How do I fix this cross-domain ActionScript 3 error?

Question

I'm going to be as specific and verbose as possible and include some of the code I'm using. I already did a search and found this question, which seems similar; however the author there was using ActionScript 2 instead of 3, and I couldn't seem to apply any of the answers given to my own situation effectively.

I am trying to emulate (in a limited way) the behavior of JavaScript's XMLHttpRequest object through Flash/ActionScript 3, in order to overcome the same-domain limitation. But I'm discovering that ActionScript has its own limitations in that regard. I admit that I might be mistaken, but from what I understand it is theoretically still possible to do this sort of cross-domain scripting using ActionScript, so long as you get all the permissions right. And that's where I'm running into trouble.

First, I borrowed some open-source code for a class called AjaxRequest, which I have saved as /ajax/AjaxRequest.as. I then created a Flash file called /jsajax.fla which exports to the final SWF file, /jsajax.swf. Now, here's the ActionScript code that comprises the first and only frame of the Flash file:

import ajax.AjaxRequest;
Security.allowDomain("domainone.com");
Security.allowDomain("domaintwo.com");

function jsAjax(stringURL:String, stringMethod:String, stringData:String):void
{
 var xhr:AjaxRequest = new AjaxRequest(stringURL);
 xhr.contentType = "application/x-www-form-urlencoded";
 xhr.dataFormat = URLLoaderDataFormat.TEXT;

 if ( stringMethod.toUpperCase() == "POST" ) {
  xhr.method = URLRequestMethod.POST;
 } else {
  xhr.method = URLRequestMethod.GET;
 }

 xhr.addEventListener("complete", jsAjaxResponse);
 xhr.send(stringData);
 return;
}

function jsAjaxResponse(evt:Event):void
{
 ExternalInterface.call("jsAjaxResponse", evt.currentTarget.data.toString());
 return;
}

ExternalInterface.addCallback("jsAjax", jsAjax);
ExternalInterface.call("jsAjaxReady");

So far so good. I have a feeling that one or more of those Security.allowDomain calls are not needed, but they were my (unsuccessful) attempts to try to solve this problem.

In my JavaScript, I've got three functions defined: jsAjax, jsAjaxResponse, and jsAjaxReady. The last one is just a very basic function used to indicate that the Flash object loaded successfully (which is only called once and immediately upon loading it), while the other two are used for sending and receiving the data. As you can see, they have corresponding ActionScript counterparts.

Finally, I created a simple HTML page called /test.html that embeds this SWF file (using swfobject) and has a couple of simple form controls for calling the jsAjax function. All of my JavaScript definitions are embedded in this HTML file too. I also created a very simple PHP script called /test.php that prints out the contents of the $_REQUEST array. That's the script I intend to request using this ajax method.

There are three scenarios that I tested, but I was only able to get two of them working:

---

SCENARIO ONE: All on one server
If I upload all of these files to domainone.com, and then request test.php, it works fine. My file/folder structure then looks like this:

domainone.com/jsajax.swf
domainone.com/test.html
domainone.com/test.php

Again, this works. The jsAjaxResponse function receives back the data from test.php just fine.

---

SCENARIO TWO: On both servers, leaning left
When I uploaded the HTML and SWF to the first server, and then just have it call the PHP script on the second server, it didn't work right away. I did some digging, and found that by creating a crossdomain.xml file on domaintwo.com that granted access to domainone.com, this fixed it. So my file/folder structure looked like this:

domainone.com/jsajax.swf
domainone.com/test.html
domaintwo.com/test.php
domaintwo.com/crossdomain.xml

When explicitly allowing domainone.com in the crossdomain.xml file, this works. Again, the jsAjaxResponse function receives back the data from test.php just fine.

---

SCENARIO THREE: On both servers, leaning right
When I uploaded all but the HTML to domaintwo.com, I could no longer get it to work. In other words, the HTML on domainone.com is referencing an SWF file hosted on domaintwo.com, and that SWF file is trying to make a request to domaintwo.com. I left the same crossdomain.xml file from Scenario 2, just in case. My file/folder structure looked like this:

domainone.com/test.html
domaintwo.com/jsajax.swf
domaintwo.com/test.php
domaintwo.com/crossdomain.xml

This is the only case I could not get working, and this is the case I need to get working. The first two were really just test scenarios to see if the script was working at all. When I try to run my jsAjax function here, I wind up with an error that shows up twice in Firebug:

uncaught exception: Error calling method on NPObject! [plugin exception: Error in Actionscript. Use a try/catch block to find error.].
uncaught exception: Error calling method on NPObject! [plugin exception: Error in Actionscript. Use a try/catch block to find error.].

---

Help! How do I get it working in scenario 3?

Answer 1

I just figured it out! It did have to do with the Security.allowDomain commands in my Flash file. I was actually hosting the test.html on a subdomain of domainone.com, and that was throwing it off. It has to be an exact match, subdomain and all. It turns out I didn't need the Security.allowDomain command that referenced domaintwo.com, nor did I need the crossdomain.xml file to be present at all for Scenario 3!

Since in the "real" version of this script that I end up using, I won't necessarily know what domainone.com actually is, I changed the code on the top of the Flash file to this:

import ajax.AjaxRequest;
try {
 var domain1:String = LoaderInfo(this.root.loaderInfo).parameters["allow"];
 if ( domain1.length > 0 ) {
  Security.allowDomain(domain1);
 }
} catch (error:Error) { }
try {
 var domain2:String = LoaderInfo(this.root.loaderInfo).parameters["allowhttps"];
 if ( domain2.length > 0 ) {
  Security.allowInsecureDomain(domain2);
 }
} catch (error:Error) { }
...

Then, in the JavaScript I'm using to embed the SWF there in the first place, I basically grab the current domain of the page from document.location.toString(), check whether it's using http or https, and then pass the domain in as allow and/or allowhttps in the flashvars parameter. There might be a "better" way to do this that doesn't rely on setting the domain up explicitly in the Flash Vars (some kind of automatic detection from within Flash), but I'm not versed in ActionScript well enough to figure that out. And since this file is already doing a whole bunch of bidirectional communication between JavaScript and ActionScript, it's not that big of a deal. This solution is good enough for me.