I've been struggling with flash permissions and crossdomain.xml file 5 days already... Here is the situation I have:
I've wrote flash application which records audio on one server and uploads it on another server. So, as you likely guessed, I faced that security sandbox violation exceptions/errors:
Error #2044: Unhandled securityError:. text=Error #2170: Security sandbox violation: https://192.168.10.10:9090/foo/bar cannot send HTTP headers to https://192.168.10.11/some/path
I thought that adding the following crossdomain.xml:
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd> <cross-domain-policy> <site-control permitted-cross-domain-policies="all"/> <allow-http-request-headers-from domain="*" headers="*" secure="true" /> <allow-access-from domain="*" secure="true" /> </cross-domain-policy>
to the root of the server will do all the tricks (ha, how naive I was).
Ok, I put it to the root of my server, but error didn't gone for some reason. I looked at the logs flash player produces and the following was stated there:
Warning: Failed to load policy file from https://192.168.22.103/crossdomain.xml
But, wait a moment, I can see this file via browser at exactly this address (though this is https and it asks me to accept certificate as usual).
So could please somebody help me?
That's the most frustrating thing I faced ever.
Thanks you all for any help, it is much appreciated!
Hi, Flex HarUI,
Could you, please, be more specific? Can I accept this certificate in the Flex or skip this check somehow (say, like addind "-k" parameter to curl request). I thought too that this can be the issue, but I didn't find any info about such cases anywhere.
I don't think there is much intelligence in the FP's fetch of crossdomain.xml. I'm no expert in this area, but I think if you fetch crossdomain.xml from the browser and it puts up a dialog about the certificate then the response from the server was probably not status==SUCCESS and at that point the FP will just give up. You would need a legitimate certificate instead. You should get one anyway so as not to annoy your users when you eventually deploy.