YouTUBE API for Flash not working

Question

We have a browser flash application which loads the YouTube Embedded AS3 Player to play some YouTube videos (https://developers.google.com/youtube/flash_api_reference)

Yes I know the Flash API is deprecated, Flash is dying, etc. but it is currently the only practical platform for our complex 3D graphic authoring tool, which just as one feature plays YouTube videos; and it would be crazy to force our customers to host their videos on Vimeo to answer this problem.

Everything has been working fine so far (no changes in code or server), until 2 weeks ago, where we were not able to play YouTube videos from the app.

I found that the url format we were using so far was giving a file not found error:

http://www.youtube.com/v/<my video code>?version=3&autoplay=1

After investigating a bit, it seems that Google updated their API Services terms of service.

So following some directions in their page, I changed http to https:

https://www.youtube.com/v/<my video code>?version=3&autoplay=1

When my app tries to load the YouTube player using that url, the Event.COMPLETE event is fired and the player data seems to be loaded fine, but in this part where the YouTube player is assigned to a var:

private function onLoaderComplete(e:Event):void {
    var player = e.currentTarget.content;
    ....
}

It throws the following error:

*** Security Sandbox Violation ***
SecurityDomain http://<my app url> tried to access incompatible context 'https://www.youtube.com/v/<my video code>?version=3&autoplay=1'
SecurityError: Error #2121: Security sandbox violation: LoaderInfo.content: http://<my app url> cannot access https://www.youtube.com/v/<my video code>?version=3&autoplay=1. This may be worked around by calling Security.allowDomain.

I have set all the Security.allowDomain and Security.allowInsecureDomain I can think of (*.youtube.com, *.ytimg.com, https ://www.youtube.com, https://s.ytimg.com, etc. and any variation of http and https I can think of). So I don't think this is the problem.

I tried the solution in this thread, where it recommends to use this line to solve Error #2121:

loaderContext.securityDomain = SecurityDomain.currentDomain;

Now it doesn't even fire the Event.COMPLETE event. Only a SecurityErrorEvent.SECURITY_ERROR event, so no content is loaded:

*** Security Sandbox Violation ***
Connection to https://www.youtube.com/v/<my video code>?version=3&autoplay=1 halted - not permitted from http://<my app url>
httpStatus (error): [HTTPStatusEvent type="httpStatus" bubbles=false cancelable=false eventPhase=2 status=0 redirected=true responseURL=null]
SecurityError: 
[SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048: Security sandbox violation: http://<my app url> cannot load data from https://www.youtube.com/v/<my video code>?version=3&autoplay=1."]

So I think this is a step backwards.

I thought it may be an HTTP to HTTPS issue, but on the other hand, loading the YouTube Chromeless AS3 player API directly (without play/stop and time line controls), works fine:

https://www.youtube.com/apiplayer?version=3&video_id=<my video code>

Any useful hint will be appreciated.

Answer 1

You got the error Security Sandbox Violation because you are trying to access a web/server file from a local file on your computer which Adobe security does not like. Check out this link

Found also this thread which states that this can happen when the sandbox is configured to be used one way, but is being used in another way by mistake.

Check these related links:

• Security Sandbox Violation with Youtube API
• Security Sandbox Violation Flash AS3

Answer 2

I ran into the same problem. It seems that Youtube now has a more restricted version of the crossdomain.xml (https://www.youtube.com/crossdomain.xml):

<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />

whereas it should be

<allow-access-from domain="*" />