A cross-domain policy file allows you, as the owner of a domain, to specify exceptions to this, allowing loading of data from another domain (for example, if you have data hosted on a CDN).

In order to prevent security issues caused by loading data from untrusted domains, your cross-domain policy file should permit only those domains you know are trustworthy (i.e., because those domains are under your control, and you can prevent malicious content from being placed on them).

What versions of Django are supported?

As of django-flashpolicies 1.5, Django 1.4 and 1.5 are supported. It is expected that django-flashpolicies 1.5 will also work unmodified with Django 1.6, once Django 1.6 is released.

Older versions of Django may work, but are not supported. In particular, the behavior of the APPEND_SLASH setting in old Django versions may be problematic: on some older versions of Django, APPEND_SLASH always adds a trailing slash even if the URL would match without it. This makes it impossible to serve a master policy file, which must have exactly the URL /crossdomain.xml, with no trailing slash.

What versions of Python are supported?

On Django 1.4 and 1.5, django-flashpolicies 1.5 supports Python 2.6 and 2.7. On Django 1.5, Python 3.3 is also supported.

Why are the elements in a different order each time I serialize my policy?

Internally, a Policy stores information about permitted domains and headers in dictionaries, keyed by domain names. The resulting XML is generated by iterating over these dictionaries.

In older versions of Python, iteration over a dictionary would produce the same order of keys each time provided the set of keys was identical. Newer versions of Python include a feature, for security purposes, known as hash randomization; this means that two dictionaries with the same set of keys can and will at times iterate over those keys in different orders.

Hash randomization is enabled by default on Python 3.3, and can be enabled on older releases. If you are seeing inconsistent ordering for allow-access-from and allow-http-request-headers-from elements, it is due to hash randomization being enabled.

Since this does not affect the well-formedness or validity of the resulting XML document, it is not a bug, and you should not attempt to disable hash randomization in Python.

Why shouldn’t I use wild-card (i.e., ‘*’) domains in my policy?

Use of wild-card entries in a policy effectively negates much of the security gain that comes from explicitly specifying the permitted domains. Unless you can and do vigilantly control all possible domains/subdomains matching a wild-card entry, use of one will expose you to the possibility of loading malicious content.