The Adobe Flash Player contains a crossdomain security mechanism that affects publishers using Flash players (such as JW Player) on Flash-capable browsers and devices. It denies the loading of the following files from another domain:
Crossdomain security restrictions can be lifted by hosting a crossdomain.xml file on the server that contains the files.
Unfortunately, the Flash Player has a security restriction which prevents the request for said crossdomain.xml file from following a 302 redirect. From the Adobe website:
Note: When serving a policy file, you must not use a cross-domain redirect, or the player will ignore the policy file.
Thus any requests for /crossdomain.xml using the FortiDirector HTTP Service would result in a security error with the Flash Player.
To work with this security restriction, FortiDirector can serve a crossdomain.xml file directly (200) rather than redirect the request (302).
By default, all requests for a root crossdomain file:
http://[ruleset hostname]/crossdomain.xml
which are made to the FortiDirector HTTP service are answered with the following wildcarded crossdomain.xml file:
<cross-domain-policy><allow-access-from domain="*" secure="false"/><allow-http-request-headers-from domain="*" headers="*" secure="false"/></cross-domain-policy>
This allows the Flash Player to make requests through the FortiDirector HTTP service without security restrictions, so that loading of the specified resource succeeds.
FortiDirector further extends this feature by allowing users to upload a custom crossdomain.xml file, which can either:
crossdomain.xml files, among other files (less than 1KB), can be uploaded and managed by editing any existing Rule Set.
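Before uploading a custom crossdomain.xml, it helps to see which grants in a policy are open to any domain. The following Python check is an added example, not FortiDirector or Adobe code: it parses a policy body and lists its permissive grants, run against the default policy quoted above and against a constructed narrower policy. The hostname player.example.com and the function name audit_policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Default policy quoted on this page (served for /crossdomain.xml by default).
DEFAULT_POLICY = (
    '<cross-domain-policy><allow-access-from domain="*" secure="false"/>'
    '<allow-http-request-headers-from domain="*" headers="*" secure="false"/>'
    '</cross-domain-policy>'
)

# Constructed sample of a narrower custom policy; the hostname is a placeholder.
CUSTOM_POLICY = (
    '<cross-domain-policy>'
    '<allow-access-from domain="player.example.com"/>'
    '</cross-domain-policy>'
)

GRANTS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text):
    """Return a list of (element, issue) findings for a crossdomain.xml body.

    Intended for policy files you control; the standard-library parser is
    not hardened against hostile XML.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    findings = []
    for el in root:
        if el.tag not in GRANTS:
            continue
        domain = el.get("domain", "")
        if domain == "*":
            findings.append((el.tag, "any domain allowed"))
        elif domain.startswith("*."):
            findings.append((el.tag, "all subdomains of %s allowed" % domain[2:]))
        # secure defaults to true; false also admits content loaded over HTTP.
        if el.get("secure", "true").lower() == "false":
            findings.append((el.tag, 'secure="false"'))
        if el.tag == "allow-http-request-headers-from" and el.get("headers") == "*":
            findings.append((el.tag, "any request header allowed"))
    return findings


if __name__ == "__main__":
    for name, body in (("default", DEFAULT_POLICY), ("custom", CUSTOM_POLICY)):
        print(name, audit_policy(body) or "no permissive grants")
```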
Copyright 2025 Fortinet, Inc. All Rights Reserved.