Frequently asked questions
The following notes answer common questions, and may be useful to you when installing, configuring or using django-flashpolicies.
Why do I need a cross-domain policy file?
Much like JavaScript, the Adobe Flash player by default has a same-origin policy; a Flash player instance on one domain cannot load data from another domain.
A cross-domain policy file allows you, as the owner of a domain, to specify exceptions to this, allowing loading of data from another domain (for example, if you have data hosted on a CDN).
In order to prevent security issues caused by loading data from untrusted domains, your cross-domain policy file should permit only those domains you know are trustworthy (i.e., because those domains are under your control, and you can prevent malicious content from being placed on them).
Why doesn’t this application generate Silverlight’s format?
The Microsoft Silverlight plugin has a same-origin sandbox like Flash, and its native format for cross-domain policies is a file called clientaccesspolicy.xml. However, if clientaccesspolicy.xml is not found on the target domain, or otherwise returns an error, Silverlight will fall back to requesting and obeying a Flash crossdomain.xml file.
This means that a single file – crossdomain.xml in the Flash format – suffices for both Flash and Silverlight. Additionally, Silverlight is no longer supported in current versions of Microsoft’s own Edge browser, support for it is in the process of being dropped/disabled in other major browsers, and Microsoft has announced that Silverlight will reach end-of-life in 2021, meaning that the Silverlight-only format corresponds to an already-small and shrinking, and soon to be nonexistent, supported base.
What versions of Django are supported?
As of django-flashpolicies 1.8, Django 1.8 and 1.9 are supported.
Older versions of Django may work, but are not supported. In particular, the behavior of the APPEND_SLASH setting in some old Django versions may be problematic: on very old versions of Django, APPEND_SLASH always adds a trailing slash even if the URL would match without it. This makes it impossible to serve a master policy file, which must have exactly the URL /crossdomain.xml, with no trailing slash.
What versions of Python are supported?
As of django-flashpolicies 1.8, Django 1.8, 1.9, and 1.10 are supported, on Python 2.7, 3.3, 3.4 or 3.5. Although Django 1.8 supported Python 3.2 at initial release, Python 3.2 is now at its end-of-life and django-flashpolicies no longer supports it.
Why are the elements in a different order each time I serialize my policy?
Internally, a Policy stores information about permitted domains and headers in dictionaries, keyed by domain names. The resulting XML is generated by iterating over these dictionaries.
In older versions of Python, iteration over a dictionary would produce the same order of keys each time provided the set of keys was identical. Newer versions of Python include a feature, for security purposes, known as hash randomization; this means that two dictionaries with the same set of keys can and will at times iterate over those keys in different orders.
Hash randomization is enabled by default on Python 3.3, and can be enabled on older releases. If you are seeing inconsistent ordering for allow-access-from and allow-http-request-headers-from elements, it is due to hash randomization being enabled.
Since this does not affect the well-formedness or validity of the resulting XML document, it is not a bug, and you should not attempt to disable hash randomization in Python.
Why shouldn’t I use wild-card (i.e., ‘*’) domains in my policy?
Use of wild-card entries in a policy effectively negates much of the security gain that comes from explicitly specifying the permitted domains. Unless you can and do vigilantly control all possible domains/subdomains matching a wild-card entry, use of one will expose you to the possibility of loading malicious content.
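The following Python is an added example, not code from django-flashpolicies. It ties together three of the answers above: it serializes a crossdomain.xml that permits only an explicit list of domains (a simplified stand-in for the project’s Policy class, with the same Adobe element names but none of the project’s API), it reduces two serializations to an order-independent form so that the element ordering caused by hash randomization does not matter when comparing them, and it audits a policy for the wild-card entries this answer warns against. The function names and the example.com hostnames are this example’s own.

```python
"""Added example for the FAQ above; not part of django-flashpolicies.

build_policy() is a simplified stand-in for the project's Policy class,
canonical_form() compares two serializations regardless of element order,
and audit_policy() flags wild-card and other over-broad entries. The
hostnames used below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

XML_HEADER = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE cross-domain-policy SYSTEM '
    '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">\n'
)


def build_policy(domains, headers=None):
    """Serialize a crossdomain.xml that permits only `domains`.

    `headers` maps a domain to the request header names it may send.
    Entries are written in iteration order, so two policies with the same
    content can serialize with their elements in a different order.
    """
    root = ET.Element("cross-domain-policy")
    # master-only: only /crossdomain.xml at the site root is honoured, so a
    # policy file placed elsewhere on the host cannot widen access.
    ET.SubElement(root, "site-control",
                  {"permitted-cross-domain-policies": "master-only"})
    for domain in domains:
        # secure="true": content served over plain HTTP may not read HTTPS data.
        ET.SubElement(root, "allow-access-from",
                      {"domain": domain, "secure": "true"})
    for domain, names in (headers or {}).items():
        ET.SubElement(root, "allow-http-request-headers-from",
                      {"domain": domain, "headers": ",".join(names),
                       "secure": "true"})
    return XML_HEADER + ET.tostring(root, encoding="unicode")


def canonical_form(xml_text):
    """Reduce a policy to a hashable value that ignores element order."""
    root = ET.fromstring(xml_text)
    site_control = root.find("site-control")
    permitted = (site_control.get("permitted-cross-domain-policies")
                 if site_control is not None else None)
    access = frozenset(
        (el.get("domain"), el.get("secure", "true"))
        for el in root.findall("allow-access-from"))
    headers = frozenset(
        (el.get("domain"),
         frozenset(h.strip() for h in el.get("headers", "").split(",")),
         el.get("secure", "true"))
        for el in root.findall("allow-http-request-headers-from"))
    return (permitted, access, headers)


def audit_policy(xml_text):
    """Return a list of findings for entries that widen access too far."""
    root = ET.fromstring(xml_text)
    findings = []
    site_control = root.find("site-control")
    if (site_control is not None and
            site_control.get("permitted-cross-domain-policies") == "all"):
        findings.append("site-control honours any policy file on the host")
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.findall(tag):
            domain = el.get("domain", "")
            if domain == "*":
                findings.append(f"{tag}: domain='*' admits every origin")
            elif "*" in domain:
                findings.append(
                    f"{tag}: wild-card {domain!r} admits every matching subdomain")
            if el.get("secure", "true").lower() == "false":
                findings.append(
                    f"{tag}: secure='false' for {domain!r} lets HTTP origins "
                    "read HTTPS content")
    return findings


if __name__ == "__main__":
    # Constructed sample: the same allowlist, inserted in two different orders.
    first = build_policy(["media.example.com", "static.example.com"],
                         {"api.example.com": ["X-Requested-With"]})
    second = build_policy(["static.example.com", "media.example.com"],
                          {"api.example.com": ["X-Requested-With"]})
    print("byte-identical:", first == second)  # False
    print("same policy:", canonical_form(first) == canonical_form(second))  # True
    for finding in audit_policy(build_policy(["*", "*.example.com"])):
        print("finding:", finding)
```

Comparing canonical_form() values rather than the serialized strings is the right way to write tests for a policy, because, as the hash-randomization answer explains, identical policies are allowed to serialize in different element orders. The audit rejects a bare `*` and any `*.`-prefixed entry alike: the latter is only safe if every host that could ever match it is under your control.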
How am I allowed to use this module?
django-flashpolicies is distributed under a three-clause BSD license. This is an open-source license which grants you broad freedom to use, redistribute, modify and distribute modified versions of django-flashpolicies. For details, see the file LICENSE in the source distribution of django-flashpolicies.
I found a bug or want to make an improvement!
The canonical development repository for django-flashpolicies is online at <https://github.com/ubernostrum/django-flashpolicies>. Issues and pull requests can both be filed there.