Hey folks,

I'm trying to hit the Twitter API in my Flash application. It works in the local Flash IDE, but doesn't work when I upload it to my server. I'm getting this error:

Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http//alpha.{oursite}.com/flash/twitterticker.swf cannot load data from http//twitter.com/statuses/user_timeline/{ouraccount}.xml.

[ignore the lack of a ":" in the http:// in the error msg - I don't have enough of a reputation yet to post more than one hyperlink :-)]

When I look in Charles, it appears that the error is related to not finding an entry for my website in Twitter's crossdomain.xml file. As far as I know, this is not a requirement to use their API. Is there something I'm missing?

TIA!

Steve W

+1  A: 

Looking at the crossdomain file at http://twitter.com/crossdomain.xml, you won't be able to directly call the Twitter API from Flash.

You are going to either need a server-side proxy, or use ExternalInterface bi-directional communication, since JavaScript can bypass the sandbox using JSONP.

The Twitter API site has several links to ready-written Twitter implementations for Flash. Maybe you can use one of their server-side proxies.

Les
Yeah, a few days ago Twitter removed the crossdomain allowances they had for a few years. Flash apps everywhere cried.
Typeoneerror
So how does tweetdeck (the AIR twitter client) work? I think you have to use their api instead of accessing the feed directly. I'm not familiar with twitter api though.
Amarghosh
A few days ago Twitter removed the crossdomain allowances? I guess that's why this was working for me a couple of weeks ago, then stopped. What a bummer! How can they revoke privileges in a way that breaks other people's apps?
Steve W
Quoting Alex Payne on the Twitter development group: "Yes, we changed crossdomain.xml in response to a security threat last night. Unfortunately, due to an insecure interaction between Flash and browsers, allowing cross-domain requests from any domain opens us to assumed login attacks, which a Japanese security researcher had noted publicly in the last 48 hours." I guess they had to protect their users from some sort of XSS attack?
Les
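
The policy check discussed in this thread, as an added example that is not part of the original posts: a small Python sketch of how a crossdomain.xml decides whether a SWF's host may read responses, plus an audit for the allow-all entry the quoted Twitter message refers to. The policy files, host names and function names are constructed for illustration, and the wildcard matching is a simplification that treats `*.example.org` as covering subdomains only.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration (not Twitter's actual files).
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="api.example.com"/>
  <allow-access-from domain="*.example.org"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    # For policies fetched from untrusted hosts, use a hardened XML parser.
    root = ET.fromstring(policy_xml)
    return [el.get("domain").strip().lower()
            for el in root.iter("allow-access-from")
            if el.get("domain")]


def pattern_matches(pattern, host):
    """Simplified matching (assumption): '*' is any host, '*.x' is any
    subdomain of x, anything else must match the host exactly."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def swf_may_read(policy_xml, swf_host):
    """True if a SWF served from swf_host is granted access by the policy."""
    return any(pattern_matches(p, swf_host) for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """Return allow-all entries, which let a SWF on any site read responses
    (including ones sent with the visitor's cookies)."""
    return [p for p in allowed_domains(policy_xml) if p == "*"]


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, swf_may_read(policy, "alpha.example.net"), audit(policy))
```

Once the allow-all entry is gone, a SWF hosted on an unlisted site gets the sandbox violation from the question, which is why the answer points to a server-side proxy.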