Flash Player 10.1 causing sandbox violation no previous version caused

Question

This is a WTF moment for me. Working with a SWf where it's worked all along, loading data from http://akmi.kaltura.com. But, now, if you switch from Flash Player 10 to Flash Player 10.1, I get the standard security sandbox violation:

* Security Sandbox Violation * Connection to http://akmi.kaltura.com//index.php/partnerservices2//executeplaylist?partner_id=36022&playlist_id=0_buugxoml&subp_id=3602200&format=8&ks=NDE4MzIyOTA4OTlhNGM0OTAyMjliMGU3Y2M1ODY5MzJjNmE5NjBmNHwzNjAyMjszNjAyMjsxMjc3MDczMjcyOzA7MTI3Njk4Njg3Mi4wMjk3OzA7dmlldzoq halted - not permitted from http://localhost/kdp.swf Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http://localhost/kdp.swf cannot load data from http://akmi.kaltura.com//index.php/partnerservices2//executeplaylist?partner_id=36022&playlist_id=0_buugxoml&subp_id=3602200&format=8&ks=NDE4MzIyOTA4OTlhNGM0OTAyMjliMGU3Y2M1ODY5MzJjNmE5NjBmNHwzNjAyMjszNjAyMjsxMjc3MDczMjcyOzA7MTI3Njk4Njg3Mi4wMjk3OzA7dmlldzoq.

What changed?? The crossdomain.xml is still in place and if I downgrade to FP 10 (or earlier), it works as expected. Any ideas?

Answer 1

I'm shooting in the dark a bit, but...

First off, in the URL you specify there are two '//' before the index.php . Is that causing an issue w/ Flash Player 10.1 finding the cross domain file? Or did the error mangle the URL somehow?

If memory serves me, Flash Player is really particular about the crossdomain.xml is really particular. I notice that your XML tags are in a different order than the ones I use on The Flex Show and I did not specify a namespace. So you might try changing those:

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

I'm kind of guessing, though, it's not an issue I've run into yet.

Answer 2

Well, in general it's not necessarily strange for new security errors to occur with a player update. The Flash player usually tries to guarantee backwards compatibility with old content, but security changes are considered an exception, so whenever Adobe makes something about the security model more strict than it was previously, it's assumed that developers have to update their content.

With that said though, here are the security changes from FP10 to FP10.1, and none of them sounds like anything that would affect you here. So my best guess is that something very subtle changed between 10 and 10.1, which for whatever reason wasn't in Adobe's writeup, that you need to work around - unless anything in the page I linked rings a bell with you?

Answer 3

I had a similar problem and was able to fix it by removing the extra slash in the url. The problem occurs only in 10.1 clients when the extra slash appears at the root of the domain.

example.com//myurl
causes problems,

example.com/mysite//myurl doesn't cause problems.

Had to remove the http prefix to get this to pass the sites filters.

This is probably related to changes in security handling. Posting to save others frustration.

Answer 4

Man try to load your cross domain with actionscript making a connection with a xmlsocket:// instead of ht tp://