1

My Flex application is being hosted at http://<ip>:8080/MyApp/Login.html, when I go there there is a request for http://<ip>:8080/crossdomain.xml is created, as well as a request for https://<ip>:8080/crossdomain.xml. This happens when I attempt to use a Remote Java Object call to the same server, and grab assets from it. I am not hosting https on port 8080, therefore this https call will fail.

The problem is that the https call will sometimes take a long time to fail (it fails by the connectionTimeout length in the tomcat connector). Other times it fails quickly. However, in the times that it does take a long time to fail, the page doesn't complete loading because I'm waiting on those assets and the remote object calls for data.

I've tried setting up a forceful retrieval of a crossdomain.xml with the following inside it:

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

With the AS3 code:

Security.loadPolicyFile(browserUrl+"/assets/crossdomain.xml");

Which is being called in the application's initialize event. The above, forceful, crossdomain.xml file is being called and retrieved correctly according to chrome and wireshark, but the default locations at the root of the server are still being attempted, and the https attempt is still timing out. And the app is not completing its loading until that attempt times out.

Dave Lugg
  • 2,326
  • 2
  • 15
  • 23
  • If the Flex app is served from the same domain that you're making calls to; you shouldn't need to load a crossdomain at all. Are you sure you're not trying to make an HTTPS call from within the app? – JeffryHouser Jul 31 '13 at 00:30
  • As far as I know, crossdomain shall be placed in root, not inside subfolders(unless you want to specify some permissions for subfolders, I guess). – user1875642 Jul 31 '13 at 08:31
  • @Reboog711 I thought that too, but I'm definitely seeing the call for it from Chrome's developer tools. And it's definitely taking the 10 seconds or so to timeout. I've checked all through the code and don't believe I'm making that call forcefully. – Dave Lugg Jul 31 '13 at 12:59
  • @user1875642 If you use `Security.loadPolicyFile` then you can load it from anywhere. – Dave Lugg Jul 31 '13 at 13:00

1 Answers1

0

So I think I determined what this issue was. I had a secure channel being used first in the list of channels, and since it was different domain (http instead of the https that the channel was on) it would do the crossdomain.xml lookup.

I reordered the channels to have the regular http channel first, and my application no longer does any crossdomain lookups except the forceful one (which I've since removed).

Since the first channel was over https, Flex was waiting on that lookup before falling back to the insecure channel.

I also think this should continue to work if actually using https, since I believe that a plaintext request to a secure connector will be rejected instantly instead of timing out.

Dave Lugg
  • 2,326
  • 2
  • 15
  • 23