Writing Flash crossdomain.xml for Amazon S3

Question

I have two servers. Server A is an internal server that has access from the outside world set up here in my office. It has a Rails server running on it. I have a second server, Server B, that contains all our static content (images, swfs, javascript, css, etc.), it is an Amazon S3 server. I have given all these files public access.

What I am attempting is to put a swf from Server B on a page served by Server A. Then, the other assets that the swf requires in order to display get dynamically loaded from Server B. Unfortunately, however, somewhere along the way it's failing and the files that are requested to be dynamically loaded just never arrive.

Based on errors in my browser console the swf is expecting a crossdomain.xml file to be on Server A. Based on this, it also needs one to be on my S3 server. So, that being the case I have created two crossdomain.xml files, one for each server.

This is Server A's crossdomain.xml file:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
  "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="s3-bucket-name.s3.amazonaws.com" />
</cross-domain-policy>

This is Server B's crossdomain.xml file:

<?xml version="1.0" encoding="UTF-8"?>    
<!DOCTYPE cross-domain-policy SYSTEM
  "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.server-a.com"/>
  <allow-http-request-headers-from domain="*.server-a.com" headers="SOAPAction"/>
</cross-domain-policy>

Additionally, I am explicitly loading Server B's crossdomain.xml file in my swf:

Security.loadPolicyFile("https://s3-bucket-name.s3.amazonaws.com/crossdomain.xml");

No matter what I do, however, it just does not work. I'm not sure what else to try. I've tried looking through a number of the solutions here on SO but nothing has helped me resolve my problem yet. Surely someone else has had more experience in this than I have and can give me some guidance, I'm pretty much out of ideas at this point.

Update Updating my question with some more info.

I tried setting both policy files to * and it started working until it hit:

SecurityError: Error #2121: Security sandbox violation: Loader.content: s3.amazonaws.com/bucket_name/swfs/foo.swf cannot access s3.amazonaws.com/bucket_name/data/swfs/bar.swf. This may be worked around by calling Security.allowDomain.

Additionally, I ran Charles and it is pulling the crossdomain.xml from both my local server but I don't see it for s3.

Update 2 I tried adding this to the loader:

var context:LoaderContext = new LoaderContext();
context.securityDomain = SecurityDomain.currentDomain;
context.applicationDomain = ApplicationDomain.currentDomain;
Loader.load(new URLRequest(_dataFile), context);

This resulted in the files actually downloading! Unfortunately now it crashes out with this:

SecurityError: Error #2119: Security sandbox violation: caller s3.amazonaws.com/bucket_name/swfs/MainSwf.swf cannot access LoaderInfo.applicationDomain owned by s3.amazonaws.com/bucket_name/data/swfs/foo/SecondSwf.swf

I've tried including/not including the context.applicationDomain = ApplicationDomain.currentDomain; line but that hasn't resolved the issue.

Where the crash is actually occurring is at a later time after the file is loaded where we are getting the applicationDomain: loader_.contentLoaderInfo.applicationDomain.getDefinition( def.a )

(1) Are you using URLLoader, or is it Loader? (2) Change both files to domain="*" and see what happens. (3) Run Charles or some other local proxy server and see if the files are being requested (and served). — Manish, Mar 02 '12 at 04:28
1. Loader; 2. I just tried this, it started loading until it did this: SecurityError: Error #2121: Security sandbox violation: Loader.content: http://s3.amazonaws.com/bucket_name/swfs/foo.swf cannot access https://s3.amazonaws.com/bucket_name/data/swfs/bar.swf. This may be worked around by calling Security.allowDomain. — keybored, Mar 02 '12 at 17:10
Additionally, I ran Charles and it is pulling the crossdomain.xml from both my local server but I don't see it for s3. — keybored, Mar 02 '12 at 17:19

score 1 · Answer 1 · answered May 01 '12 at 20:29

1

Solved, finally. Make sure you're using the bucket name as the subdomain for both the Policy file loading, and every file / URL request.

Solution:

http://onegiantmedia.com/cross-domain-policy-issues-with-flash-loading-remote-data-from-amazon-s3-cloud-storage

answered May 01 '12 at 20:29

OG Sean

971
8
18

+1 This solved our issue. Good link. The putting the bucket name first in the link to crossdomain.xml fixed things. What an obscure way to finally solve something. This tip should be better documented. – Bill Rosmus Mar 16 '13 at 22:28

John Himmelman · Answer 2 · 2012-03-02T18:26:26.137

1

Make sure the mime type of crossdomain.xml is set to application/xml. Flash will not load the policy file if the mime type isn't set correctly. Checkout CloudBerry's free s3 client, it's pretty good at detecting/setting the correct mimetype, its possible the s3 client you're using didn't set it correctly.

Edit: Apache, and other webservers, detect a file's mime type and return it in the response headers - so this issue doesn't normally come up in local testing

edited Mar 02 '12 at 18:26

answered Mar 02 '12 at 18:15

John Himmelman

21,504
22
65
80

Does this get set in the xml file itself? – keybored Mar 02 '12 at 18:18
No, its set when you upload the file to s3 (you need to manually set the content-type header). Apache automatically detects a file's mime type and returns it in the Content-Type header. – John Himmelman Mar 02 '12 at 18:20

score 0 · Accepted Answer · answered Mar 03 '12 at 17:06

0

It looks like you have a.swf and b.swf on different domains, and a.swf is trying to access the content of b.swf (via Loader.content), and no doubt it's failing with a security error.

You have two options:

Load b.swf in the same security domain as a.swf (i.e. the "current" security domain). You can do this in a.swf's code by passing a new LoaderContext to Loader.load() and setting the loaderContext.securityDomain = SecurityDomain.currentDomain
Explicity allow a.swf to access b.swf by calling Security.allowDomain() in b.swf's code with a.swf's domain name as the parameter

Which one you choose depends on other considerations. With the first one, b.swf is able to do what a.swf can do (everything!) in terms of cross-domain security (i.e. access files, etc.); with the second one, any SWF file on a.swf's domain is able to access b.swf's content. It really depends how you want to set up the trust.

answered Mar 03 '12 at 17:06

Manish

3,472
1
17
16

As for your first suggestion, are there any security considerations I should be aware of if I did that? – keybored Mar 03 '12 at 20:09
I went ahead and tried the first suggestion, it actually loaded the files! But now it crashes with this: SecurityError: Error #2119: Security sandbox violation: caller http://s3.amazonaws.com/bucket_name/swfs/MainSwf.swf cannot access LoaderInfo.applicationDomain owned by https://s3.amazonaws.com/bucket_name/data/swfs/foo/SecondSwf.swf. – keybored Mar 03 '12 at 20:29
@keybored with first suggestion, question to ask yourself is: would I host b.swf on a.swf's domain? (i.e. if b.swf is developed by a third party that you don't trust, then it's best you didn't.) – Manish Mar 03 '12 at 21:02
Both swfs are internally developed. Also, please see Update 2 in the main question to see how I'm getting the error. – keybored Mar 03 '12 at 21:11
@keybored where is `getDefinition()`, in main SWF or loaded SWF? Also, get rid of `ApplicationDomain.currentDomain` if not required. – Manish Mar 03 '12 at 21:22
getDefinition() is being called in the main swf – keybored Mar 03 '12 at 21:28

Writing Flash crossdomain.xml for Amazon S3

3 Answers3

Linked