We have a browser flash application which loads the YouTube Embedded AS3 Player to play some YouTube videos (https://developers.google.com/youtube/flash_api_reference)
Yes I know the Flash API is deprecated, Flash is dying, etc. but it is currently the only practical platform for our complex 3D graphic authoring tool, which just as one feature plays YouTube videos; and it would be crazy to force our customers to host their videos on Vimeo to answer this problem.
Everything has been working fine so far (no changes in code or server), until 2 weeks ago, where we were not able to play YouTube videos from the app.
I found that the url format we were using so far was giving a file not found error:
http://www.youtube.com/v/<my video code>?version=3&autoplay=1
After investigating a bit, it seems that Google updated their API Services terms of service.
So following some directions in their page, I changed http to https:
https://www.youtube.com/v/<my video code>?version=3&autoplay=1
When my app tries to load the YouTube player using that url, the Event.COMPLETE event is fired and the player data seems to be loaded fine, but in this part where the YouTube player is assigned to a var:
private function onLoaderComplete(e:Event):void {
var player = e.currentTarget.content;
....
}
It throws the following error:
*** Security Sandbox Violation ***
SecurityDomain http://<my app url> tried to access incompatible context 'https://www.youtube.com/v/<my video code>?version=3&autoplay=1'
SecurityError: Error #2121: Security sandbox violation: LoaderInfo.content: http://<my app url> cannot access https://www.youtube.com/v/<my video code>?version=3&autoplay=1. This may be worked around by calling Security.allowDomain.
I have set all the Security.allowDomain and Security.allowInsecureDomain I can think of (*.youtube.com, *.ytimg.com, https ://www.youtube.com, https://s.ytimg.com, etc. and any variation of http and https I can think of). So I don't think this is the problem.
I tried the solution in this thread, where it recommends to use this line to solve Error #2121:
loaderContext.securityDomain = SecurityDomain.currentDomain;
Now it doesn't even fire the Event.COMPLETE event. Only a SecurityErrorEvent.SECURITY_ERROR event, so no content is loaded:
*** Security Sandbox Violation ***
Connection to https://www.youtube.com/v/<my video code>?version=3&autoplay=1 halted - not permitted from http://<my app url>
httpStatus (error): [HTTPStatusEvent type="httpStatus" bubbles=false cancelable=false eventPhase=2 status=0 redirected=true responseURL=null]
SecurityError:
[SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048: Security sandbox violation: http://<my app url> cannot load data from https://www.youtube.com/v/<my video code>?version=3&autoplay=1."]
So I think this is a step backwards.
I thought it may be an HTTP to HTTPS issue, but on the other hand, loading the YouTube Chromeless AS3 player API directly (without play/stop and time line controls), works fine:
https://www.youtube.com/apiplayer?version=3&video_id=<my video code>
Any useful hint will be appreciated.
You got the error Security Sandbox Violation because you are trying to access a web/server file from a local file on your computer which Adobe security does not like. Check out this link
Found also this thread which states that this can happen when the sandbox is configured to be used one way, but is being used in another way by mistake.
Check these related links:
Security Sandbox Violation with Youtube API
Security Sandbox Violation Flash AS3
I ran into the same problem. It seems that Youtube now has a more restricted version of the crossdomain.xml (https://www.youtube.com/crossdomain.xml):
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
whereas it should be
<allow-access-from domain="*" />
Related
I followed a tutorial on how to make a multiplayer tetris game, here is the repo:
https://github.com/Leftier/tetris
It worked just fine on localhost so I tried to deploy it in heroku (https://tetrixtest.herokuapp.com/ --ASD to move Q/E to rotate) but I get the following error:
WebSocket connection to 'wss://tetrixtest.herokuapp.com/' failed: Error during WebSocket handshake: Unexpected response code: 200
while trying to create the webSocket in this line (connection-manager.js line 14):
this.conn = new WebSocket(`wss://${window.location.hostname}:${window.location.port}`)
I don't know much about webSockets,
at first I thought that heroku was not able to handle websockets but that wasn't the case so I tried using the link directly as an argument instead of reading it from the browser but still the same issue.
I would like some clues/hints about why does this happens, I searched in google and github, but I only found issues related to socket.io
For me the solution was to turn on "Session affinity" by running this command heroku features:enable http-session-affinity
More info at https://devcenter.heroku.com/articles/session-affinity
Session affinity, sometimes referred to as sticky sessions, is a
platform feature that associates all HTTP requests coming from an
end-user with a single application instance (web dyno).
I downloaded the library as3-websocket-server for a desktop AIR app and it works fine on Chrome.
When I use Firefox it is ok for HTTP pages, while I get an error message if I test it on HTTPS pages:
SecurityError: The operation is insecure."
I read that I should use wss:// rather than ws://, but the AIR server doesn't work with this protocol.
I tried to convert all "Socket" to "SecureSocket" in the Air App but I get an error:
1118: Implicit coercion of a value with static type flash.net:Socket
to a possibly unrelated type flash.net:SecureSocket
Any idea on how to have the server available for both protocols? On the client side I could just check if I'm on HTTP or HTTPS and call the right websocket.
Thanks
I'm attempting to write a file to an ftp server with ActionScript. I've put a crossdomain.xml in the root directory, and my application accepts it: OK: Policy file accepted: ftp://ftp.mydomain.com/crossdomain.xml. However I still get a security sandbox violation:
*** Security Sandbox Violation ***
Connection to ftp://ftp.mydomain.com:21 halted - not permitted from https://www.mydomain.com.localhost/path/App.swf'
Does this have something to do with the .localhost loopback, or is there something off with my policy file? Something else? Any help is greatly appreciated.
P.S.: I've also tried Security.allowDomain and Security.allowInsecureDomain, but to no avail.
I am trying to write a use-anywhere (web, air, mobile) OAuth library for AS3 that is flexible enough to use with any OAuth site or near OAuth.
My sample app I am writing authenticates with Google and I want to write an app that uses google drive.
At the moment the Air and mobile apps work fine but the web flash player app keeps giving me this error:
Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http://localhost:81/OAuthWebExample.swf cannot load data from https://accounts.google.com/o/oauth2/token.
(I get the same error when on a non-localhost domain on port 80)
I have looked at https://accounts.google.com/crossdomain.xml which has:
<site-control permitted-cross-domain-policies="by-content-type" />
I am not sure what that means...
I am pretty sure that it is possible to get flash to talk to these google APIs. What can I do to get this to work?
(I'm not interested in the "work round" where you use feedburner or something similar to proxy these calls thanks).
I have looked at https://accounts.google.com/crossdomain.xml
It's the master policy file and it doesn't grant permissions to the content of accounts.google.com domain (there isn't allow-access-from nodes withing it), so flash player fires securityError
I am not sure what that means...
It means:
by-content-type: [HTTP/HTTPS only] Only policy files served with
Content-Type: text/x-cross-domain-policy are allowed
So it seems it's designed for sub-domain services and child crossdomain.xml files so you can't load data directly from accounts.google.com. I found the same issue with Google OAuth for flash Google Oauth crossdomain.xml problem with Flex and they have to use old AuthSub (it uses accounts.googleapis.com with proper crossdomain.xml) to solve the auth problem and it seem nothing were changed for the past two years.
Check the Flash player security on compile, local or external.
The AIR applications can connect to external and local files, but a embedded swf can't do it
https://www.adobe.com/security/flashplayer/articles/localcontent/
I'm getting a very annoying run time error message, which crashes my flash application when it runs in the browser. The error pertains to a 'Security Sandbox Violation' when I attempt to access Youtube's Gdata api. The exact error message reads:
Error: Request for resource at https://gdata.youtube.com/feeds/api/videos?
key=As##2PVR2#lPj#0bVaw_Tvjx1MI6qeAI1gORxErVYDzu2zZy4D18bf8T6pHxsPgIOhs3_44Te
YTVlYLx49goUPbv00udousA&q=The-Muppets-official-trailer&alt=json&max-results=1
by requestor from http://###.com/cws/f/VV.swf is denied due
to lack of policy file permissions.
*** Security Sandbox Violation ***
When I run the SWF locally, everything works fine.
Any ideas?
Thanks.
Edit: I've just added these lines, but still no luck.
Security.loadPolicyFile("http://www.mydomain.com/crossdomain.xml");
Security.loadPolicyFile("https://gdata.youtube.com/crossdomain.xml");
Security.allowDomain("https://gdata.youtube.com");
Security.allowDomain("gdata.youtube.com");
You need to specify a crossdomain.xml policy-file according to Adobe Flash security rules.
1) Place the crossdomain.xml at the root directory of your website
2) Example content (not recommended)
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
3) Load the policy-file into your project (AS3):
System.security.loadPolicyFile("http://www.DOMAIN.net/crossdomain.xml");
Read the reference document for further information.