2

I feel as though I am banging my head against a wall on this one. I have tried (I think) every variation on a cross-domain xml file with no success. I just cannot seem to make my cross-domain Loader() requests work, no matter what I try. Here is the output from my policyfiles.txt log file:

OK: Root-level SWF loaded: http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/a61d36278cc44cd1a0b8fa10f3edc914.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/ba8d7a1701954a6cb03e7aaf12a26a2b.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/91f6f184518247f0916692286dd7101a.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Policy file accepted: https://replayservice2.secretdomain.com/crossdomain.xml
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/a61d36278cc44cd1a0b8fa10f3edc914.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/ba8d7a1701954a6cb03e7aaf12a26a2b.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/91f6f184518247f0916692286dd7101a.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.

and here is my crossdomain.xml file:

<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*" secure="true"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

Note that the actual domains have been replaced with secretdomain.com.

All I'm doing is retrieving images in AS3 and assigning them to bitmaps.

UPDATE:

The issue only seems to occur when calling our secure server from an insecure server. Is this just forbidden, or is there a way around this?

whitehawk
  • I should also mention that my crossdomain.xml file is located at: https://replayservice2.secretdomain.com/crossdomain.xml – whitehawk Apr 26 '11 at 01:40

6 Answers

3

Your update there is the answer to your entire problem:
"The issue only seems to occur when calling our secure server from an insecure server. Is this just forbidden, or is there a way around this?"

Especially when we look at the important part of your policy file:

<allow-access-from domain="*" secure="true"/>

That 'secure=True' part means that you are quite specifically not allowed to mix-n-match secured and unsecured connections; they all have to be secure. By having that 'true' value in there, you're the one who is forbidding it. The way around it is, of course, to set it to 'secure=False' as in several of the other policy files that have been posted here.

Task
2

If you try to communicate from an http port to an https port you will get "swf is denied due to lack of policy file permissions". To avoid this type of error you can include the following tag in crossdomain.xml:

  <allow-access-from domain="*" secure="false" to-ports="*"/>

This solves "Security Sandbox Violation".

If you get a warning message "does not specify a meta-policy. Applying default meta-policy 'master-only'.", place the following tag in crossdomain.xml:

  <site-control permitted-cross-domain-policies="all"/>
kishorekumaru
1

I've included our cross-domain policy if it helps. The only thing we do differently is the site-control tag.

<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <site-control permitted-cross-domain-policies="all"/> 
   <allow-http-request-headers-from domain="*"/> 
   <allow-access-from domain="*" secure="false" to-ports="*"/>
</cross-domain-policy>
Nathan Smith
0

Apart from setting secure="false" in the 'allow-access-from' tag, also set secure="false" in the 'allow-http-request-headers-from' tag. Your crossdomain.xml should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="SOAPAction"  secure="false"/>
</cross-domain-policy>
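The `secure` behaviour described in the answers above, as an added example (not code from any of the posters): a small Python check that evaluates a policy for a given requestor and lists the rules that widen access. It handles only `domain="*"` and exact host names, assumes host names are compared without the port, and uses constructed policies modelled on the ones on this page (the `xsi:` attribute is omitted so the XML parses).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed policies modelled on the ones quoted on this page.
ASKER = '''<cross-domain-policy>
<allow-access-from domain="*" secure="true"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>'''
ANSWERS = ASKER.replace('secure="true"', 'secure="false"')
NARROW = ANSWERS.replace('domain="*"', 'domain="cool.com"')

POLICY_URL = "https://replayservice2.secretdomain.com/crossdomain.xml"
SWF_URL = "http://cool.com:81/WEBPLAYERAS3.swf"

def _rules(policy_xml):
    return ET.fromstring(policy_xml).iter("allow-access-from")

def _https_only(rule, policy_url):
    # secure only matters in an HTTPS policy file, where it defaults to "true".
    https_policy = urlsplit(policy_url).scheme == "https"
    return https_policy and rule.get("secure", "true").lower() == "true"

def allowed(policy_xml, policy_url, requestor_url):
    """True if some rule grants the requesting SWF access to the policy host."""
    req = urlsplit(requestor_url)
    for rule in _rules(policy_xml):
        domain = rule.get("domain", "").lower()
        # Assumption: host names are compared without the port.
        if domain != "*" and domain != (req.hostname or "").lower():
            continue
        if _https_only(rule, policy_url) and req.scheme != "https":
            continue  # the rule covers HTTPS-served requestors only
        return True
    return False

def audit(policy_xml, policy_url):
    """List the rules that widen access beyond HTTPS requestors from named hosts."""
    findings = []
    https_policy = urlsplit(policy_url).scheme == "https"
    for rule in _rules(policy_xml):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('domain="*": a SWF hosted on any site is granted access')
        if https_policy and not _https_only(rule, policy_url):
            findings.append(f'secure="false" for {domain}: HTTP-served SWFs may read HTTPS data')
    return findings

if __name__ == "__main__":
    for name, policy in (("asker", ASKER), ("answers", ANSWERS), ("narrow", NARROW)):
        print(name, allowed(policy, POLICY_URL, SWF_URL), audit(policy, POLICY_URL))
```

With these constructed inputs the asker's policy denies the HTTP-served SWF, both `secure="false"` variants allow it, and only the `cool.com` variant still refuses HTTP requestors from other hosts.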
0

I'm an ActionScript noobie, but does the Security.allowDomain("domain.com") do the trick?

Oliver Spryn
0

I see in the stuff you posted

OK: Root-level SWF loaded: http://cool.com:81/WEBPLAYERAS3.swf

This tells me your swf is being loaded on port 81.
What port are you dishing out the crossdomain on? It is very important that you have one on every port you are using.

The_asMan
  • Well the swf that is calling OUT is on port 81, but the server we are calling out TO is on port 80. – whitehawk Apr 28 '11 at 22:27
  • Then you need a crossdomain file on the root of the server on port 80 – The_asMan Apr 28 '11 at 22:40
  • Oh wait a second, your swf is on http port 81 and you are trying to call up https port 80? – The_asMan Apr 28 '11 at 23:15
  • Sorry I guess Https is 443 by default then. But yeah - http port 81 to https port 443. – whitehawk May 01 '11 at 22:31
  • Your best bet is to get the swf to load from the https on port 80. If you can't do that, on the https server port 80 in the server root supply the cross domain there and specify cool.com on port 81 is allowed. Repost any errors after that – The_asMan May 02 '11 at 16:37
  • https is not port 443. Port 443 is the default fallback for cross-domain policy. https is any port you configure it to be (in your case 80). https is a protocol – The_asMan May 02 '11 at 16:46