Does anyone know if the crossdomain policy file at salesforce.com has changed?

Question

Suddenly my Flex Apps can no longer connect to salesforce.com via its API, I am getting a security sandbox violation. Login credentials are correct, I have tried them via a different means, and I have obfuscated them below.

This was working fine earlier today and I have not been coding since then.

Anyone else come across this or know what's going on?

Here is the exception returned to my app

Method name is: login
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer connected.
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer sending message 'B89E5879-D7F7-E91E-2082-BBEE231054DD'
'direct_http_channel' channel sending message:
(mx.messaging.messages::HTTPRequestMessage)#0
  body = "<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/"><se:Header xmlns:sfns="urn:partner.soap.sforce.com"/><se:Body><login xmlns="urn:partner.soap.sforce.com" xmlns:ns1="sobject.partner.soap.sforce.com"><username>simon.palmer@***.com</username><password>***</password></login></se:Body></se:Envelope>"
  clientId = (null)
  contentType = "text/xml; charset=UTF-8"
  destination = "DefaultHTTPS"
  headers = (Object)#1
  httpHeaders = (Object)#2
    Accept = "text/xml"
    SOAPAction = """"
    X-Salesforce-No-500-SC = "true"
  messageId = "B89E5879-D7F7-E91E-2082-BBEE231054DD"
  method = "POST"
  recordHeaders = false
  timestamp = 0
  timeToLive = 0
  url = "https://www.salesforce.com/services/Soap/u/11.0"
Method name is: login
*** Security Sandbox Violation ***
Connection to https://www.salesforce.com/services/Soap/u/11.0 halted - not permitted from https://localhost/pm_server/pm/pm-debug.swf
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer acknowledge of 'B89E5879-D7F7-E91E-2082-BBEE231054DD'.
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer fault for 'B89E5879-D7F7-E91E-2082-BBEE231054DD'.
Comunication Error : Channel.Security.Error : Security error accessing url : Destination: DefaultHTTPS
Error: Request for resource at https://www.salesforce.com/services/Soap/u/11.0 by requestor from https://localhost/pm_server/pm/pm-debug.swf is denied due to lack of policy file permissions.

Answer 1

You have to make sure to load the policy from the /services tree, the default policy at the root won't help you. You need to load this policy https://www.salesforce.com/services/crossdomain.xml

Answer 2

The solution to this problem was to set the server protocol and url as follows:

apex = new Connection();    
apex.serverUrl = "https://na3.salesforce.com/services/Soap/u/14.0";
apex.protocol = "https";

However, this seems to create a secondary issue of users being locked out, so the issue of non-connectivity remains.

Update: salesforce.com have acknowledged a bug. See my other related post.

Answer 3

I resolve this issue accessing to the Flash Player Configuration Panel(I just recommend it in a development environment), in the "Global Security" tab, select Always Allow.

Regards.

Answer 4

Did you recently upgrade to flash player 10? Flash player 10 changes the way policy files work to some degree, and the crossdomain.xml file needs to be updated to address this. In short, Salesforce.com probably isn't prepared for users upgrading to Flash Player 10 yet.

Answer 5

I am uploading a file from flex to Google docs. Everything is working in the local file however, when we upload the SWF file as S-controls in Salesforce (sandbox), an error appears upon connecting to Google. Please see error below:

Error:[FaultEvent fault=[RPC Fault faultString="Security error accessing url"
faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTPS"] 
messageId="1F812836-1318-B845-AC01-F51AB1D11518" type="fault" bubbles=false 
cancelable=true eventPhase=2]

We tried the following solutions below but nothing seems to work: FLEX: - Add the crossdomain.xml in the bin-debug folder: below is the content of the cross domain policy.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
     <allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

• Used flash.system.security.allowinsecuredomain/allowdomain(“*”) in the initialization.
• Also tried in the connection.protocol set to http Salesforce:
• Disabled the protocol security in the remote site settings o Setup -> Administration Setup -> Security Controls -> Remote Site Settings  URL: http://www.google.com.ph

There’s no problem in connection to Salesforce but upon initialization of the uploading page the security error will appear specifically in the onErrorFault function. Below are code snippets:

<?xml version="1.0" encoding="utf-8"?>
<mx:TitleWindow xmlns:mx="http://www.adobe.com/2006/mxml" layout="vertical" width="534" height="462" verticalScrollPolicy="off" horizontalScrollPolicy="off"
creationComplete="init()" showCloseButton="true" close="{this.closeWindow(event)}" roundedBottomCorners="true">
<mx:Script>
<![CDATA[

private function init():void{
        Security.allowInsecureDomain("*");
        //<salesforce:Connection id="apex" sendRequest="sendRequestListener(event)" serverUrl="http://www.salesforce.com/services/Soap/u/10.0" protocol="http"/>   
        RESTProxyTest();
        send_data();
        arrAddedFiles = new Array();
        this.uploadGrid.dataProvider= this.acFiles; 
        this.title = "Attachment: "+this.selectedTimeSheetDetail.Project.label;
}

public function RESTProxyTest():void
    {
        _conn = new NetConnection();
        _conn.addEventListener(AsyncErrorEvent.ASYNC_ERROR, doAsyncError);
        _conn.addEventListener(IOErrorEvent.IO_ERROR, doIOError);
        _conn.addEventListener(SecurityErrorEvent.SECURITY_ERROR, doSecurityError);
        _conn.addEventListener(NetStatusEvent.NET_STATUS, doNetStatus);
        _conn.objectEncoding = ObjectEncoding.AMF3;

        _conn.connect(_url);
        _responder = new Responder(onResult, onFault);  

    }

private function send_data():void {
        userRequest.url = getLoginURL();
        userRequest.addEventListener(ResultEvent.RESULT, httpResult);
        userRequest.addEventListener(FaultEvent.FAULT, onErrorFault); 
        userRequest.send();
    } 

private function onErrorFault(obj:FaultEvent):void
    {
        Alert.show("Error:"+obj.toString());
    }

private function httpResult(obj:ResultEvent):void
    {
        trace(obj.toString());

        var result:String = obj.result as String;       
        var pos:int = result.lastIndexOf("Auth=");
        var auth:String = result.substr(pos + 5);
        txtAuth.text = StringUtil.trim(auth);
        placeCall();
    }

protected function placeCall():void
    {
        trace("placeCall");
        var headers:Array = ["Authorization: " + "GoogleLogin auth=" + StringUtil.trim(txtAuth.text)];
        var postVars:Array = [];         
        var uri:String = "http://docs.google.com/feeds/documents/private/full?showfolders=true"; 
        _conn.call("RESTProxy.request", _responder, uri, "get", new Array(), postVars, headers);
    }

private function getLoginURL():String
    {
        var url:String = 'https://www.google.com/accounts/ClientLogin?accountType=HOSTED_OR_GOOGLE&' +
        'Email=' + this.session.config.gmail + '&' +
        'Passwd=' + this.session.config.password + '&service=writely'; 

        return url;
    }   
]]>
</mx:Script>

<mx:HTTPService id="userRequest" useProxy="false" method="POST" contentType="application/x-www-form-urlencoded" showBusyCursor="true"/>