How to Make crossdomain.xml Work with SharePoint
Posted in Development
Not long ago I worked on a web site which had all its content and media stored in SharePoint. At an early point in the project, Flash developers started to complain that none of their media played when served from SharePoint. The problem seemed obvious: the cross-domain policy file, crossdomain.xml, was missing. Here’s what it’s for (via Adobe):
A cross-domain policy file is an XML document that grants a web client—such as Adobe Flash Player (though not necessarily limited to it)—permission to handle data across multiple domains. When a client hosts content from a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain would need to host a cross-domain policy file that grants access to the source domain, allowing the client to continue with the transaction. Policy files grant read access to data as well as permit a client to include custom headers in cross-domain requests.
The most common location for a policy file on a server is in the root directory of a domain with the filename crossdomain.xml (e.g. http://example.com/crossdomain.xml)—the default location that clients check when a policy file is required.
There are two things to note here.
- “though not necessarily limited to [Adobe Flash]”. Silverlight, being a Flash knock-off, works the same way. See HTTP Communication and Security with Silverlight. In other words, this discussion applies to Silverlight just as much.
- A cross-domain policy file must be placed in the root of your web site.
The challenge became how to put crossdomain.xml in web root. SharePoint isn’t your typical web site; you don’t just hit pages—there’s a level of indirection for all resources.
Just about every blog post on the web recommended using the now free SharePoint Designer to upload the policy file. Others were suggesting to “drop” it in the physical root (normally C:\inetpub\wwwroot\wss\VirtualDirectories\80).
We followed just about every bit of advice. Nothing worked. Hitting crossdomain.xml would always yield a 404.
Several days into this nightmare, my stalwart co-worker Eric stumbled upon a solution:
- Copy crossdomain.xml to SharePoint’s physical root.
- Open web.config from the same folder and disable custom error pages:
<customErrors mode="Off" />
Amazingly, that worked! Like all things SharePoint, it made no sense at all, but it worked.
I hope I can save someone several days of frustrating troubleshooting.
9 comments
Milan Negovan
on November 12, 2009
Can you clarify your question, please?
net
on November 15, 2009
sorry the tag was missing in the previous post:
customErrors mode="Off"
what i meant was if there would be security issue here?
Thanks
Milan Negovan
on November 15, 2009
I'm not sure if SharePoint would display anything sensitive if it bombs. As to the workaround, I haven't see any other ideas that actually worked.
Joe
on December 1, 2009
What directory exactly is 'Sharepoint's physical root'? Program Files\Common Files\microsoft shared\Web Server Extensions\12 ? I've been pulling my hair out over this exact issue for a couple of days now...
Milan Negovan
on December 1, 2009
Try C:\inetpub\wwwroot\wss\VirtualDirectories\80
Christopher Roberts
on December 31, 2009
Sometimes I feel that way about coding: "why is this not working!" and "this shouldn't be working!"
Great article thanks :)
md
on April 21, 2010
Maybe it just worked, because modifying the web.config restarted the web?!
net
on November 11, 2009
is putting safe since it opens the errors to the users?