When I try to request a token from Twitter:

    // Build the signed request_token URL in the SWF and load it directly from Twitter
    _consumer = new OAuthConsumer( _consumerKey, _consumerSecret );
    var oauthRequest:OAuthRequest = new OAuthRequest( "GET", AppConstants.TWITTER_REQUEST_TOKEN_URL, null, _consumer, null );
    var request:URLRequest = new URLRequest( oauthRequest.buildRequest( _signature ) );
    var loader:URLLoader = new URLLoader();
    loader.dataFormat = URLLoaderDataFormat.TEXT;
    loader.addEventListener( Event.COMPLETE, requestTokenHandler );
    loader.load( request );

I get the following Security Error:

Security ERROR: [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048: Security sandbox violation: http://localhost:3000/bin/testsite.swf cannot load data from http://twitter.com/oauth/request_token?oauth_consumer_key=....."]

Although I have added the following:

    Security.allowDomain("*");
    Security.loadPolicyFile("http://twitter.com/crossdomain.xml");

The weird thing is that it doesn't happen when I run my app in Debug mode (from Flash Builder); it only happens when I call my application from localhost:3000 (as I'm using Rails)!

Any ideas?

+1  A: 

I don't believe that Twitter's crossdomain policy allows any domain to make requests to it. In which case you will need to use a server proxy like mod_proxy or BlazeDS.

James Ward
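The server proxy James Ward mentions, shown as an added example in Python that is not part of either answer: the SWF asks its own origin (localhost:3000 in the question, so no crossdomain.xml is consulted at all), and the server, as the only holder of the consumer secret, signs the request_token call with OAuth 1.0a HMAC-SHA1 before forwarding it. REQUEST_TOKEN_URL is the endpoint from the question's error message; the allow-list, the function names and the omitted forwarding step are assumptions of this example.

```python
"""Added example (not from the answer): the signing half of a server-side
proxy for the request_token call, so that the consumer secret stays on the
server and the SWF only ever talks to its own origin."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

# The endpoint from the question's error message; the proxy is the only
# caller of it, and the only holder of the consumer secret.
REQUEST_TOKEN_URL = "http://twitter.com/oauth/request_token"

# Upstream paths the SWF may reach through the proxy (assumed allow-list).
ALLOWED_UPSTREAM = {"/oauth/request_token"}


def pct(s: str) -> str:
    """OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters are kept."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params) -> str:
    """Method, normalised base URL and sorted encoded parameters, joined by '&'."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    encoded = sorted((pct(k), pct(v)) for k, v in params)  # sort by encoded key, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """HMAC key: encoded consumer secret, '&', encoded token secret (empty before a token exists)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(base_string: str, key: str) -> str:
    """HMAC-SHA1 over the base string, base64-encoded, as OAuth 1.0a specifies."""
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_request_token_url(consumer_key, consumer_secret, callback, nonce=None, timestamp=None) -> str:
    """Build the signed GET URL for request_token; nonce/timestamp can be pinned for tests."""
    params = [
        ("oauth_callback", callback),
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(16)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", timestamp or str(int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    base = signature_base_string("GET", REQUEST_TOKEN_URL, params)
    params.append(("oauth_signature", sign(base, signing_key(consumer_secret))))
    return REQUEST_TOKEN_URL + "?" + "&".join(f"{pct(k)}={pct(v)}" for k, v in params)


def proxy_target(swf_request_path: str, consumer_key: str, consumer_secret: str, callback: str):
    """The upstream URL the proxy would fetch for a SWF request, or None when the
    path is not allow-listed. Issuing the upstream request and relaying its body
    back to the SWF is left out (assumed to use urllib or similar)."""
    if swf_request_path not in ALLOWED_UPSTREAM:
        return None
    return signed_request_token_url(consumer_key, consumer_secret, callback)


if __name__ == "__main__":
    # Constructed placeholder credentials, not real ones.
    print(proxy_target("/oauth/request_token", "CONSUMER_KEY_PLACEHOLDER",
                       "CONSUMER_SECRET_PLACEHOLDER", "http://localhost:3000/callback"))
    print(proxy_target("/1/statuses/update.json", "k", "s", "cb"))  # None: not allow-listed
```

The point of the split is that the SWF can be decompiled, so anything embedded in it, including the consumer secret handed to OAuthConsumer in the question, should be treated as public; with the signing done server-side the SWF only ever sees the signed URL's result, never the secret.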
+1  A: 

You're on the right track. The problem here, like with many other web services, is that the crossdomain.xml is not permissive enough. This is true with Twitter's crossdomain.xml and of any domain that doesn't have a crossdomain.xml file.

Here's Twitter's crossdomain.xml.

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
  <allow-access-from domain="twitter.com"/>
  <allow-access-from domain="api.twitter.com"/>
  <allow-access-from domain="search.twitter.com"/>
  <allow-access-from domain="static.twitter.com"/>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-http-request-headers-from domain=".twitter.com" headers="" secure="true"/>
</cross-domain-policy>

For you to have access to ANYTHING at twitter.com you would have to load your swf from one of the domains listed in allow-access-from. Since you probably aren't loading your swf from api.twitter.com you need to proxy your calls to Twitter's API from a server behind a domain you control. Essentially, you will write most of your code in a server-side language like PHP and make calls to that from your swf.

The reason everything works when debugging is because there's no sandbox security when loading a swf directly from your local filesystem (not from a local or remote server).

Check out the whitepaper on Flash security and crossdomain spec for more detail.

Brandon Cook
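The check Brandon Cook describes, as an added example in Python that is not part of the answer: a small model of what Flash Player decides from the policy file above before it lets a SWF read data from twitter.com. It parses the quoted Twitter policy, applies the allow-access-from rules to the SWF's origin, and also shows the effect of the site-control line, which is why only http://twitter.com/crossdomain.xml itself can grant anything. Assumptions: only domain matching, the secure attribute and the meta-policy are modelled, the xsi: attribute is dropped so the snippet parses without a namespace declaration, and the SWF origins and OPEN_POLICY are constructed.

```python
"""Added example, not from the answer: a model of the check Flash Player makes
before a SWF may read data from another host, run against the Twitter policy
quoted above. Assumed simplifications: only allow-access-from domain matching,
the secure attribute and the site-control meta-policy are modelled, and the
xsi: attribute on the root element is dropped so the snippet parses without an
xmlns:xsi declaration."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Twitter's policy as quoted in the answer (xsi: attribute omitted, see above).
TWITTER_POLICY = """<cross-domain-policy>
  <allow-access-from domain="twitter.com"/>
  <allow-access-from domain="api.twitter.com"/>
  <allow-access-from domain="search.twitter.com"/>
  <allow-access-from domain="static.twitter.com"/>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-http-request-headers-from domain=".twitter.com" headers="" secure="true"/>
</cross-domain-policy>"""

# Constructed for contrast: the fully permissive policy Twitter does not serve.
# Security.allowDomain("*") in the question's SWF is not an equivalent: that
# call says which other SWFs may script the caller, not which servers the
# caller may read data from; only the server's policy file decides the latter.
OPEN_POLICY = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'


def domain_matches(pattern: str, host: str) -> bool:
    """Policy-file domain matching: exact name, '*', or '*.example.com'
    (which covers example.com itself and every subdomain)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        bare = pattern[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def swf_may_load_from(policy_xml: str, swf_url: str, policy_is_https: bool = False) -> bool:
    """True if a SWF served from swf_url may read data from the host that served
    policy_xml. For a policy fetched over HTTPS, rules default to secure="true"
    and then admit only HTTPS-loaded SWFs."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    parts = urlsplit(swf_url)
    host = parts.hostname or ""
    swf_is_https = parts.scheme == "https"
    for rule in root.findall("allow-access-from"):
        secure = rule.get("secure", "true").lower() != "false"
        if policy_is_https and secure and not swf_is_https:
            continue  # rule only admits HTTPS-loaded SWFs
        if domain_matches(rule.get("domain", ""), host):
            return True
    return False  # no rule matched: the player raises Error #2048


def policy_location_honoured(master_policy_xml: str, policy_url: str) -> bool:
    """Whether the master policy's site-control meta-policy lets the player honour
    a policy file at policy_url. The default is master-only (Flash Player 9.0.124+).
    'by-content-type' is treated like 'all' here; the Content-Type check is not modelled."""
    root = ET.fromstring(master_policy_xml)
    site_control = root.find("site-control")
    mode = "master-only"
    if site_control is not None:
        mode = site_control.get("permitted-cross-domain-policies", mode)
    path = urlsplit(policy_url).path
    if mode == "none":
        return False
    if mode == "master-only":
        return path == "/crossdomain.xml"
    if mode == "by-ftp-filename":
        return path.rsplit("/", 1)[-1] == "crossdomain.xml"
    return True


if __name__ == "__main__":
    # Constructed SWF origins; the first is the one from the question's error message.
    for swf in ("http://localhost:3000/bin/testsite.swf",
                "http://api.twitter.com/widget.swf",
                "http://www.twitter.com/widget.swf"):
        print(swf, "->", "allowed" if swf_may_load_from(TWITTER_POLICY, swf) else "Error #2048")
```

Note that www.twitter.com is refused too: the quoted rules are exact host names, not `*.twitter.com` wildcards, so the only way to satisfy this policy is to serve the SWF from one of the four listed hosts, which is exactly why the answer points at a proxy.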