3

I'm trying to hit the Twitter API in my Flash application. It works in the local Flash IDE, but doesn't work when I upload it to my server. I'm getting this error:

Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http//alpha.{oursite}.com/flash/twitterticker.swf cannot load data from http//twitter.com/statuses/user_timeline/{ouraccount}.xml.

[ignore the lack of a ":" in the http:// in the error msg - I don't have enough of a reputation yet to post more than one hyperlink :-)]

When I look in Charles, it appears that the error is related to not finding an entry for my website in Twitter's crossdomain.xml file. As far as I know, this is not a requirement to use their API. Is there something I'm missing?

TIA!

Steve W


1 Answer

3

Looking at the crossdomain file at http://twitter.com/crossdomain.xml, you won't be able to directly call the Twitter API from Flash.

You are going to either need a server-side proxy, or use ExternalInterface bi-directional communication, since JavaScript can bypass the sandbox using JSONP.

The Twitter API site has several links to ready-written Twitter implementations for Flash. Maybe you can use one of their server-side proxies.

Les
  • Yeah, a few days ago Twitter removed the crossdomain allowances they had for a few years. Flash apps everywhere cried. – typeoneerror Nov 06 '09 at 22:43
  • So how does TweetDeck (the AIR Twitter client) work? I think you have to use their API instead of accessing the feed directly. I'm not familiar with the Twitter API though. – Amarghosh Nov 07 '09 at 07:07
  • A few days ago Twitter removed the crossdomain allowances? I guess that's why this was working for me a couple of weeks ago, then stopped. What a bummer! How can they revoke privileges in a way that breaks other people's apps? – Steve W Nov 11 '09 at 20:33
  • Quoting Alex Payne on the Twitter development group: "Yes, we changed crossdomain.xml in response to a security threat last night. Unfortunately, due to an insecure interaction between Flash and browsers, allowing cross-domain requests from any domain opens us to assumed login attacks, which a Japanese security researcher had noted publicly in the last 48 hours." I guess they had to protect their users from some sort of XSS attack? – Les Nov 11 '09 at 21:25
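
Added example, not part of the original thread: a small Python check of a `crossdomain.xml` policy that reports whether a SWF hosted on a given domain would be granted read access, and flags the any-domain wildcard that the comments say was withdrawn. The two policies are constructed samples (not Twitter's actual file), the host names are placeholders, and the subdomain matching is a simplification assumed for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not Twitter's actual file contents).
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="example.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "").lower()
            for el in root.iter("allow-access-from")]


def swf_may_load(policy_xml, swf_host):
    """True if a SWF served from swf_host is granted read access."""
    host = swf_host.lower()
    for pattern in allowed_domains(policy_xml):
        if pattern == "*" or pattern == host:
            return True
        # Assumption of this sketch: "*.example.com" covers subdomains only.
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False


def audit(policy_xml):
    """Flag the wildcard grant that opens the API to SWFs from any origin."""
    return ["any-domain wildcard: SWFs from every site can read responses "
            "fetched with the visitor's cookies"
            for pattern in allowed_domains(policy_xml) if pattern == "*"]


if __name__ == "__main__":
    print(swf_may_load(RESTRICTED_POLICY, "alpha.example.org"))
    print(audit(OPEN_POLICY))
```

A host that fails this check is the case from the question: the player raises the sandbox violation, and the request has to go through a proxy on the SWF's own domain instead.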