YouTube changes crossdomain.xml ?

I am just wondering, if YouTube has recently changed it’s crossdomain.xml? The YouTube ActionScript 2.0 API example I wrote, has stopped working? I was using their REST API to consume data and it seems it doesn’t work any more for me? What is the reason (developer-id is banned or my IP address or my domain is blacklisted)?

If they have changed it, it’s really bad. We can not create frontends in Flash, which means YouTube API and RSS feeds are useless for Flash/Flex developers. I can use server-side proxy but I don’t want to.

Please update me if it is working work your Flash/Flex applications.

Update: Yup! They have done it, I did a quick search and found that it used to be “*” instead of “*”, you can see in image shown below.
Update: YouTube’s crossdomain.xml changes might be because of security concerns, you can further read on these blogs:-

  • Curtis

    Hi Abdul,
    My application is broken now as well. My guess is that it is affecting everyone. Thanks for the post. If I did not see that you are also having problems I would have spent hours trying to figure it out. 🙂

  • Curtis

    You can always have a serverside script that takes in the Rest URL as a parameter, then returns the response as an XML doc. For my application I am using FDS.
    If you are using FDS you can create a proxy in the proxy-config.xml :*
    Then use setup your service as follows:

  • Zeh

    Ouch. That’s a pretty big change from just *. I wonder why they changed that all of a sudden.

  • Hello! I’m looking for a photoblog about India and I’ve just stopped on your web. Could you recomend me one? Thanks.

  • Hi,
    Doing it server-side is straight forward. But when Flash application is capable of doing it directly, why sites like are not allowing? I used to think Web 2.0 is about building on top of APIs/webservices/syndication (rss etc)…
    I can understand there are people who write applications to suck/save data from youtube, flickr etc. Second there is business reason (ad revenue, number of hits etc)
    Anyways, how youtube would stop such folks by doing this?

  • @fragments – I know some but don’t remember now, would let you know later. You can meanwhile search, Google etc.. I am sure you would get many.

  • Hi Abdul, thanks for the info on the change. I don’t know yet what might be happening here, but it’s a serious issue whenever existing work is affected. A couple of folks here on Townsend St are pursuing this, trying to get more info from contacts at YouTube.
    (My own personal hunch is that when something like this changes so radically that it’s a short-term change, in response to a particular situation, and may not be the long-term course. YouTube and Google have many issues to resolve right now, with copyright and poached content and bandwidth and more, so they might have a situation where they needed a quick interim response. Just a guess on my part, though, and I could be wrong.)
    Thanks for the blog post… I’m hoping we can get some more info from our end soon.

  • You can always setup a FLV proxy server and still get the FLV’s from the youtube servers. Downfall is then you are moving bandwidth youself.
    This is a big deal, especially for the embedded youtube players that are located on blogs sites. If this didn’t break that capability then there is some allow domain scripts going on.

  • is the content of YouTube’s crossdomain.xml
    It’s really restricting access from outside, I don’t know why Google is showing an *

  • There’s a really good reason. Having * in the crossdomain file basically is a huge CSRF hole..
    The best solution (what they should do) is to create a seperate api domain (
    Flickr made the same change recently

  • @Evert – Right, I understand the security and their business concerns. But it would be great if they come up with separate domain (or sub-domain) for API stuff….
    Flickr, Yahoo etc have done it recently…
    They would not do anything if they want us to consume their data (or data on their servers) 🙂
    @Renaun – I was going through a php script to get the “t” param and redirection…This (crossdomain) change restricts me loading YouTube RSS feeds or make REST queries from Flash applications. Which means I have to go through a proxy even for these unless YouTube comes with separate domain, as said by Evert…
    @Andre – Google is showing “*” because YouTube’s crossdomain used to have that. Since they have updated recently (1-2 days back), Google might take sometime to reindex it.
    Thanks for your comments. I hope, we would still be able to use YouTube’s videos to create our mashup apps…

  • @JD – I am sure YouTube might be facing following problems:-

    • People (like me) using data from YouTube, Google, Yahoo! etc, I consider these are storage on internet 🙂
    • Security concerns, but I am not sure how..I might actually load YouTube’s player in my SWF and actually get hold of their data or make some calls to their stats server-scripts. Not sure, how critical/sensitive that data would be
    • Bandwidth/Business issues, YouTube’s only business seems to be Ad revenue or featured videoclips? I have a desktop application to see YouTube videos so I hardly visit their site…So YouTube is paying for bandwidth for these cases and hardly making any money?

    However, I am sure YouTube/Google would do something…
    It’s good to know that YouTube is being contacted for the same…
    Please keep us updated…
    Thanks for your comment…

  • Eran

    There is one thing i do not understand: Sites linked from youtube, like still work.
    This site also uses a flash application to get the flv files from youtube.
    How is that?
    One more: The proxy thing mentioned above, would that mean my webserver will have to download the flv and before passing it on?

  • @Eran – crossdomain.xml changes don’t stop you using their FLV files. You can still get it flv with simple server-side script which extracts “t” value, constructs the flv-url and redirects to it.
    crossdoman.xml changes stops you loading/sending any XML/RSS/REST data to YouTube.
    Bottom-line is you can get the video_id and still can do everything on server side. Flash based application would not directly talk to YouTube except for loading flvs from their assets servers…
    If you are interested, you can make a list of YouTube’s asset servers and just use them directly instead of extracting “t” value..
    Above should work fine as long as you are sure of your users geography and that particular server is not too loaded 🙂

  • Hi Abdul, for what it’s worth, I haven’t been able to dig up any info on the YouTube change myself. Some have remarked that YouTube may have a session-based membership scheme similar to MySpace, but I don’t know if that’s the reason for the change at YouTube.
    Have you seen any info from the source site yet…?

  • @JD – crossdomain.xml is the only major change I notice. Apart from that everything seems same to me. But due to crossdomain.xml I am not able to consume their REST APIs or load their RSS feeds from a Adobe Flash application.

  • Just to confirm Abdul’s comment: FLV playback doesn’t rely on crossdomain.xml permissions at all.
    Here is the reference document specifying the security policy for the various Flash APIs:

  • > FLV playback doesn’t rely on crossdomain.xml
    > permissions at all.
    @Julien – Right, but without right permission YouTube’s API or RSS feeds is not usable in Flash apps.

  • James

    here’s a very simple php file that you can put on your server and call it from flash to make the youTube rest api call for you and it will pass back to flash the youTube xml –
    simply call this file by passing the tag and dev_id as a querystring like so:
    it’s annoying not to be able to just do this from flash but this is a simple work around.

  • Hi to everyone,
    I have a big problem, I’m looking for a thousand forums and I don’t find the solution.
    the problem is, I need create a php script to get the direct URL to a .FLV at YOUTUBE.COM, like: ‘’ (this one I got manually).
    I need these URLs to copy in my XML file, and my flvplayer.swf read the list and show it.
    I tried other options, like include the downloadlink, like :’’, and the flvplayer don’t play the video.
    sorry for my bad english.
    thaks for your help

  • @juanjo: Would like to see your XML structure. There are some characters in that URL that needs to be encoded in order to contain in XML or you need to put them inside CDATA.
    What happens when you try to access the URL in from browser manually?
    Sometimes, some video gets deleted so they are no more available on YouTube!, it seems something else is wrong…

  • kurt

    so AS Youtube API came to be garbage.
    @Abdul Qabiz: maybe that’s not the only reason they do that. maybe Youtube want people use Youtube API only inside server-side. so they can reject access from your server whenever they want. but without shutdown crossdomain.xml, they cannot make your application unworkable.

  • @kurt: I think, I need to update the API to use proxy. Adobe Flash Player allows you to communicate with cross-domains so youtube should allow flash-apps to use the API. The reason, they removed it because there is security problem, they can create different domain ( for APIs. The way Flickr, Yahoo etc have done.

  • Jai

    Hi Abdul,
    I am not able to download this file:
    can you please post me a copy of the file.
    Also, I have tried your AS2.0 code for playing youtube video. It works on Firefox, but fail on IE. This shouldn’t be a cross-domain.xml issue. Otherwise, it would have failed on Firefox also. Do you have an idea why it fails on IE only?

  • @Jai: You can not download the php-code, unless they are providing a way.
    Which AS2 code you tried? I heard that it works in IE also, check out the comments in corresponding post.

  • jaykey

    Hi Abdul,
    i tried the AS2 script from the top and it is like Jai sais. I can not get the video on iEx but on Firefox it is working fine.
    In the iEx i got the following output:
    vThe URL is:
    t param: undefined
    video_id: undefined
    thumbnail: undefined

    did someone find out how to fix that? Is it posible to get the “t”-param with an php-script? Thanks for your posts, this is a big topic…

  • prashant

    i created the get video url for the youtube as belov
    and gave it to my agrya player as
    .flv&playList={$baseurl}/playlist.php?viewkey={$smarty.request.viewkey}” allowfullscreen=”true” quality=”high” bgcolor=”#ffffff” width=”450″ height=”395″ name=”player” align=”middle” allowScriptAccess=”sameDomain” type=”application/x-shockwave-flash” pluginspage=”” />
    still its not playing the video can anybdy help me

  • Arun

    I am developing a similar kind of application wherein you can view youtube videos. I am fetching the path of the flv and feeding it to the contentpath of mediaplayer component in my flash file. It is working perfectly fine as a standalone player but when i try to host it on the web (localhost) it is not giving any output. Actually I am not able to get the xml itself.
    Can anyone help me out with this?

  • Hi
    I have created a website which has lot no. of FLV files and which are played on a customized flv player.
    Our problem is that these videos are to be purchased to view, but using realplayer 11 u can download them easily.
    Can anyone help how to restrict users to download.

  • vercer2005

    hey abdul firstly i wanna say that you are fantastic coder!!!
    and now youtube changes crossdomain.xml and it free all (*)
    and will you fix your as2 example and source thnx

  • German

    Hi Abdul
    Recently i´m wotking with a videos in youtube loading the stream in my web site. I work with a code that you posted and thats work very good but yesterday, the video d´ont work anymore.
    This is the code:
    var _mcl:MovieClipLoader = new MovieClipLoader();
    _mclListener = new Object();
    _mclListener.onLoadInit = function(target:MovieClip) {
    var _lv:LoadVars = new LoadVars();
    _root.videoplayer_mc.contentPath = “”+”video_id=”+_lv.video_id+”&t=”+_lv.t;
    videoplayer_mc is the instance for a MediaPlayback component.
    I´dont understand what happen.
    ¿Can you help me please?
    Thank you so much

  • Hi Guys
    It’s been a while since I responded to any comment but I promise, I would respond each comment or post something that solves youtube related issues.
    Thanks for reading and commenting.