Enabling cross domain access to Windows Azure Blobs from Flash clients


Here’s an interesting tidbit that came across my desk recently.  If you’re building applications with Adobe Flash and want to enable the use of Windows Azure for blob storage, you’ll need to be able to create a “cross-domain policy file” in order to get the Flash client to request blobs.

Why?  Because the Flash client requires it.  Specifically:

“For security reasons, a Macromedia Flash movie playing in a web browser is not allowed to access data that resides outside the exact web domain from which the SWF originated.” – Source: Cross-domain policy for Flash movies

So how does that relate to the use of Windows Azure Blob Storage from Flash applications?

Well, imagine this.  You create a Flash application and host it on your site.  It might even be a site hosted on Windows Azure, or maybe not.  Either way, the application itself has an “exact web domain from which the SWF originated”, as follows:

| Hosting Platform | Typical URL | Originating Domain (as seen by Flash) |
|---|---|---|
| Non Windows Azure Host | http://www.mycompany.com | mycompany.com |
| Windows Azure Cloud Services, no custom CNAME | http://mycompany.cloudapp.net | mycompany.cloudapp.net |
| Windows Azure Cloud Services, with custom CNAME | http://www.mycompany.com | mycompany.com |
| Windows Azure Websites | http://mycompany.azurewebsites.net | mycompany.azurewebsites.net |
| Windows Azure Websites, Shared or Reserved Mode, with custom domain name | http://www.mycompany.com | mycompany.com |

Now, here comes the problem.  When you access the Windows Azure Blob Storage, the domain that will be serving up your blobs is going to be a subdomain of http://blob.core.windows.net (something like http://yourcompany.blob.core.windows.net), and that doesn’t match up with _any_ of these domains here.  By default, Flash won’t let you access this domain, unless you are able to serve up a crossdomain.xml file from that domain.  This policy file is a little XML file that gives the Flash Player permission to access data from a given domain without displaying a security dialog.  When it resides on a server, it lets the Flash Player have direct access to data on the server, without the prompts for user access.  But since Windows Azure Blob Storage is an Azure service, that’s not possible, right?

As it turns out… it is possible.  You can actually host the crossdomain.xml file in the root container of your blob storage, and then simply ensure that the root container has public read access.  It looks like the following:

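// "$root" is the special root container; a blob in it is served from the account root, e.g. /crossdomain.xml
CloudBlobContainer cloudBlobContainer = cloudBlobClient.GetContainerReference("$root");
// Blob-level public access: anonymous clients can read individual blobs but cannot list the container
cloudBlobContainer.SetPermissions(new BlobContainerPermissions { PublicAccess = BlobContainerPublicAccessType.Blob });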
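
A fuller version of the step above, as an added example that is not from the original post: it builds a policy file that names the SWF's originating host explicitly rather than using domain="*", uploads it to $root as crossdomain.xml, and then opens the container for anonymous blob reads. It assumes the Microsoft.WindowsAzure.Storage 2.x client library, a connection string in an AZURE_STORAGE_CONNECTION_STRING environment variable, and www.mycompany.com (the host in the table's example URL) as the originating host; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Xml.Linq;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

static class CrossDomainPolicyPublisher   // hypothetical name, not from the post
{
    // Build a policy that lists each SWF origin explicitly. A bare or prefix
    // wildcard would let SWFs from unrelated sites read the blobs too.
    static string BuildPolicy(params string[] swfOrigins)
    {
        if (swfOrigins.Length == 0 ||
            swfOrigins.Any(d => string.IsNullOrWhiteSpace(d) || d.Contains("*")))
            throw new ArgumentException("List explicit originating hosts; wildcards are rejected.");

        var policy = new XElement("cross-domain-policy",
            swfOrigins.Select(d => new XElement("allow-access-from",
                                                new XAttribute("domain", d))));
        return new XDeclaration("1.0", "utf-8", null) + Environment.NewLine + policy;
    }

    static void Main()
    {
        // Assumption: the storage connection string is supplied via this variable.
        string conn = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");
        CloudBlobClient cloudBlobClient = CloudStorageAccount.Parse(conn).CreateCloudBlobClient();

        // Flash looks for the policy at the root of the blob host, so it must
        // live in $root under exactly this name.
        CloudBlobContainer root = cloudBlobClient.GetContainerReference("$root");
        root.CreateIfNotExists();

        CloudBlockBlob blob = root.GetBlockBlobReference("crossdomain.xml");
        blob.Properties.ContentType = "text/xml";
        using (var body = new MemoryStream(
                   Encoding.UTF8.GetBytes(BuildPolicy("www.mycompany.com"))))
        {
            blob.UploadFromStream(body);
        }

        // Same permission call as in the post: public read of blobs, no listing.
        root.SetPermissions(new BlobContainerPermissions
        {
            PublicAccess = BlobContainerPublicAccessType.Blob
        });
    }
}
```

The public-read setting covers every blob in $root, so keep only the policy file in that container.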

Thanks to my pal Marcus for the information on this!