17 Replies Latest reply on Feb 28, 2011 4:05 PM by Flex harUI

    Crossdomain policy

    Stere0

      Hi,

      I'm having a slight problem with a sandbox security error with our development project. Our website is hosted remotely but resources for the website are stored on our local server. Flash Player requires a crossdomain.xml file be kept on the domain where the 'resource' server is to handle security permissions. I am having a problem when I try to use the resources. I can use it if I store the website locally and I can also use it if the browser has accessed it before. I have tested my crossdomain policy file by turning it on and off to prove that it does successfully grant access, which makes me believe that the problem is arising locally because our resource server is located behind our company server and the sandbox security error happens at our company server when trying to access the resource server.


      Thanks

      Untitled.png

      ***crossdomain.xml****
      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
      <cross-domain-policy>
         <site-control permitted-cross-domain-policies="by-content-type"/>
         <allow-access-from domain="*" secure="false"/>
         <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
      </cross-domain-policy>
        • 1. Re: Crossdomain policy
          Flex harUI Adobe Employee

          What is the error you are getting?

          • 2. Re: Crossdomain policy
            Stere0 Level 1

            text = "Error #2048"

            type = "securityError"

            • 3. Re: Crossdomain policy
              Flex harUI Adobe Employee

              Usually it gives more information about who is accessing what.

              • 4. Re: Crossdomain policy
                druva.flash

                Client is contacting company server and so it tries to get the crossdomain xml from company server.

                 

                In your diagram, you have not mentioned: is the company server pulling the resources and feeding them to the client, or is it redirecting the client to the resource server for fetching the resources?

                If the company server is redirecting the client to the resource server then crossdomain.xml should be on the resource server,

                else if the company server is fetching the resources and feeding them to the client, the crossdomain.xml should be on the company server.

                Just copy and paste the complete error so it will be more clear for us to understand.

                 

                 

                • 5. Re: Crossdomain policy
                  Stere0 Level 1

                  Thanks for the quick response. The company server redirects the traffic to the resource server.

                   

                  (mx.messaging.messages::ErrorMessage)#0

                    body = (null)

                    clientId = "DirectHTTPChannel0"

                    correlationId = "49B81EAD-DA31-811F-562C-3AE70A598989"

                    destination = ""

                    extendedData = (null)

                    faultCode = "Channel.Security.Error"

                    faultDetail = "Destination: DefaultHTTP"

                    faultString = "Security error accessing url"

                    headers = (Object)#1

                      DSStatusCode = 0

                    messageId = "F1B58DC8-8913-133F-180F-3AE70AB35886"

                    rootCause = (flash.events::SecurityErrorEvent)#2

                      bubbles = false

                      cancelable = false

                      currentTarget = (flash.net::URLLoader)#3

                        bytesLoaded = 0

                        bytesTotal = 0

                        data = (null)

                        dataFormat = "text"

                      errorID = 0

                      eventPhase = 2

                      target = (flash.net::URLLoader)#3

                      text = "Error #2048"

                      type = "securityError"

                    timestamp = 0

                    timeToLive = 0

                  • 6. Re: Crossdomain policy
                    Stere0 Level 1

                    I've gone and removed the company server to test from one host machine to another and I am still getting the same problem.

                    Untitled2.png

                    • 7. Re: Crossdomain policy
                      Stere0 Level 1

                      What's strange is that if I put the url directly into the browser for the resource server to check if I can access it, from then on the swf functions properly. Otherwise I get the error.

                      • 8. Re: Crossdomain policy
                        Flex harUI Adobe Employee

                        Use a network monitor to see if the crossdomain.xml is being fetched or not.

                        • 9. Re: Crossdomain policy
                          Stere0 Level 1

                          I've installed Fiddler for Firefox and it seems to be checking for the crossdomain policy file.

                          Would it matter if I'm calling a server side script (XML) on the resource server to pull the information needed to return to the client?

                          • 10. Re: Crossdomain policy
                            Flex harUI Adobe Employee

                            If it checks for the crossdomain.xml, does it actually get served and is it the one you expected?

                            Is it served before other requests to that server?

                            Is the url for the crossdomain.xml in the root of that server?

                            Is the url you are requesting of the same domain as the crossdomain.xml?  No subtle differences like http://www.server1.com/ vs http://server1.com?

                            Is there some security on the server that would disallow fetching of the resource until some other http access is successful?

                            • 11. Re: Crossdomain policy
                              Stere0 Level 1

                              - I'm not sure. How do I check if it is?

                              - Yes it should be, I am using a Security.loadPolicyFile after initialization and before the resources are being requested just to be safe.

                              - Yes

                              - My cross domain file is set to use allow-access-from domain="*" for development purposes

                              - Investigating this last one but there shouldn't be anything wrong affecting it. It also wouldn't make sense that some server security would be the problem because if I access the resources directly to enable it to work properly, it only occurs to work properly in that particular browser. Changing browsers wouldn't affect the access server side and therefore is probably associated with that instance of Flash Player.

                              Does my crossdomain file meet Flash's current security requirements? I read through this article (http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html) and it seems to be up to par but it's hard to decipher what the bare minimum is just to allow crossdomain functionality in Flash Player to just work. I'll worry about tying up security holes after I get this working properly.

                               

                              Thanks for the help, It's much appreciated.

                              • 12. Re: Crossdomain policy
                                Flex harUI Adobe Employee

                                A network monitor should show the packets and the order in which things are fetched.

                                It doesn't matter if you have "*" in the crossdomain if the request is for a domain like www.mysite.com and the crossdomain.xml is coming from a slightly different domain name like just mysite.com.  The domain portion has to match exactly.

                                • 13. Re: Crossdomain policy
                                  Stere0 Level 1

                                  So I am using MS Network Monitor and have captured the process from when the crossdomain file is accessed to when the swf attempts to contact the resource server. I have bolded what I believe to be the crossdomain file being read. However I still get a security error.

                                   

                                   

                                  1:26:19 PM 28/02/2011 BEHRPC44  BEHRPC09  TCP TCP:Flags=......S., SrcPort=54476, DstPort=HTTP(80), PayloadLen=0, Seq=2136793160, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:8544, IPv4:27}

                                  1:26:19 PM 28/02/2011 BEHRPC09  BEHRPC44  TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=54476, PayloadLen=0, Seq=3457194333, Ack=2136793161, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:8544, IPv4:27}

                                  1:26:19 PM 28/02/2011 BEHRPC44  BEHRPC09  TCP TCP:Flags=...A...., SrcPort=54476, DstPort=HTTP(80), PayloadLen=0, Seq=2136793161, Ack=3457194334, Win=16425 (scale factor 0x2) = 65700 {TCP:8544, IPv4:27}

                                  1:26:19 PM 28/02/2011 BEHRPC44  BEHRPC09  HTTP HTTP:Request, GET /crossdomain.xml {HTTP:8545, TCP:8544, IPv4:27}

                                  1:26:19 PM 28/02/2011 BEHRPC09  BEHRPC44  HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: /crossdomain.xml {HTTP:8545, TCP:8544, IPv4:27}

                                  1:26:20 PM 28/02/2011 BEHRPC44  BEHRPC09  TCP TCP:Flags=...A...., SrcPort=54476, DstPort=HTTP(80), PayloadLen=0, Seq=2136793639, Ack=3457194895, Win=16284 (scale factor 0x2) = 65136 {TCP:8544, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC44  BEHRPC09  TCP TCP:Flags=......S., SrcPort=54477, DstPort=HTTPS(443), PayloadLen=0, Seq=1385287821, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC09  BEHRPC44  TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=54477, PayloadLen=0, Seq=3648600731, Ack=1385287822, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC44  BEHRPC09  TCP TCP:Flags=...A...., SrcPort=54477, DstPort=HTTPS(443), PayloadLen=0, Seq=1385287822, Ack=3648600732, Win=16425 (scale factor 0x2) = 65700 {TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC44  BEHRPC09  TLS TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:8558, SSLVersionSelector:8557, TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC09  BEHRPC44  TLS TLS:TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 Cipher Change Spec; TLS Rec Layer-3 HandShake: Encrypted Handshake Message. {TLS:8558, SSLVersionSelector:8557, TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC44  BEHRPC09  TLS TLS:TLS Rec Layer-1 Cipher Change Spec; TLS Rec Layer-2 HandShake: Encrypted Handshake Message. {TLS:8558, SSLVersionSelector:8557, TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC44  BEHRPC09  TCP TCP:Flags=...A...F, SrcPort=54477, DstPort=HTTPS(443), PayloadLen=0, Seq=1385288017, Ack=3648600877, Win=16388 (scale factor 0x2) = 65552 {TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC09  BEHRPC44  TCP TCP:Flags=...A...., SrcPort=HTTPS(443), DstPort=54477, PayloadLen=0, Seq=3648600877, Ack=1385288018, Win=68 (scale factor 0x8) = 17408 {TCP:8556, IPv4:27}

                                  1:26:33 PM 28/02/2011 BEHRPC09  BEHRPC44  TCP TCP:Flags=...A.R.., SrcPort=HTTPS(443), DstPort=54477, PayloadLen=0, Seq=3648600877, Ack=1385288018, Win=0 (scale factor 0x8) = 0 {TCP:8556, IPv4:27}

                                  • 14. Re: Crossdomain policy
                                    Flex harUI Adobe Employee

                                    What are all the other entries?

                                    • 15. Re: Crossdomain policy
                                      Stere0 Level 1

                                      At 1:26:33 I try to request access to my resources by providing the server side script with a username and password sent through an HTTPService. I assume that everything under that time is the client trying to communicate with the server without Flash Player's permission.

                                      • 16. Re: Crossdomain policy
                                        Stere0 Level 1

                                        Man this is annoying.

                                         

                                        So if I put http://xxx.xx.xx.x/website/website.html  and try to use the HTTPService to login I get the sandbox error.
                                        If I put  https://yyy.yy.yy.y/crossdomain.xml  in the browser and access it everything looks fine.

                                        When I go back and try to use the HTTPService from http://xxx.xx.xx.x/website/website.html  everything now works until I close the browser, which I assume clears the cache.

                                         

                                        ********crossdomain.xml*********

                                        <?xml version="1.0" ?>
                                        <cross-domain-policy>
                                         
                                        <site-control permitted-cross-domain-policies="master-only"/>
                                         
                                        <allow-access-from domain="*"/>
                                         
                                        <allow-http-request-headers-from domain="*" headers="*"/>
                                        </cross-domain-policy>


                                        ********Action Script*************

                                        Security.loadPolicyFile("https://172.22.50.5/crossdomain.xml");
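
Added example (not part of the original thread and not Adobe's code): a Python check over the two policy files posted above. It lists the wildcard grants and evaluates whether a SWF is covered, applying the rule from Adobe's policy file specification that `secure` defaults to true when the policy is served over HTTPS. Assumptions: the DOCTYPE line is omitted from the samples, the domain matching is a simplified stand-in for Flash Player's, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed inputs: the two policies posted in the thread (DOCTYPE omitted).
POLICY_FIRST = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""
POLICY_SECOND = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

GRANTS = ("allow-access-from", "allow-http-request-headers-from")

def audit(policy_xml):
    """List the grants a reviewer would question before production use."""
    findings = []
    for el in ET.fromstring(policy_xml).iter():
        if el.tag not in GRANTS:
            continue
        if el.get("domain") == "*":
            findings.append(f'{el.tag}: domain="*" grants every origin')
        if el.get("headers") == "*":
            findings.append(f'{el.tag}: headers="*" allows any request header')
        if el.get("secure", "true").lower() == "false":
            findings.append(f'{el.tag}: secure="false" admits HTTP-hosted SWFs')
    return findings

def origin(url):
    """(scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def grants(policy_xml, policy_url, swf_url, request_url):
    """True if the policy at policy_url lets the SWF at swf_url load request_url."""
    if origin(policy_url) != origin(request_url):
        return False  # policy comes from a different scheme, host or port
    swf = urlsplit(swf_url)
    for el in ET.fromstring(policy_xml).iter("allow-access-from"):
        # Simplification: shell-style match stands in for "*" / "*.example.com".
        if not fnmatchcase(swf.hostname or "", el.get("domain", "").lower()):
            continue
        secure = el.get("secure", "true").lower() != "false"
        if origin(policy_url)[0] == "https" and secure and swf.scheme != "https":
            continue  # HTTPS policy, secure defaults to true
        return True
    return False
```

Calling `grants()` with an HTTP-hosted SWF, an HTTPS request URL and each policy in turn shows how the `secure` attribute and the policy's own scheme change the outcome.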

                                        • 17. Re: Crossdomain policy
                                          Flex harUI Adobe Employee

                                          Well, I'm not sure I can be of more help.  This is outside my area of expertise.  I don't normally look at network monitor output, I just know that most folks use it to solve these kinds of problems and a monitor called Charles is quite popular.

                                           

                                          Alex Harui

                                          Flex SDK Developer

                                          Adobe Systems Inc.

                                          Blog: http://blogs.adobe.com/aharui