I want to go live with my site.
...but I need help with a security violation I am incurring.
I've seen various threads on this forum regarding a crossdomain.xml file to include and link to, but I don't get it... no matter what I try I still end up with the same result. You'll note below that it is not recommended to use crossdomain hacks.
FWIW, this only happens when I export a release build... I can load the php data w/out an issue in my debug/developing phase locally in Flex.
What gives? When I make a PHP based request for data I always get this error popping up:
Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http://alubow.com/jml_testing/viewable/alubow_project.swf cannot load data from http://www.alubow.com/jml_testing/foldergrab.php?ipath=assets/bitmap/portrait_thumbs/&tpath=assets/bitmap/portrait_imgs/.
at utils.php::DirectoryReader()
at alubow_project/newScroller()
at alubow_project/mainClickOut()
Is there code I need to add to get this to work? Do I need to configure the server I am using?
I will need to go live with this site soon and these errors I am getting both locally and serverside (via a browser) are unacceptable.
COULD THIS BE A PROBLEM WITH THE FLASH PLAYER I HAVE INSTALLED?
I have the debugger version of flash player 10.
jml
The problem is with the www prefix. I guess you are trying to load a page without the www subdomain and the URL you are looking for does have that prefix.
Now, what you need to do is one of the following:
Change the request URL.
Add both www.yourdomain.com and yourdomain.com to the crossdomain.xml.
Call the URL dynamically. This is the best solution but needs some more work. You can get it done using ExternalInterface and a connection to JS here, or you can use the BrowserManager.
Enjoy!
It may be because your app is requesting from www.alubow.com when hosted from alubow.com, which triggers a request for http://www.alubow.com/crossdomain.xml, which doesn't exist. You could refer to your app as www.alubow.com/jml_testing/viewable/alubow_project.swf and avoid the error.
Alternately, you could add a crossdomain.xml file to www.alubow.com.
I know this is weird but for local files loaded through the flash player you probably just need to hit this page. Look near the top right for something that looks like an example image. It's actually a Flex application. Click successive tabs until you reach the Global Security Settings panel (currently 3rd from the left, with an image of a globe and padlock). Select the "Edit locations" menu, and choose "Add location". You can then add your swf or your folder of swf's into the whitelist and they'll be able to access outside resources magically.
So I added a manifest.json to the application. I am using it to define various icon settings and mobile settings. I gave it a start url of "/", and I've tested it with a start url of "~", "." and simply leaving the property undefined.
The manifest works locally, but when I build it to a QA server I get error 500s on a bunch of javascript files in the bundle, including the VMs that generate the navigation for the app. I've added the JSON mimeMap to the web.config and have done a fair amount of research but I'm coming up blank. Help!
The ~ works with the ASP.NET rendering engine to render relative URLs. This is really limited to the server. Remember the PWA code is decoupled from your server-side code/server. The browser is only looking at the server via HTTP and is unaware of any server-side logic you may have. It only cares about what is sent to it across the wire.
Analyze your network waterfall and see what URLs are being requested. If the URLs being requested have the ~ in them, you need to change your manifest file, well you should remove that anyway IMO.
Do you know the details of the server side error(s)? Or are you masking that behind the default 5xx message in ASP.NET? It would be helpful to know what the exact error being thrown on the server is to help debug the issue.
Hi I'm trying a simple tutorial of retrieving RSS feeds from yahoo and keep getting this error:
RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"
I've seen some articles that say I need a crossdomain.xml file, but I don't really know how to set this file up and how to use it from the Flex SDK compiler (mxmlc).
Thanks
The crossdomain.xml file needs to live at the root of the server that you are accessing. If they have not put that there, then you are out of luck when running in the browser. It is part of an important security aspect of running in a browser sandbox (Silverlight has the same restriction). It is waived if you are running in Air (or pretty much anything out of the browser).
Let's say that you are trying to receive data from http://foo.com/rest/rss/all (or something like that). You can check quickly to see if they allow cross-site scripting (XSC) by browsing to http://foo.com/crossdomain.xml. If it is not there, then you can't do it.
Still, the comments you got about more information would help us give you a better answer.
In my Flex 4 app, I access an RSS feed (I'm using http://news.ycombinator.com/rss as a dummy). It works okay when I run it from Flash Builder 4, but if I export the project and upload it, I get the following error when it tries to load the RSS feed:
Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: my_website_url cannot load data from http://news.ycombinator.com/rss.
What could be causing this error? Shouldn't RSS be able to be accessed from anywhere? Thanks for reading.
Afaik flash looks for a crossdomain.xml (http://news.ycombinator.com/crossdomain.xml) file to detect if it's allowed to download this content. You find a possible solution here.
The Flash Player is in its own security sandbox inside the browser. It cannot access URLs outside the domain from which it was served unless it is given permission.
That permission is given through the use of a crossdomain.xml file. There is no cross domain file on the ycombinator site, as you can see here: http://news.ycombinator.com/crossdomain.xml . As such flash will not be able to access that URL unless the swf file is also served off ycombinator.
I'm unclear why this works when you test it locally; you should be having the same issue.
If that is your site, you can create a cross domain file and add it to the root directory and your problems should go away. More info here:
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
If you need an alternate feed to test with, you can use The Flex Show's RSS:
http://www.theflexshow.com/blog/rss.cfm?mode=full
(our Cross Domain for your reference)
http://www.theflexshow.com/crossdomain.xml
I'm unclear why this works when you test it locally; you should be having the same issue.
This is because when you are running from Flash Builder, the output file is a local file and hence the security domain is different as opposed to a SWF hosted in a web server.
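Added example, not code from any of the posts above: a simplified Python model of the cross-domain check described in the answers to the alubow.com question and to the two RSS questions. It shows why alubow.com and www.alubow.com count as different hosts and how a policy at the data server's root changes the outcome. The function names and the sample policy are constructed for illustration, and the matching rules are a simplification of what Flash Player does.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed policy, as it could be served from http://www.alubow.com/crossdomain.xml.
# It names both hosts explicitly instead of using the "*" wildcard.
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="alubow.com"/>
  <allow-access-from domain="www.alubow.com"/>
</cross-domain-policy>"""

def policy_url(data_url):
    """Policy file location: always the root of the host that serves the data."""
    parts = urlsplit(data_url)
    return f"{parts.scheme}://{parts.netloc}/crossdomain.xml"

def same_origin(swf_url, data_url):
    """Exact scheme and host match; 'www.' makes it a different host."""
    a, b = urlsplit(swf_url), urlsplit(data_url)
    return (a.scheme, a.netloc.lower()) == (b.scheme, b.netloc.lower())

def allowed_domains(policy_xml):
    """Domains listed in <allow-access-from> (parse trusted input only)."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain", "") for e in root.iter("allow-access-from")]

def domain_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True                         # any site may read the data
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # subdomains only
    return pattern == host

def can_load(swf_url, data_url, policy_xml):
    """True if the SWF may read data_url; policy_xml=None means no policy file."""
    if same_origin(swf_url, data_url):
        return True
    if policy_xml is None:
        return False
    host = urlsplit(swf_url).hostname
    return any(domain_matches(p, host) for p in allowed_domains(policy_xml))

def wildcard_entries(policy_xml):
    """Entries that open the server to every origin; worth flagging in review."""
    return [d for d in allowed_domains(policy_xml) if d.strip() == "*"]
```

Calling can_load() with the two URLs from the first error message and policy_xml=None reproduces the sandbox violation; passing SAMPLE_POLICY allows the request without opening the server to every origin.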
I'm creating an ASP.NET application which uses Facebook Connect and fbml tags. It also uses the LinkedIn widget. When I run this app in any browser, there are no warnings and everything works. However, in IE, a message like this comes up:
Security Warning:
The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this?
Current site:http://www.facebook.com
Trusted site:http://localhost
(same for LinkedIn.com). I know how to fix this from a client perspective and to stop the security warning showing up. However, is it possible to ensure this message doesn't come up as it could be off putting for users who don't know how to suppress this warning? I haven't tried uploading it to my webhost, so not sure if this message will appear for everyone in production. However, I always get it on my local machine.
(None of my pages use SSL, so I don't think that's the issue. I tried using FB's HTTPS urls but that didn't make a difference).
Thanks
I have come across the IE message many times. Whilst this might not be the case here I always check in Firebug to see if any requests are going to HTTPS (using the Net tab). It may be the case that something you are referencing is itself making a call to something else.
Often you get that message if you are serving an https page and then going to fetch an image over http.
Might not help but is the first thing I do in this situation.
I have an HttpModule that displays images that follow a certain URL pattern. For example, /images/employees/jason.jpg is handled by the module, but all other images aren't. It works just fine on my local machine (Cassini and IIS 7). However, the IIS6 production server isn't working. I've had the hosting company map the images to the ASP.NET worker process. Now, all images are showing that they can't render except for the images that should be rendered by the module. They are working correctly.
I ran an HttpWatch instance on one of the files and received the following error:
ERROR_HTTP_INVALID_SERVER_RESPONSE
Any ideas?
Final Answer:
The module needed to be updated to transmit server files. So, I added an else to my original if and checked to see if it was an image type (by using a utility method) then use Response.TransmitFile() to pass on the file to the browser.
I then ran into a spacing issue with the images. This was because I forgot that I had .aspx files registered as an image type to perform the testing. So each page would crash during the debug process or add padding that was established from CSS. Doh!
Everything is just peachy now. Thanks to all!
There doesn't seem to be anything particularly wrong with your module, so the issue must be coming from somewhere else. Have you got security that might be blocking the images? What actually gets returned when you request a static file?
I'd suggest seeing what gets returned (and its headers) using something like firebug to check things like the response code, content type, the actual raw response, etc...
Check your web.config. IIS6 and IIS7 have different places to add modules, and it depends on what mode your IIS7 is running in.
http://arcware.net/use-a-single-web-config-for-iis6-and-iis7