10 Replies Latest reply on Dec 9, 2010 2:14 PM by Flex harUI

    CrossDomain.xml

    mattcom Level 1

      Ok, so I've been up and down the web trying to figure out what's going on here.

      I have a few HTTPservice calls to a PHP page on a different domain, which serves an XML response.

      While the swf is on my personal computer, the program works fine.

      As soon as I upload the swf to my hosting server, I get the following error: "[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]"

      Based on all the research I've been able to manage, the problem has to do with a crossdomain.xml, which is supposedly supposed to be installed at the root level of the domain, such as: http://domain.com/crossdomain.xml

      My swf has even been installed at http://domain.com/images/swfFile.swf, and requests information from http://domain.com/httpservices.php, along with having http://domain.com/crossdomain.xml, and I still can't get the darn thing to work.

      What am I missing here?

      Please help!

      Thanks

        • 1. Re: CrossDomain.xml
          Flex harUI Adobe Employee

          What is in your crossdomain.xml?  Have you tried a network monitor to make sure the requests are going and coming as expected?  Make sure you see the crossdomain.xml get loaded.

          • 2. Re: CrossDomain.xml
            mattcom Level 1

            <?xml version="1.0"?>
            <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
            <cross-domain-policy>  
            <!--This domain can accept the SOAPAction header from a SWF file from www.example.com -->  
            <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
            </cross-domain-policy>

            I have not tried a network monitor as I'm using shared hosting.

            • 3. Re: CrossDomain.xml
              Flex harUI Adobe Employee

              Are you sure the headers is right?

              • 4. Re: CrossDomain.xml
                mattcom Level 1

                I got that example off someone else's site.  Here's the one off Adobe docs:

                <?xml version="1.0"?>
                <!-- http://www.foo.com/crossdomain.xml -->
                <cross-domain-policy>
                    <allow-access-from domain="www.friendOfFoo.com"/>
                    <allow-access-from domain="*.foo.com"/>
                    <allow-access-from domain="105.216.0.40"/>
                </cross-domain-policy>

                I tried that too, but to no avail.

                • 5. Re: CrossDomain.xml
                  mattcom Level 1

                  The thing that I don't understand is why the swf file cares.  It's the PHP page that's delivering the data, and it doesn't care where the request comes from.  Why on earth does the flex swf care where it gets the data & have security issues?  If security needs to be addressed, it should be addressed at the PHP level.

                  • 6. Re: CrossDomain.xml
                    Devtron Level 3

                    What is the URL of your HTTPService objects?

                    Is that included in your cross domain file?

                    Are you putting the cross domain file in the correct place? That is tricky. What Adobe refers to as "root folder" is actually the server's virtual directory root, NOT your sandbox root.

                    I kept putting the crossdomain.xml file in my sandbox, and kept wondering why my app would never authenticate. It never threw an error either though.

                    Finally I realized that what Adobe was calling the "root" is actually the virtual directory root. Since I use IIS, it was C:\inetpub\wwwroot. Not my application sandbox root, which was more like C:\MyFolder\MyApplication\<here you go>

                    • 7. Re: CrossDomain.xml
                      mattcom Level 1

                      After watching this video: http://tv.adobe.com/watch/how-to-develop-secure-flash-platform-apps/crossdomain-policy-files/

                      I discovered a missing line of code, and syntax differences.  This now works, in the same place as my previous crossdomain.xml file, aka http://domain.com/crossdomain.xml

                      The new working file is:

                      <?xml version="1.0"?>
                      <cross-domain-policy>  
                          <site-control permitted-cross-domain-policies="master-only"/>
                          <allow-access-from domain="*"/>
                      </cross-domain-policy>

                      VS

                      <?xml version="1.0"?>
                      <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
                      <cross-domain-policy>  
                      <!--This domain can accept the SOAPAction header from a SWF file from www.example.com -->  
                      <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
                      </cross-domain-policy>
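
Added example (not part of the original thread and not Adobe's code): a small Python audit of the three policy files quoted above, showing which of them grant data access to a SWF served from a given host and flagging the wildcard grant. The function names and the simplified domain matcher are assumptions made for illustration; the policy strings are constructed copies of the quoted files.

```python
import xml.etree.ElementTree as ET

# Constructed copies of three policies quoted in the thread (comments dropped).
HEADERS_ONLY = """<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>"""

DOCS_EXAMPLE = """<cross-domain-policy>
  <allow-access-from domain="www.friendOfFoo.com"/>
  <allow-access-from domain="*.foo.com"/>
  <allow-access-from domain="105.216.0.40"/>
</cross-domain-policy>"""

WILDCARD = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Simplified matcher (assumption): '*' matches any host, '*.foo.com'
    matches subdomains of foo.com, anything else must match exactly."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def audit_policy(xml_text, swf_host):
    """Report whether a SWF served from swf_host is granted data access,
    and list findings a reviewer would want to see."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    patterns = [e.get("domain", "") for e in root.findall("allow-access-from")]
    findings = []
    if not patterns:
        findings.append("no allow-access-from rule: no data access is granted")
    if "*" in patterns:
        findings.append('allow-access-from domain="*": SWFs from any domain may read responses')
    if root.find("allow-http-request-headers-from") is not None and not patterns:
        findings.append("header permission without data access")
    site = root.find("site-control")
    meta = site.get("permitted-cross-domain-policies") if site is not None else None
    granted = any(domain_matches(p, swf_host) for p in patterns)
    return {"granted": granted, "meta_policy": meta, "findings": findings}
```

Replacing the wildcard with the specific host that serves the SWF keeps the application working while dropping the "any domain" finding.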

                      • 8. Re: CrossDomain.xml
                        mattcom Level 1

                        The only remaining question I have, I guess, is WHY.

                        WHY did the swf work on my local PC installation while calling up data from my HTTPService on a http://domain.com when domain.com did NOT have a crossdomain.xml file, and then require a crossdomain.xml file, simply because I moved the swf to domain.com??

                        Is there some inherent trust for localhost on my PC from http://domain.com?

                        What I mean is: IF crossdomain.xml is supposed to deny anything that's not listed in the allow-access-from tag, why did it NOT give me this error prior to uploading my content to the server?  Should it not have given me the same error while running it from my localhost PC?  Does this mean that as long as a 'hacker' is requesting information from his local PC, he can bypass my crossdomain.xml file restrictions?

                        Thanks for your input.

                        • 9. Re: CrossDomain.xml
                          Devtron Level 3

                          Yeah, I only discovered how to use CrossDomain.xml file "goodness" by reading the Flashbuilder4 Bible. In it, there is a tiny little footnote about a URL that covers better documentation. In there, it had a much better explanation of the properties.

                          http://kb2.adobe.com/cps/142/tn_14213.html

                          ^ It still does not cover the attributes you posted though. This is where documentation is bizarre. It's not very consistent!!

                          I believe the reason localhost works fine is because the debugger version of the SWF is unrestricted. I think it would be difficult to replicate server settings on a local box. I may be wrong but that's my guess at it.

                          • 10. Re: CrossDomain.xml
                            Flex harUI Adobe Employee

                            If you run from file: there are different security rules than running from http: or https: