0

In code I use this before URLLoader (swf will be used with many different domains and this will be changing in time):

Security.allowDomain("*");

In http://domain.com/crossdomain.xml, I have this for test:

<?xml version="1.0" ?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

I am trying to access http://domain.com/files/filename.bin and still get security error.

Ok, I used crossdomainmaker.com to create access for any domain (for test) and copied it directly into file server and also test if domain.com/crossdomain.xml is accessible. I checked flashlog.txt and found that domain.com/crossdomain.xml is loaded but will be ignored because of its syntax error - its generated by crossdomainmaker website and also correct with specifications and examples over internet, so what can I do?

speedy
  • 129
  • 5
  • 14
  • Have you tried using firebug or something similar to look at the files your SWF is trying to load, and any errors that may pop up? – Jonatan Hedborg Mar 15 '12 at 11:41
  • URLLoader gets standard security error, because of different domain for swf and file to load. But like I said, domain with file has its crossdomain.xml file in root with full allow. – speedy Mar 15 '12 at 12:08
  • Not the flash error - the HTTP error codes in firebug. You can see where it's trying to download the crossdomain from etc. – Jonatan Hedborg Mar 15 '12 at 12:19
  • Do you have the crossdomain.xml on your application server or on the remote server? From your example, it looks like the crossdomain.xml and filename.bin are on the same domain. – Corey Mar 15 '12 at 14:20
  • Yes, crossdomain.xml is on same server as files. I cant put anything other than only swf file on application server. I want my external file server to allow access to hosted files for any swf file. What should I do more to make it? – speedy Mar 15 '12 at 14:32

1 Answers1

1

Cross-domain policy errors are always a pain in the ass. Can you post the exact error and when you're getting it. Also, turn on policy logging: http://help.adobe.com/en_US/flex/using/WS2db454920e96a9e51e63e3d11c0bf69084-7ec4.html

With that, you can see if the file is being loaded, if it's being superseeded by another one, or roughly why it's being rejected.

In the meantime, some links that might be useful.

Cross-domain policy spec: http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html (explains exactly what's going on behind the scenes)

Cross-domain maker: http://www.crossdomainmaker.com/ (easy policy file syntax)

Some security tips when dealing with cross-domain: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html#articlecontentAdobe_numberedheader_3

Btw, setting a policy of "*" is a huge security hole.

divillysausages
  • 7,883
  • 3
  • 25
  • 39
  • Ok, I used http://www.crossdomainmaker.com/ to create access for any domain (for test) and copied it directly into file server and also test if domain.com/crossdomain.xml is accessible. I checked flashlog.txt and found that domain.com/crossdomain.xml is loaded but will be ignored because of its syntax error - its generated by crossdomainmaker website and also correct with specifications and examples over internet, so what can I do? – speedy Mar 16 '12 at 05:44
  • does it give you an idea of the syntax error? can you post it here? – divillysausages Mar 16 '12 at 09:02
  • Nope, it only said that crossdomain.xml will be ignored because of its syntax error and gives me dead link to adobe documentation (all in my native language, not english). But I solved my problem. Something wrong in crossdomain.xml file I posted in question. This one from crossdomainmaker works now, but I had to completly clear any cache, because also browser restart was not enough. I forgot about this little issue. Thanks for all links, that was very helpful. – speedy Mar 16 '12 at 10:34