I made a swf that interacts with other site on the internet (which has a crossdomainfile for me).
in the main.mxml there is a definition of webservice (mx:WebService)(which is not in my domain). Therefore when loading the swf, there is a first call to crossdomainfile.xml.
I put this swf on my server so that my clients can get it.
When i connect to my server to download the swf, i expect to be asked if i want to allow the swf connect to foreign webservice domain. But i am not being asked.
Do i always need to define exception in Global Security Settings panel?
I don't want my client do define special things..
Is there a best practice for that? Why when i surfing the net other swf can do this?
I read about the FlashPlayerTrust, can i define there a website i trust my swf will connect to?
anyone knows?
You ask a bunch of questions, I'll try to explain the best I can.
The loading of the crossdomain.xml file will occur when you access the WebService located on
the remote domain; not when the swf containing the WebService call is loaded.
If a crossdomain.xml file is not there; the error is returned to the Flash Player. If you create a handler for that error, you can surpress that error from the user. IF no handler exists, I believe a run time error is displayed--but I haven't tested that.
If you want to be asked whether the swf can access the foreign domain or not; I'm pretty sure you'll have to write that code yourself.
I've never had to deal with Global Security Settings or FlashPlayerTrust in situations where I need to access a remote service.
the solution is to add headers permission to the crossdomainfile:
allow-http-request-headers-from
detailed info is in http://kb2.adobe.com/cps/403/kb403185.html
Related
I made a blog widget in flex. I need manipulate cookie in my widget which is added to my user's blog. But under some circumstance, some blog hosts forbid accessing to javascript, so i can not access cookie in flex by externalInterface. Does anyone know how to access cookie in this context? thanks.
You need to set allowScriptAccess to "*" in your embed code. Unfortunately, you cannot allow access on a per domain basis, so it's all or nothing. However, the owner of the blog might not want to grant this privilege, in which case you just cannot count on having access to Javascript from your swf.
PS: If you are allowed to serve a swf from the same domain with granted access to Javascript, you might be able to use it as proxy for sending the data retrieved with javascript to the swf served from the other domain. Not sure if this is the best idea, though.
My answer is, you can't access browser cookies from the Flash Player. The ExternalInterface usage is kind of a hack.
Based on the error, it sounds like your SWF is being served from a different domain than the web page that contains it. Is that true? If so, that is the cause of the error. Isn't that the same sort of approach that "Cross Site Scripting" exploits use?
You can allow JavaScript to access it's HTML wrapper from a different domain by specifying the allowScriptAccess to always in the SWF embed code. More info in the Adobe docs.
You can try adding a crossdomain.xml file to the main site, although I did not think that would have an effect because I'm pretty sure that ExternalInterface usage is not a crossdomain.xml checking case.
I'm curious as to where the cookie is coming from. If your Flex application is creating the cookie via a SharedObject then you don't need javascript to access it. If the cookie is coming from another application/source then to my knowledge, the only real way to access it is via the javascript externalinterface method.
The issue we're running across is that we use a screen scraper to generate non copy-and-pasteable images of web pages for users who don't have access to raw data to hamper copy-and-paste activity. We have a class that's set up to instantiate a web browser object in memory, and then it accesses the page and we render it to a bitmap that we save as a jpeg.
While we can access the page okay from the server manually, when the class attempts to access it we get an error that says we can't use allowDefinition='MachineToApplication' beyond application level. We don't have any virtual directories, we don't have multiple web.configs, and the lack of reproducibility except through this one process is intensely frustrating. Any ideas what else we can do?
What you need to do is change the "allowDefinition" setting in your applicationHost.config file. That setting determines the level where it can be set, the options are as follows:
[MachineOnly|MachineToApplication|AppHostOnly|Everywhere]
If you open it up to everywhere you should be good to go. If you need to do this via command line on server 2008 you should be able to do it with the appcmd utility.
I want to go live with my site.
...but I need help with a security violation I am incurring.
I've seen various threads on this forum regarding a crossdomain.xml file to include and link to, but I don't get it... no matter what I try I still end up with the same result. You'll note below that it is not recommended to use crossdomain hacks.
FWIW, this only happens when I export a release build... I can load the php data w/out an issue in my debug/developing phase locally in Flex.
What gives? When I make a PHP based request for data I always get this error popping up:
Error #2044: Unhandled securityError:.
text=Error #2048: Security sandbox
violation:
http://alubow.com/jml_testing/viewable/alubow_project.swf
cannot load data from
http://www.alubow.com/jml_testing/foldergrab.php?ipath=assets/bitmap/portrait_thumbs/&tpath=assets/bitmap/portrait_imgs/.
at utils.php::DirectoryReader() at
alubow_project/newScroller() at
alubow_project/mainClickOut()
Is there code I need to add to get this to work? Do I need to configure the server I am using?
I will need to go live with this site soon and these errors I am getting both locally and serverside (via a browser) are unacceptable.
COULD THIS BE A PROBLEM WITH THE FLASH PLAYER I HAVE INSTALLED?
I have the debugger version of flash player 10.
jml
The problem is with the www prefix. I guess you are trying to load a page with out the www subdomain and the URL you are looking for does have that prefix.
Now, what you need to do is one of the following:
change the request url
add both www.yourdomain.com And yourdomain.com to the crossdomain.xml
call the url dymanicaly. this is the best solution but needs some more work. you can get it done using ExternalInterface and connection to JS here. OR you can use the BrowserManager.
Enjoy!
It may be because your app is requesting from www.alubow.com when hosted from alubow.com, which triggers a request for http://www.alubow.com/crossdomain.xml, which doesn't exist. You could refer to your app as www.alubow.com/jml_testing/viewable/alubow_project.swf and avoid the error.
Alternately, you could add a crossdomain.xml file to www.alubow.com.
I know this is weird but for local files loaded through the flash player you probably just need to hit this page. Look near the top right for something that looks like an example image. It's actually a Flex application. Click successive tabs until you read the Global Security Settings panel (currently 3rd from the left, with an image of a globe and padlock). Select the "Edit locations" menu, and choose "Add location". You can then add your swf or your folder of swf's into the whitelist and they'll be able to access outside resources magically.
I'm creating an ASP.NET web application to schedule tasks on our server from a remote location using a .NET Wrapper for Scheduled Tasks. However, I'm stuck.
The user needs to be able to browse the file system on the server to retrieve a "file to run" for the new task that the user's creating in this application. I need to get the filepath/filename and pass it into the .NET wrapper.
I've tried using HTMLInputFile, but I haven't found a way to make that work for me.
Any help is appreciated.
Thanks
Update:
For this project, we've decided to simply list the executables in a dropdown box that would be available to users since they don't really need total access to the file system, just for security's sake.
HTMLInputFile is used to browse the client's file system and upload a file to the server. It isn't used to browse the server's file system.
You will need something quite different. You will need some server side code to display the server side folder structure to the user via the browser.
There is an example of a basic implementation of this here.
Update:
With that sample, the path that you replace "yourfolderHere" with needs to be a virtual path, rather than an absolute path. So for example "C:\Inetpub\wwwroot\uploads" won't work, but "uploads" will work.
I hope it goes without saying that there are serious security issues to think about when implementing something like this.
The HTMLInputFile will only work on the client-side machine.
You need to write a filesystem browser in ASPX/HTML that browses on the server-side.
Shouldn't be that hard to do.
You can't use the <input type="file" tag
This brings up a client-side dialog that browses the client machine.
As far as I am aware you need to create your own 'browser'.
eg You could use the My.Computer.Filesystem classes to retrieve a list of files in a folder and show those on the webpage. The user then selects the relevant file and posts a response back to the server.
You can use System.IO.Directory to get directories and files. These can be displayed in a number of ways. A simple browser / file selection should be possible in less than 50 lines of code.
Also be aware that you may need to grant extra permissions to the user that your web app runs as so the file system is accessible.
There are also various security implications around this, so don't grant access to everything unless you really need this.
This would be a question for anyone who has code in the App_Code folder and uses a hardware load balancer. Its true the hardware load balancer could be set to sticky sessions to solve the issue, but in a perfect world, I would like the feature turned off.
When a file in the App_Code folder, and the site is not pre-compiled iis will generate random file names for these files.
server1 "/ajax/SomeControl, App_Code.tjazq3hb.ashx"
server2 "/ajax/SomeControl, App_Code.wzp3akyu.ashx"
So when a user posts the page and gets transfered to the other server nothing works.
Does anyone have a solution for this? I could change to a pre-compiled web-site, but we would lose the ability for our QA department to just promote the changed files.
Do you have the <machinekey> node on both servers set to the same value?
You can override the machine.config file in web.config to set this. This needs to match otherwise you can get strange situations like this.
Does your load balancer supports sticky sessions? With this on, the balancer will route the same IP to the same server over and over within a certain time window. This way, all requests (AJAX or otherwise) from one client would always hit the same server in the cluster/farm.
Ok, first things first... the MachineKey thing is true. That should absolutely be set to the same on all of the load balanced machines. I don't remember everything it affects, but do it anyway.
Second, go ahead and precompile the site. You can actually still push out new versions, whenever there is a .cs file for a page that page gets recompiled. What gets tricky is the app_code files which get compiled into a single dll. However, if a change is made in there, you can upload the new dll and again everything should be fine.
To make things even easier, enable the "Used fixed naming and single page assemblies" option. This will ensure things have the same name on each compilation, so you just test and then replace the changed .dll files.
All of that said, you shouldn't be having an issue as is. The request goes to IIS, which just serves up the page and compiles as needed. If the code behind is different on each machine it really shouldn't matter, the code is the same and that machine will reference it's own code. The actual request/postback doesn't know or care about any of that. Everything I said above should help simplify things, but it should be working anyway... so it's probably a machinekey issue.
You could move whatever is in your app_code to an external class library if your QA dept can promote that entire library. I think you are stuck with sticky sessions if you can't find a convenient or tolerable way to switch to a pre-compiled site.
If it's a hardware load balancer, you shouldn't have an issue, because all that is known there is the request URL, in which the server would compile the requested page and serve it.
the only issue i can think of that you might have is with session and view state.
Its true the hardware load balancer could be set to sticky sessions to solve the issue, but in a perfect world, I would like the feature turned off.
It appears that the is only for ViewState encryption. It doesn't affect the file names for auto compiled assemblies.
I think asp.net model has quite a bit dependency for encryption and machine specific storage, so I am not sure if it works to avoid sticky IP for session.
I don't know about ASP.NET AJAX (I use MonoRail NJS approach instead), but session state could be an issue for you.
You have to make sure session states are serializable, and don't use InMemory session. You probably need to run ASP.NET Session State Server to make sure the whole frontend farm are using the same session storage. In such case session has to be perfectly serializable (thats why no object in session is preferred, you have to always use ID, and I bet MS stick on this limitation when they do AJAX library development)