5 Replies Latest reply on Feb 18, 2011 12:36 PM by JunoJulien

    Another Security.allowDomain question


      I have a Flex application causing me a lot of greif due to the infamous ** Security Sandbox Violation **

      After spending a few days in the doc/reference and online help, I hope that someone here can give me some insight.


      Ok, swf files hosted on "domainA", served from a page from "domainB".

      Javascript call from domainB to domainA ending in:



      *** Security Sandbox Violation ***

      SecurityDomain 'http://domainB/1685555-02-01-01.m3u' tried to access incompatible context 'http://domainA/Main.swf'

      Extract from Main.mxml, where I call a wildcard allowDomain:
      <mx:Application ... preinitialize="application1_preinitializeHandler(event)">
      protected function application1_preinitializeHandler(event:FlexEvent):void {

      Now, according to what I have seen, this should allow any domain to access the swf through javascript...but it is not.

      I have 2 things out of the ordinary, and maybe the problem lies there:

      - domainA and domanB are respectively 5 and 6 parts domain names (www.julien.devbox.okdown.com and static.julien.devbox.domain.co.uk)

      - The Main.swf uses 2 Libraries, built separately, and there is no reference to Security.allowDomain, but really doubt this is needed.

      Please, any insight would be very very welcome.

      Best regards,

        • 1. Re: Another Security.allowDomain question
          Flex harUI Adobe Employee

          I assume you've also called ExternalInterface.addCallback?  Do you know if

          the preinitialize handler ran before JS attempst the call?

          1 person found this helpful
          • 2. Re: Another Security.allowDomain question
            JunoJulien Level 1



            Everything is working fine when I use the 2 same domains, so addCallBack does its job as expected...

            The JS function is called well after the preinit handler, I made sure through step by step debugging...

            No other Security.* call happens apart from the allowDomain one, just loading crossdomain policy for a server side call which works perfectly from another domain...



            I have added a call to Security.allowDomain("*") just before the ExternalInterface.addCallback as well (me being desperate!), and it worked

            It has been added in my "class ExternalInterfaceMediator extends Mediator implements IMediator" where I addCallback....

            This method was in one of the external library.... Does this mean the allowDomain calls must reside in every different libraries/main swf registering the callback??

            Damn me if that is so!

            • 3. Re: Another Security.allowDomain question
              Darrell Loverin Level 4

              Security.allowDomain() only applies to the swf it is called from. If you want to allow access to multiple swfs then you will need to call Security.allowDomain() from each swf.




              • 4. Re: Another Security.allowDomain question
                Flex harUI Adobe Employee

                There must be code in a SWF that calls allowDomain in order to allow code in

                that SWF to be called.  So, if you are using modules or sub-apps or RSLs, if

                code in those SWFs are the callback, you need to have code in those SWFs

                that call allowDomain.  Calling allowDomain from the main app's code only

                helps for code in the main SWF.


                There is a function on IFlexModuleFactory that calls allowDomain on all

                known modules and RSLs.

                • 5. Re: Another Security.allowDomain question
                  JunoJulien Level 1

                  Thank you for the IFlexModuleFactory advice!