Flash AS3 - domain.com/crossdomain.xml and security error

Tag: actionscript-3 Author: xiaocong_1989 Date: 2012-02-28

In code I use this before URLLoader (swf will be used with many different domains and this will be changing in time):

Security.allowDomain("*");

In http://domain.com/crossdomain.xml, I have this for test:

<?xml version="1.0" ?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

I am trying to access http://domain.com/files/filename.bin and still get security error.

Ok, I used crossdomainmaker.com to create access for any domain (for test) and copied it directly into file server and also test if domain.com/crossdomain.xml is accessible. I checked flashlog.txt and found that domain.com/crossdomain.xml is loaded but will be ignored because of its syntax error - its generated by crossdomainmaker website and also correct with specifications and examples over internet, so what can I do?

Have you tried using firebug or something similar to look at the files your SWF is trying to load, and any errors that may pop up?
URLLoader gets standard security error, because of different domain for swf and file to load. But like I said, domain with file has its crossdomain.xml file in root with full allow.
Not the flash error - the HTTP error codes in firebug. You can see where it's trying to download the crossdomain from etc.
Do you have the crossdomain.xml on your application server or on the remote server? From your example, it looks like the crossdomain.xml and filename.bin are on the same domain.
Yes, crossdomain.xml is on same server as files. I cant put anything other than only swf file on application server. I want my external file server to allow access to hosted files for any swf file. What should I do more to make it?

Best Answer

Cross-domain policy errors are always a pain in the ass. Can you post the exact error and when you're getting it. Also, turn on policy logging: http://help.adobe.com/en_US/flex/using/WS2db454920e96a9e51e63e3d11c0bf69084-7ec4.html

With that, you can see if the file is being loaded, if it's being superseeded by another one, or roughly why it's being rejected.

In the meantime, some links that might be useful.

Cross-domain policy spec: http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html (explains exactly what's going on behind the scenes)

Cross-domain maker: http://www.crossdomainmaker.com/ (easy policy file syntax)

Some security tips when dealing with cross-domain: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html#articlecontentAdobe_numberedheader_3

Btw, setting a policy of "*" is a huge security hole.

comments:

Ok, I used crossdomainmaker.com to create access for any domain (for test) and copied it directly into file server and also test if domain.com/crossdomain.xml is accessible. I checked flashlog.txt and found that domain.com/crossdomain.xml is loaded but will be ignored because of its syntax error - its generated by crossdomainmaker website and also correct with specifications and examples over internet, so what can I do?
does it give you an idea of the syntax error? can you post it here?
Nope, it only said that crossdomain.xml will be ignored because of its syntax error and gives me dead link to adobe documentation (all in my native language, not english). But I solved my problem. Something wrong in crossdomain.xml file I posted in question. This one from crossdomainmaker works now, but I had to completly clear any cache, because also browser restart was not enough. I forgot about this little issue. Thanks for all links, that was very helpful.