views: 1010
answers: 2

I am trying to access files in Amazon S3 bucket with SSL with ActionScript3.

When I use this format...

https://s3.amazonaws.com/bucket.name/filename

I get a security sandbox error: "Error #2048: Security sandbox violation: "

When I switch to this format...

https://bucket.name.s3.amazonaws.com/filename

It works like a charm (until I try it on a browser other than Firefox). It generates a certificate error (host name mismatch) for the other browsers. Once I add exceptions it works fine. But that's not practical.

Third option which would be the ideal version...

https://www.myowndomain.com/filename

... generates the same security violation for all browsers. Needless to say, the domain is mapped to the bucket.

The bucket has its own crossdomain.xml.

The files are custom binary files.

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

I went through the security white paper and the new rules for Flash Player 10. No luck so far.

Any ideas?


Ok, it gets more interesting, and I suspect this is causing the problem. While sanitizing the name of my bucket, I oversimplified. My bucket name has a dot in it and apparently that is not a good thing.

http://faindu.wordpress.com/2008/12/18/amazon-s3-flash-crossdomainxml-ie7-certifacte-error/

So I would appreciate it, if there is an alternative to that.
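The host name mismatch the question hits with a dotted bucket name follows from how TLS wildcards work: a wildcard matches exactly one DNS label. The following Python check is an added illustration, not code from the question, and assumes the S3 certificate names are s3.amazonaws.com plus a single-label wildcard *.s3.amazonaws.com (a constructed assumption).

```python
"""Why the virtual-host style URL fails for a bucket name containing a dot:
a TLS wildcard matches exactly one DNS label (RFC 6125), so a host with two
labels in front of s3.amazonaws.com is not covered. Added illustration, not
code from the question; the certificate names are a constructed assumption."""

# Constructed assumption about the certificate's subject alternative names.
CERT_NAMES = ["s3.amazonaws.com", "*.s3.amazonaws.com"]


def hostname_matches(hostname, cert_names):
    """Return True if hostname is covered by one of cert_names. A leading '*'
    stands for exactly one label; wildcards elsewhere are not honoured."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        parts = name.lower().split(".")
        if len(parts) != len(host):
            continue  # a wildcard never spans several labels
        if parts[0] == "*":
            if parts[1:] == host[1:]:
                return True
        elif parts == host:
            return True
    return False


def s3_hosts(bucket):
    """The two S3 addressing styles the question tried, as (style, host) pairs."""
    return [("path-style", "s3.amazonaws.com"),
            ("virtual-host-style", "%s.s3.amazonaws.com" % bucket)]


def diagnose(bucket, cert_names=CERT_NAMES):
    """Map each URL style to whether the TLS hostname check would pass."""
    return {style: hostname_matches(host, cert_names)
            for style, host in s3_hosts(bucket)}
```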

+1  A: 

This is due to browser restrictions. Also, if you're trying to access S3 from AS3 then you'll probably find the AS3 API quite useful, though this too runs into browser restrictions:

This is an AS3 library for accessing Amazon's S3 service. It only works in Apollo because of restrictions in the browser player.

aleemb
+1  A: 

During your troubleshooting, did you enable the Flash Player's policy file logging feature? You can get more specific information behind the sandbox violation error. Read the following to learn how to set up policy file logging: Policy file changes in Flash Player 9 and Flash Player 10

Personally, I suspect you should be able to get your third option to work, at least, since you'd be able to host a crossdomain.xml at the root location of https://www.myowndomain.com/crossdomain.xml -- but let's see what you have in your crossdomain.xml. I suggest you post a copy here, sanitized if necessary. And, tell us, what kind of files are you trying to load in the player?

Chris W. Rea
The files are custom binary files. I added the crossdomain file to the question.
peacewise
What about the policy log -- did it provide any additional information?
Chris W. Rea
Also, when you try and load https://www.myowndomain.com/filename in your browser, outside of Flash ... do you get a certificate error or is the certificate valid and the request succeeds?
Chris W. Rea
Your crossdomain.xml looks OK on the surface. Have you witnessed your browser make a successful request for your crossdomain.xml? Alternatively, are you explicitly loading the policy file in advance, from its https location? A tool like ieHttpHeaders (for IE) or HttpFox (for Firefox) to inspect is often helpful.
Chris W. Rea
And don't forget to look at the policy log!
Chris W. Rea
> Also, when you try and load myowndomain.com/filename in your browser, outside of Flash ... do you get a certificate error?

In this case, I do get a certificate error. The certificate is only valid for s3.amazonaws.com (Error code: ssl_error_bad_cert_domain). That drove me to try different path versions. I have been looking into the policy log, but I haven't been able to get anything more detailed from the policy log yet.
peacewise
... and yes, I am explicitly loading the policy file in advance from its https location. For https://s3.amazonaws.com/bucketname/crossdomain.xml, I am seeing "Error: Ignoring policy file at https://s3.amazonaws.com/bucketname/crossdomain.xml due to meta-policy 'master-only'." That should not be true, right? For https://bucketname.s3.amazonaws.com/crossdomain.xml, I am seeing "Error: Failed to load policy file from..." even though I can see the file using a browser.
peacewise
Aha. The certificate issue means you won't be able to use the second or third methods proposed ... and the third method of using your own custom domain name is the one with promise, since it allows you to host your crossdomain.xml at the root of the site. Is there any way to install on the site your own SSL certificate for myowndomain.com? Or are you stuck with the Amazon certificate?
Chris W. Rea
By the way, interesting error in the policy log, re: ignoring due to the meta-policy 'master-only'. That made me look for a crossdomain.xml at the root of s3 at https://s3.amazonaws.com/crossdomain.xml ... and it returned an XML error about no such bucket. Perhaps Flash is interpreting the lack of a valid crossdomain.xml to default to a meta-policy of 'master-only', which means any policy files NOT at the root will be ignored.
Chris W. Rea
So... perhaps ask Amazon to install a permissive cross-domain policy at the root of their S3 site? Or get the certificate issue resolved and just host it at the root of your custom domain. I think those are your options.
Chris W. Rea
Finally... see this thread http://developer.amazonwebservices.com/connect/thread.jspa?messageID=35302 ... doesn't solve your problem but it does show others are discussing the issue.
Chris W. Rea
Thanks for all the suggestions. I edited the question to reflect a certain discovery I made. My bucket name has dots in it. :( Meanwhile I am looking into installing an SSL certificate for my domain as you suggested.
peacewise
Dots in the bucket name are pretty much OK. While loading the crossdomain policy, if Flash is redirected to some other page then it does not work (I'm guessing you're using a simple redirect to the S3 bucket URL instead of some kind of CDN). Have you cross-checked the base URL for the crossdomain file and the content file? They must be identical, i.e. character by character (in the second case). And try not using https; Flash has issues with protocols other than http.
bhups
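To tie together the meta-policy and secure-attribute points raised in the comments above, here is an added Python checker (not code from any answer) that models whether Flash Player would honour a given crossdomain.xml for a SWF served from a given host. It assumes the meta-policy defaults to 'master-only' when no master policy loads, which matches the policy-log message quoted above, and that the secure attribute defaults to "true"; the policy documents are constructed samples.

```python
"""Decide whether Flash Player would honour a crossdomain.xml for a given SWF,
applying the two rules raised in this thread: a non-root policy is ignored when
the master meta-policy is 'master-only' (assumed to be the default when no master
policy loads, matching the policy-log message above), and secure="false" lets an
http:// SWF read https:// data. Added illustration, not code from the answers."""
import xml.etree.ElementTree as ET

# Constructed samples: a root master policy locking policies to the root, and
# the per-bucket policy from the question (domain="*" with secure="false").
MASTER_ONLY_XML = ('<cross-domain-policy><site-control '
                   'permitted-cross-domain-policies="master-only"/></cross-domain-policy>')
BUCKET_XML = """<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>"""


def meta_policy(master_xml):
    """Master's permitted-cross-domain-policies; 'master-only' when the master
    is missing or has no <site-control> (assumed default)."""
    sc = None if master_xml is None else ET.fromstring(master_xml).find("site-control")
    return "master-only" if sc is None else sc.get("permitted-cross-domain-policies", "master-only")


def domain_matches(pattern, host):
    """Flash domain patterns: '*' matches any host, '*.example.com' matches
    example.com and its subdomains, anything else is an exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def evaluate(master_xml, policy_xml, policy_is_root, swf_host, swf_https):
    """Return (allowed, notes) for a SWF at swf_host reading https:// data under policy_xml."""
    notes = []
    if not policy_is_root and meta_policy(master_xml) == "master-only":
        return False, ["non-root policy ignored: meta-policy is 'master-only'"]
    for rule in ET.fromstring(policy_xml).findall("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), swf_host):
            continue
        if not swf_https and rule.get("secure", "true").lower() != "false":
            continue  # https-only rule: an http:// SWF does not qualify
        if not swf_https:
            notes.append('warning: secure="false" lets an http:// SWF read https:// data')
        return True, notes
    return False, notes + ["no allow-access-from rule matches %s" % swf_host]
```

Running the question's bucket policy as a non-root file against a missing master reproduces the "ignoring policy file ... due to meta-policy 'master-only'" outcome, while the same file at a root location passes but is flagged for secure="false".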