flash: crossdomain.xml is ignored

Question

I have some, say, weird situation... Here is what it is:

Flash application which records audio on one server and uploads it on another server. So, as you likely guessed, I faced that security sandbox violation exceptions/errors and it seems I have to add crossdomain.xml to the root of the server. Ok, did it, but it seems it didn't get downloaded or download process is interupted, so I keep getting this errors.

Could somebody point me to my mistakes, please? I really don't getting what I am doing wrong.

Here is the error I get while trying to upload audio:

Error #2044: Unhandled securityError:. text=Error #2170: Security sandbox 
violation: https://ip1/bar/foo cannot send HTTP headers to https://ip2/foo/bar

Here is the content of my crossdomain.xml (test version):

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*" to-ports="*" />
    <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

p.s. And, yes, crossdomain.xml is accessable via https://ip2/crossdomain.xml address.

ADDITIONAL INFO

I enabled flash logs and was surprised to know that flash is unable to get crossdomain.xml, though it is accessable via browser (with a clause that it is https and it states that there is a certificate issue, or smth like that).

Warning: Failed to load policy file from https://192.168.22.103/crossdomain.xml

ADDITIONAL INFO PART 2

Here is the warning I have in browser in case I try to access crossdomain.xml manually: enter image description here

Here is the request to download crossdomain.xml ends up with http status code = 0:
enter image description here

Have you tried manually loading the crossdomain.xml file? I think the method is loadPolicyFile() http://stackoverflow.com/questions/527911/flex-load-policy-file-crossdomain-xml . — JeffryHouser, Aug 30 '13 at 15:43
@Reboog711, actually, no. Will try to play with this and post the results. — mr.nothing, Aug 30 '13 at 15:49
@Reboog711, just relized, that it doesn't fit my needs. I don't know beforehand the IP of the server, where upload will be made. So I can't specify url to fetch crossdomain.xml explicitly. — mr.nothing, Aug 30 '13 at 15:56
nothing I don't understand why not knowing the IP before hand would prevent you from trying to manually load the crossdomain.xml file. At some point your app must know the IP in order to upload the file. Load the policy file before you attempt the upload. — JeffryHouser, Aug 30 '13 at 16:08
@Reboog711, well, it started working somehow, I didn't change anything. I really don't know how :D Could it be that crossdomain.xml is cached somewhere in flash? Cause it seems to be the case... — mr.nothing, Aug 30 '13 at 16:48
Since you have a "Changing IP Address" for the upload server; you may check all servers in question to make sure the crossdomain.xml is in place. You could also have troubles with the connection between client and server. Since it is sporadic; I'm unclear what if the issue is Flash or crossdomain.xml related. — JeffryHouser, Aug 30 '13 at 17:33
You should also look at the developer console in your browser the next time this happens. See what the browser is saying when it attempts to download the crossdomain.xml file (or if it even attempts it at all). — Sunil D., Aug 30 '13 at 18:02
@SunilD., Reboog711 Actually, I enabled flash player logs and I found that it unable to fetch crossdomain.xml... Though crossdaomin.xml is accessible if I trying to get via browser, but it is https, so maybe that certificate staff can prevent flash from downloading crossdomain.xml.. Please, see edit for new info. — mr.nothing, Aug 30 '13 at 18:19
Perhaps you are using a self signed SSL cert or the hostname on the cert doesn't match the hostname of the server. Browsers typically issue warnings for these conditions. In fact, since you're accessing it by IP address the latter may be true. I can't seem to find a definitive answer if self signed certs/hostname mismatches are a problem, but it may vary by browser. Try another browser and also consider adding whatever warnings your browser gives you (when you access the crossdomain.xml directly). — Sunil D., Aug 30 '13 at 19:44
`the hostname on the cert doesn't match the hostname of the server` - I looked at this and this is exactly the situation I have. Unfortunately, I forced to develop this application for IE, and it turned out that it doesn't work in other browsers. Please, if intereted, take a look at the warning I have in edited post. Also I added screenshot of how crossdomain.xml is refused for downloaded. — mr.nothing, Aug 31 '13 at 14:24
@Reboog711, Tried manual loading of the crossdomain.xml. Unfortunately, result is the same. — mr.nothing, Sep 01 '13 at 17:54
To get around a self signed cert warning; you have to manually [and permanently] accept the cert. Every browser accessing the site w/ the self signed cert is going to have to do this step. The reason it probably started working for you is that you accepted it for the session; then started a new browser session. You're better off getting a formal cert for the upload server; unless you have a very controlled environment. — JeffryHouser, Sep 02 '13 at 03:27

score 1 · Accepted Answer · answered Sep 06 '13 at 09:02

Finally, I found out what the problem was. As I developed this application for Internet Explorer there was some tricky things to make it work. As you can see in this picture: this there is "The security certificate presented by this website was issued for a different website's address" warning. The thing is that Internet Explorer ALWAYS warns users about this by default and this is the problem which prevents flash player from downloading flash policy file (crossdomain.xml). To override this behaviour you just need to:

Go to the Internet Explorer settings: Click cogwheel icon -> Internet options
Go to advanced tab
Scroll down to the end of the settings list and uncheck "Warn about certificate address mismatch".
IMPORTANT: Kill all instances of IE (if any, check in the Task Manager).
After these steps flash shouldn't have problems with fetching crossdomain.xml.

Really hope that this will help other flex developers avoid such type of issues. Cheers!

score 0 · Answer 2 · answered Aug 30 '13 at 17:34

0

Have you tried Security.allowDomain()?

answered Aug 30 '13 at 17:34

CodeMonkey

174
10

I have `Security.allowDomain("*");` in my code, but AFAIK this code have nothing common with the problem I have. – mr.nothing Aug 30 '13 at 18:25
Yes, allowDomain allows on client side, crossdomain allows on server side – csomakk Sep 03 '13 at 07:18

score 0 · Answer 3 · answered Sep 03 '13 at 21:16

I had similar problem. It was a little bit different because I had sockets involved, but I found that there are some changes in how the flash player uses policy files. You may find this helpful http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html At least it helped me and I wrote this article, which is like conclusion of my case.

Take a look at this paragraph:

Adobe has filed with IANA, the Internet Assigned Numbers Authority, to reserve port 843 for the purposes of serving socket policy files. By introducing a centralized location for socket policy files, Flash Player enables a system administrator to define what ports are available through one master policy that overrides any other policy file on the host. If Flash Player 9,0,124,0 cannot retrieve a master policy file from port 843, then it requests a socket policy file on the port where it is trying to connect. However, if a policy file is available from a service on TCP port 843, then Flash Player considers that to be the authoritative set of permissions for that system.

In my project I just serve the crossdomain.xml file in a specific port.

I actually have flash web socket impementation in my web app to make sockets work in IE and these web sockets fetch crossdomain over xmlsocket://. But in the subject issue, as resource is accessed via https://, crossdomain.xml **must** be fetched via https:// as well. See resolution of the subject issue in accepted answer, if interested. — mr.nothing, Sep 06 '13 at 09:05

score 0 · Answer 4 · answered Dec 17 '13 at 20:24

I had a similiar problem; the .swf on localhost was connecting with REST API over https on a remote server, which had a crossdomain file, but it was throwing 2170. For me the solution was to serve the localhost .html file containing the .swf also on https - that made the problem go away.

flash: crossdomain.xml is ignored

4 Answers4