1 Reply Latest reply on Aug 28, 2009 3:20 AM by bigEsmurf

    Cross-domain security problem

    bigEsmurf

      Hi all,

       

      I'm developing a Flash application for teachers (application.swf), which loads a 'report.swf' from its own domain (www.maindomain.nl), and the report.swf loads XML and SWFs from a different domain (www.sourcedomain.nl). I've added a crossdomain.xml file to the sourcedomain, and when I check my logs, it seems that that works fine. For testing purposes I've used the most unrestrictive crossdomain.xml from Adobe, which allows everything. As you see below, it looks like everything works fine with the crossdomain.xml.

       

      Still, I get lots of Security Sandbox Violation messages (see below), and I just don't get why that is happening... can anybody help me?

       

      Thanx,

       

      Eric

       

      flashlog:

      *** Security Sandbox Violation ***
      SecurityDomain 'http://www.maindomain.nl/' tried to access incompatible context ' http://www.sourcedomain.nl/data/xml/dbdata.xml'

      (*100 )

       

      policyfile log:

      OK: Root-level SWF loaded: http://www.maindomain.nl/application.swf
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at http://www.sourcedomain.nl/data/xml/dbdata.xml by requestor from http://www.maindomain.nl/application.swf
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at http://www.sourcedomain.nl/data/css/dtrapportage.css by requestor from http://www.maindomain.nl/rapportage/report.swf
      Warning: Ignoring 'secure' attribute in policy file from http://www.sourcedomain.nl/crossdomain.xml.  The 'secure' attribute is only permitted in HTTPS and socket policy files.  See http://www.adobe.com/go/strict_policy_files for details.
      Warning: Ignoring 'secure' attribute in policy file from http://www.sourcedomain.nl/crossdomain.xml.  The 'secure' attribute is only permitted in HTTPS and socket policy files.  See http://www.adobe.com/go/strict_policy_files for details.
      OK: Policy file accepted: http://www.sourcedomain.nl/crossdomain.xml
      OK: Request for resource at http://www.sourcedomain.nl/data/xml/dbdata.xml by requestor from http://www.maindomain.nl/application.swf is permitted due to policy file at http://www.sourcedomain.nl/crossdomain.xml
      OK: Request for resource at http://www.sourcedomain.nl/data/css/dtrapportage.css by requestor from http://www.maindomain.nl/rapportage/report.swf is permitted due to policy file at http://www.sourcedomain.nl/crossdomain.xml
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at http://www.sourcedomain.nl/data/xml/jaargroep3.xml by requestor from http://www.maindomain.nl/application.swf
      OK: Request for resource at http://www.sourcedomain.nl/data/xml/jaargroep3.xml by requestor from http://www.maindomain.nl/application.swf is permitted due to policy file at http://www.sourcedomain.nl/crossdomain.xml
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at http://www.sourcedomain.nl/data/xml/jaargroep4.xml by requestor from http://www.maindomain.nl/application.swf
      OK: Request for resource at http://www.sourcedomain.nl/data/xml/jaargroep4.xml by requestor from http://www.maindomain.nl/application.swf is permitted due to policy file at http://www.sourcedomain.nl/crossdomain.xml
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at http://www.sourcedomain.nl/data/xml/jaargroep5.xml by requestor from http://www.maindomain.nl/application.swf
      OK: Request for resource at http://www.sourcedomain.nl/data/xml/jaargroep5.xml by requestor from http://www.maindomain.nl/application.swf is permitted due to policy file at http://www.sourcedomain.nl/crossdomain.xml

        • 1. Re: Cross-domain security problem
          bigEsmurf Level 1

          Oh, I've noticed something. In the report.swf I load a simple pulldown.swf, which contains no scripting, but it is filled with text from the dbdata.xml file. When I load the pulldown.swf from the maindomain.nl, it works fine. When I load the pulldown.swf from the sourcedomain.nl, it starts generating those Security Sandbox Violations.
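
An added example, not part of the original thread and not Adobe's code: a small audit of a crossdomain.xml body that flags the allow-everything grants the post mentions using for testing, plus the HTTP-served 'secure' attribute that the policy file log warns about. The two policy bodies are constructed samples (the thread does not show the actual file), and `audit_policy` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: an allow-everything policy of the kind the post describes.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: access limited to the requesting host named in the post.
RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.maindomain.nl"/>
</cross-domain-policy>"""

GRANTS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(policy_xml, policy_url):
    """Return (severity, message) findings for one URL-served crossdomain.xml.

    The inputs here are trusted, constructed strings; parse policy files
    fetched from other hosts with a hardened XML parser instead.
    """
    findings = []
    served_over_https = urlparse(policy_url).scheme == "https"
    root = ET.fromstring(policy_xml)
    for el in root.iter():
        if el.tag not in GRANTS:
            continue
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", f"<{el.tag}> grants access to every domain"))
        elif domain.startswith("*."):
            findings.append(("medium", f"<{el.tag}> grants every subdomain of {domain[2:]}"))
        # Same condition the policy file log above warns about.
        if "secure" in el.attrib and not served_over_https:
            findings.append(("info", f"'secure' on <{el.tag}> is ignored over HTTP"))
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control 'all' accepts any policy file on this host"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_policy(PERMISSIVE, "http://www.sourcedomain.nl/crossdomain.xml"):
        print(f"{sev:6} {msg}")
```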