1

I have been loading the YouTube AS3 player with Flex like this:

private function vid_completeHandler():void{
        player:Object = new Object;
        ...
        player = vid.content;
    }

<controls:SWFLoader id="vid"
    complete="vid_completeHandler()"
    source="http://www.youtube.com/apiplayer?version=3"/>

There have always been an unstoppable stream of messages about sandbox errors in the console (Flash Builder & Flashdevelop), but the code worked regardless.

Something has now changed and the player throws an error on loading:

Warning: Domain gdata.youtube.com does not explicitly specify a meta-policy, but Content-Type of policy file http://gdata.youtube.com/crossdomain.xml is 'text/x-cross-domain-policy'. Applying meta-policy 'by-content-type'.

[SWF] /yts/swfbin/player-vfl7UxYqE/apiplayer3.swf - 465,000 bytes after decompression
*** Security Sandbox Violation ***
SecurityDomain 'http://localhost/myDomain/bin_debug/myapp.html?debug=true' tried to access incompatible context 'https://s.ytimg.com/yts/swfbin/player-vfl7UxYqE/apiplayer3.swf'

***Security Sandbox Violation***
SecurityDomain 'https://www.youtube.com/apiplayer?version=3' tried to access incompatible context 'https://s.ytimg.com/yts/swfbin/player-vfl7UxYqE/apiplayer3.swf'

SecurityError: Error #2121: Security sandbox violation: Loader.content: https://www.youtube.com/apiplayer?version=3 cannot access https://s.ytimg.com/yts/swfbin/player-vfl7UxYqE/apiplayer3.swf. This may be worked around by calling Security.allowDomain.

at flash.display::Loader/get content()
at com.google.youtube.application::SwfProxy/onRequestParameters()
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at com.google.youtube.model::YouTubeEnvironment()
at com.google.youtube.application::VideoApplication/createYouTubeEnvironment()
at com.google.youtube.application::VideoApplication/onLoaderInfoInit()
Warning: Domain i.ytimg.com does not explicitly specify a meta-policy, but Content-Type of policy file http://i.ytimg.com/crossdomain.xml is 'text/x-cross-domain-policy'. Applying meta-policy 'by-content-type'.

I have tried to circumvent this with AS3, but cannot fix it:

var current:ApplicationDomain = ApplicationDomain.currentDomain;
var context:LoaderContext = new LoaderContext();
context.applicationDomain = new ApplicationDomain(current);
var urlLoader:Loader  = new Loader();
var url:String = "http://www.youtube.com/apiplayer?version=3";
urlLoader.load(new URLRequest(url), context);

I have have all the necessary Security.allowDomain calls and have tried other options like these:

Security.loadPolicyFile("http://www.youtube.com/crossdomain.xml");
urlLoader.dataFormat = URLLoaderDataFormat.BINARY;
context.securityDomain = SecurityDomain.currentDomain; 
context.allowCodeImport=true;

Is there any way I can prevent his error? Any change that Google/YouTube could have made to cause this?

Edited: YouTube player was not loading at all. This was because I had incorrectly moved the 'player = vid.content' line when trying to fix the security error.

Mr.Oz
  • 367
  • 4
  • 16
  • I tried your 1st code, and it's working fine. I'm using FB 4.5 with Flex 4.5 and I tested it with Flash Player 16 (debug version) and I got security error but the player is not null, and with Flash Player 13 (for tests) normal version without problem. So could you give us more details about your test environment or any information that can have influence to get that behavior ? – akmozo Jan 20 '15 at 07:28
  • I am editing my post because player is no longer null. This was caused by careless editing when trying to fix security error. I am using FB 4.6 with Flex 4.12 and Flash Player 16. This combination was working until about 9 days ago. I have not changed Flash settings or anything else that might affect security. user3646544's post seems to confirm that the problem is with Google/YouTube. Because cross-site scripting security is now coded into the runtime I doubt I have any influence over it. – Mr.Oz Jan 24 '15 at 17:13
  • Take a look on [my answer in this question](http://stackoverflow.com/a/28108815/2256820). – akmozo Jan 24 '15 at 18:39

0 Answers0