Hello,

I recently deployed a Flash application to a server, and am now experiencing errors when making HTTPService requests. I have put what I believe to be the most permissive crossdomain.xml possible in the wwwroot folder, and still get the errors.

Interestingly enough, the error only seems to occur when the request is made from a direct user interaction (i.e. button click). The application makes other requests that are initiated by other means (i.e. creationComplete), and they seem to work as expected.

Anyone see anything wrong with the crossdomain.xml, or have any other suggestions?

ERROR MESSAGE

[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
 at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal%3A%3AfaultHandler()
 at mx.rpc::Responder/fault()
 at mx.rpc::AsyncRequest/fault()
 at DirectHTTPMessageResponder/securityErrorHandler()
 at flash.events::EventDispatcher/dispatchEventFunction()
 at flash.events::EventDispatcher/dispatchEvent()
 at flash.net::URLLoader/redirectEvent()

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="all" />
 <allow-access-from domain="*" secure="false" />
 <allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
+1  A: 

You need to be careful with those crossdomain policy files because they can open up some serious security holes. You should never use a * policy on a site that uses cookie or basic auth and you should never put a * policy on an intranet server.

The easiest way to avoid those security problems and make things work is to make sure that the URL the SWF is loaded from and the URL the requests are being made to are the same protocol, hostname, and port (if specified). If they are different then you should look into using a proxy so that they are the same. BlazeDS or Apache can easily be set up as a proxy.

James Ward
Can you elaborate why tightening down the crossdomain.xml is so important? Seems like there are a lot easier ways to try to attack someone's server besides using flash to do it...
Osman
This is why it's important: http://tech.slashdot.org/story/09/11/05/1552204/Facebook-and-MySpace-Backdoors-Found-Fixed
James Ward
Ahh ok because AJAX does not allow cross domain scripting
Osman
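
An added example, not part of the original thread or any poster's code: a small Python audit that flags the wildcard directives in a crossdomain.xml such as the one in the question, plus a check of the answer's same protocol/hostname/port rule. The function names, finding texts and example.com URLs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the policy posted in the question.
QUESTION_POLICY = """<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="all" />
 <allow-access-from domain="*" secure="false" />
 <allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>"""

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def same_origin(swf_url, request_url):
    """True when SWF and request share protocol, hostname and port."""
    return origin(swf_url) == origin(request_url)

def audit_policy(xml_text):
    """Return a list of findings for risky crossdomain.xml directives."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        domain = el.get("domain", "")
        if el.tag == "site-control":
            if el.get("permitted-cross-domain-policies") == "all":
                findings.append("site-control: any policy file on the host is honoured")
        elif el.tag == "allow-access-from":
            if domain == "*":
                findings.append("allow-access-from: any origin can read responses")
            elif domain.startswith("*."):
                findings.append(f"allow-access-from: all subdomains of {domain[2:]}")
            if el.get("secure", "true").lower() == "false":
                findings.append("allow-access-from: HTTP-loaded SWFs may read HTTPS content")
        elif el.tag == "allow-http-request-headers-from":
            if domain == "*" and el.get("headers") == "*":
                findings.append("allow-http-request-headers-from: any origin may send any header")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(QUESTION_POLICY):
        print(finding)
```
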
A: 

I am having the same problem. I have a cross domain file at the server but my problem is exactly the same as the starting question. Can you please update whether you got the answer or not? I am using FLEX 4

Zahid