In my Flex 4 app, I access an RSS feed (I'm using http://news.ycombinator.com/rss as a dummy). It works okay when I run it from Flash Builder 4, but if I export the project and upload it, I get the following error when it tries to load the RSS feed:
Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: my_website_url cannot load data from http://news.ycombinator.com/rss.
What could be causing this error? Shouldn't RSS be able to be accessed from anywhere? Thanks for reading.
Afaik flash looks for a crossdomain.xml (http://news.ycombinator.com/crossdomain.xml) file to detect if it's allowed to download this content. You find a possible solution here.
The Flash Player is in it's own security sandbox inside the browser. It cannot access URLs outside the domain from which it was served unless it is given permission.
That permission is given through the use of a crossdomain.xml file. There is no cross domain file on the ycombinator site, as you can see here: http://news.ycombinator.com/crossdomain.xml . As such flash will not be able to access that URL unless the swf file is also served off ycombinator.
I'm unclear why this works when you test it locally; you should be having the same issue.
If that is your site, you can create a cross domain file and add it to the root directory and your problems should go away. More info here:
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
If you need an alternate feed to test with, you can use The Flex Show's RSS:
http://www.theflexshow.com/blog/rss.cfm?mode=full
(our Cross Domain for your reference)
http://www.theflexshow.com/crossdomain.xml
I'm unclear why this works when you test it locally; you should be having the same issue.
This is because when you are running from Flash Builder, the output file is a local file and hence the security domain is different as opposed to a SWF hosted in a web server.
Related
I'm trying to perform a file upload using a FileReference from a Flex app running in Firefox 4. However when I attempt to call the upload() method, the Filereference throws an IOError with the following
Error #2038: File I/O Error. URL: http://localhost:8080/admin/upload
If I don't explicitly add a listener for the IOErrorEvent, then I get a Flash player popup stating
SecurityError: Error #2000: No active security context.
The request doens't even hit my server (I can verify by placing breakpoints in the Java code and watching the HTTP Requests that go out using HTTPFox), so it seems to me that this is a client side issue (right?). I've done some searching for the problem on google and the suggestions included wrapping the upload() call in a timeout/callLater, and attempting to attach the sessionId to the request (since Firefox creates a new thread for the upload and doesn't attach the proper cookies). Neither of these approaches has worked for me.
I don't experience this problem with Internet Explorer, only Firefox.
Has anyone encountered this before? Any suggestions? Thanks for any help.
EDIT: Should mention that the SWF and the URL being requested are on the same server (localhost:8080).
From the docs for FileReference:
For content running in Flash Player or for content running in Adobe AIR outside of the application security sandbox, uploading and downloading operations can access files only within its own domain and within any domains that a URL policy file specifies. Put a policy file on the file server if the content initiating the upload or download doesn't come from the same domain as the file server.
Also - is this running as release or in the debugger? Sometimes the behavior for server access is quite different.
Fairly normal security sandbox issue (not prevalent to Firefox, but to Flash Player).
You just need a crossdomain file on the root of your webserver.
Hi I'm trying a simple tutorial of retrieving RSS feeds from yahoo and keep getting this error:
RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"
I've seen some articles that say I need a crossdomain.xml file, but I don't really know how to set this file up and how to use it from the Flex SDK compiler (mxmlc).
Thanks
The crossdomain.xml file needs to live at the root of the server that you are accessing. If they have not put that there, then you are out of luck when running in the browser. It is part of an important security aspect of running in a browser sandbox (Silverlight has the same restriction). It is waived if you are running in Air (or pretty much anything out of the browser).
Lets say that you are trying to receive data from http://foo.com/rest/rss/all (or something like that). You can chec quickly to see if they allow cross-site scripting (XSC) by browsing to http://foo.com/crossdomain.xml. If it is not there, then you can't do it.
Still, the comments you got about more information would help us give you a better answer.
I made a swf that interacts with other site on the internet (which has a crossdomainfile for me).
in the main.mxml there is a definition of webservice (mx:WebService)(which is not in my domain). Therefore when loading the swf, there is a first call to crossdomainfile.xml.
I put this swf on my server so that my clients can get it.
When i connect to my server to download the swf, i expect to be asked if i want to allow the swf connect to foreign webservice domain. But i am not being asked.
Do i always need to define exception in Global Security Settings panel?
I don't want my client do define special things..
Is there a best practice for that? Why when i surfing the net other swf can do this?
I read about the FlashPlayerTrust, can i define there a website i trust my swf will connect to?
anyone knows?
You ask a bunch of questions, I'll try to explain the best I can.
The loading of the crossdomain.xml file will occur when you access the WebService located on
the remote domain; not when the swf containing the WebService call is loaded.
If a crossdomain.xml file is not there; the error is returned to the Flash Player. If you create a handler for that error, you can surpress that error from the user. IF no handler exists, I believe a run time error is displayed--but I haven't tested that.
If you want to be asked whether the swf can access the foreign domain or not; I'm pretty sure you'll have to write that code yourself.
I've never had to deal with Global Security Settings or FlashPlayerTrust in situations where I need to access a remote service.
the solution is to add headers permission to the crossdomainfile:
allow-http-request-headers-from
detailed info is in http://kb2.adobe.com/cps/403/kb403185.html
I want to go live with my site.
...but I need help with a security violation I am incurring.
I've seen various threads on this forum regarding a crossdomain.xml file to include and link to, but I don't get it... no matter what I try I still end up with the same result. You'll note below that it is not recommended to use crossdomain hacks.
FWIW, this only happens when I export a release build... I can load the php data w/out an issue in my debug/developing phase locally in Flex.
What gives? When I make a PHP based request for data I always get this error popping up:
Error #2044: Unhandled securityError:.
text=Error #2048: Security sandbox
violation:
http://alubow.com/jml_testing/viewable/alubow_project.swf
cannot load data from
http://www.alubow.com/jml_testing/foldergrab.php?ipath=assets/bitmap/portrait_thumbs/&tpath=assets/bitmap/portrait_imgs/.
at utils.php::DirectoryReader() at
alubow_project/newScroller() at
alubow_project/mainClickOut()
Is there code I need to add to get this to work? Do I need to configure the server I am using?
I will need to go live with this site soon and these errors I am getting both locally and serverside (via a browser) are unacceptable.
COULD THIS BE A PROBLEM WITH THE FLASH PLAYER I HAVE INSTALLED?
I have the debugger version of flash player 10.
jml
The problem is with the www prefix. I guess you are trying to load a page with out the www subdomain and the URL you are looking for does have that prefix.
Now, what you need to do is one of the following:
change the request url
add both www.yourdomain.com And yourdomain.com to the crossdomain.xml
call the url dymanicaly. this is the best solution but needs some more work. you can get it done using ExternalInterface and connection to JS here. OR you can use the BrowserManager.
Enjoy!
It may be because your app is requesting from www.alubow.com when hosted from alubow.com, which triggers a request for http://www.alubow.com/crossdomain.xml, which doesn't exist. You could refer to your app as www.alubow.com/jml_testing/viewable/alubow_project.swf and avoid the error.
Alternately, you could add a crossdomain.xml file to www.alubow.com.
I know this is weird but for local files loaded through the flash player you probably just need to hit this page. Look near the top right for something that looks like an example image. It's actually a Flex application. Click successive tabs until you read the Global Security Settings panel (currently 3rd from the left, with an image of a globe and padlock). Select the "Edit locations" menu, and choose "Add location". You can then add your swf or your folder of swf's into the whitelist and they'll be able to access outside resources magically.
I'm embedding the Google Maps Flash API in Flex and it runs fine locally with the watermark on it, etc. When I upload it to the server (flex.mydomain.com) I get a sandbox security error listed below:
SecurityError: Error #2121: Security sandbox violation: Loader.content: http://mydomain.com/main.swf?Fri, 12 Sep 2008 21:46:03 UTC cannot access http://maps.googleapis.com/maps/lib/map_1_6.swf. This may be worked around by calling Security.allowDomain.
at flash.display::Loader/get content()
at com.google.maps::ClientBootstrap/createFactory()
at com.google.maps::ClientBootstrap/executeNextFrameCalls()
Does anyone have any experience with embedding the Google Maps Flash API into Flex components and specifically settings security settings to make this work? I did get a new API key that is registered to my domain and am using that when it's published.
I've tried doing the following in the main application as well as the component:
Security.allowDomain('*')
Security.allowDomain('maps.googleapis.com')
Security.allowDomain('mydomain.com')
This sounds like a crossdomain.xml related problem. I did a quick search and there seems to be many people with the same issue. Some proxy requests through XMLHttpRequest etc..
Issue 406: Add crossdomain.xml for Google Accounts
Thanks for the help. Apparently this has something to do with including the Flex app on an ASP.NET page. When I moved it over to a flat HTML file, it worked fine. I don't have time to fully investigate right now, but that seems to have fixed it.