(ActionScript3) Hi, I'm trying to work out why a URLRequest is failing when viewed via a third party website. Ideally any error could be pointed out in the below code, however, I think it's fine as similar things we do work fine.
Next to ideal would be URLRequest error handling, how can I find out WHY the URLRequest is not pulling the information from time.php? Even if it's just output to a textbox on the timeline (everything works fine when done from the testing environment)
Many thanks
Craig
Scenario:
domain.com (Server 1): file.swf uses a URLRequest to load domain.com/time.php?a=b (so the PHP and the SWF are both hosted on the same domain and server)
example.com (Server 2): PHP page embedding file.swf (which in turn URLRequests time.php)
Outcomes:
When you access file.swf directly via browser, it loads the data from time.php just fine
When you view the page file.swf is embedded on, on Server 2 the loading fails
file.swf
var loaderNameHolder;
var loaderNameHolderLoader:URLLoader = new URLLoader();
var loaderNameHolderURLRqst:URLRequest = new URLRequest('http://domain.com/time.php?a=b');
loaderNameHolderLoader.addEventListener(Event.COMPLETE, loaderNameHolderURLFunc);
loaderNameHolderLoader.load(loaderNameHolderURLRqst);
function loaderNameHolderURLFunc(e:Event):void{
loaderNameHolder = loaderNameHolderLoader.data
gotoAndStop(loaderNameHolder);
}
Security
There is a crossdomain XML in place on the domain's root folder, it seems to make no difference (or is not being referenced/used correctly) however as mentioned similar things I do work fine without modifying this XML
It sounds like a security issue, although you say that you have the crossdomain file in place.
Have you checked the http calls with a tool like Charles (http://www.charlesproxy.com/)? This is definitely the best way to debug such a problem.
Thanks for the tips above, they'll be great resources to keep.
The actual issue was that the Requested URL didn't include "www" (I think because the SWF is embedded with the WWW so it was coming from an "outside" domain. I think I need www.domain.com in my own security XML).
Craig
try adding this code
Security.allowDomain("*");
Security.loadPolicyFile("http://domain.com/crossdomain.xml");
and read about crossdomain.xml using links given here: https://stackoverflow.com/a/9728845/2234089
Related
Can anyone please describe what is the flash pipeline when looking for crossdomain.xml file?
I am sometimes receive SECURITY_ERROR (#2700) from flash.
Trying to find the issue, I'd like to understand better the crossdomain loading pipeline.
I mean, Does it looks first in cached files in my browser? What does it do when going to server?
For example, I thought about such solution:
I'll put the link resources into html page Head section to download crossdomain before I am loading my flash object
In case of failure - I'll try to handle this from JS and notify server (somehow, not the issue)
But if the file was downloaded during html page loading - does it ensure me that flash will be able to load it? (may be from cached documents?)
I am completely-unfamiliar with this domain, so any help will be more than appreciated!
I have crawled the web quite a lot these days, but couldn't get any accurate information on how crossdomain.xml files behave in case of 302 redirects; especially with the sandboxes having changed significantly over the last versions!
I am relatively new to flash... so any advice is more than appreciated!
I have been working on a project lately that uses audio streams with some sort of CDN distribution! what happens is that a common url is triggered, and then the user is dynamically redirected to the next best server available. In my case, i have no access at the server side of things (at least not anytime soon). And the only path providing an appropriate crossdomain.xml is the one performing the redirect. All the other dynamic paths provide exclusively content!
http://resource.domain.com (valid crossdomain.xml)
302 => http://dyn1.domain.com/...
302 => http://dyn2.domain.com/...
302 => http://dyn3.domain.com/...
I noticed that flash doesn't care much if i try to load the audio stream with something like...
var req :URLRequest = new URLRequest("http://resource.domain.com");
var sound :Sound = new Sound(req); // ie. effectively playing http://dyn3.domain.com
sound.play();
It gets both redirecting, and streaming done well! and doesn't bother for any crossdomain file and starts playing!
Although when i try something different, like setting up some custom headers to the request and loading the file with URLStream instead, everything gets messy! Well, the redirect gets done, as expected but all of a sudden i need another crossdomain file in the redirected location!
Is there any explanation to whats happening and eventually ways to resolve this?!
Thanks for your time!
It comes as a site question : i noticed everything to work flawlessly while being in the local-trusted sandbox and errors happening mainly if not exclusively in the remote sandbox. is it possible that the local-trusted sandbox doesn't care about crossdomain policy files at all!?
Summary
Add crossdomain.xml to each CDN host or adopt to limited Sound functionality.
Details
SWF files that are assigned to the local-trusted sandbox can interact with any other SWF files and can load data from anywhere (remote or local).
Sound can load stuff from other domains that don't allow access using cross-domain policy with certain restrictions:
Certain operations dealing with sound are restricted. The data in a
loaded sound cannot be accessed by a file in a different domain unless
you implement a cross-domain policy file. Sound-related APIs that fall
under this restriction are Sound.id3, SoundMixer.computeSpectrum(),
SoundMixer.bufferTime, and the SoundTransform class.
Flash in general has pretty complex cross-domain policies but in your case the bottom line is that you'll need to have proper crossdmain.xml on each host except the one that serves the SWF:
3.1. If your file is served from http://resource.domain.com it's not required to have http://resource.domain.com/crossdomain.xml but it's really good to have one.
3.2. You will need to have proper http://dyn2.domain.com/crossdomain.xml explicitly allowing your SWF to access dyn2.domain.com to be able to use URLLoader and other APIs that provide access to raw loaded data.
3.3. There's a reason for these restrictions - cookies (and other ambient user credentials). If Flash would not require proper cross-domains after a redirect, one could access any domain with user cookies attached by simply loading his own redirector first. This means accessing all user cookie-protected data (e.g. mail.google.com) from any SWF on the internet that's running in your browser.
I am trying to play story_html5.html video from Amazon Cloud fount in a IFrame, "story.html" is working fine in Iframe, but when use story_html5.html, it gives error.
Unsafe JavaScript attempt to access frame with URL "URL1" from frame with URL "URL2". Domains, protocols and ports must match.
Please let me know about the solution.
Thanks,
Laxmilal Menaria
I believe the html5 version of the file may be called once the code determines it's needed. Based on this, your personal code may look like it's trying to hijack the process and causing the exception. W/out the exact code you're working with though, it's hard to say. This is just based on my pulling apart some of the files a while back.
Two important points.
1 - SWF must have ability to loading binary data from any domain.
2 - SWF cant load policy XML file from url, cause upload form allows me only to upload swf files, so I cant include any other data.
I tried:
Security.allowDomain("*");
But it works only for SWF files.
I tried to embed policy XML file:
var dataXML:XML =
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>;
But Security.loadPolicyFile(url:String) allows only to set file url, not data.
So my question is, how can I allow SWF to load binary files from different domains without having any additional file?
URLLoader code:
var request:URLRequest = new URLRequest("http://differentdomain.com/binaryfile.dat");
var words:URLLoader = new URLLoader();
words.dataFormat = URLLoaderDataFormat.BINARY;
words.addEventListener(Event.COMPLETE, prepareFile);
words.addEventListener(IOErrorEvent.IO_ERROR, loadError);
words.addEventListener(SecurityErrorEvent.SECURITY_ERROR, secureError);
words.load(request);
This will make an security error, if file is from different domain than SWF file.
Thanks for any help.
Its possible to get binary data from JavaScript using ExternatInterface in AS3 code.
Here is cross-browser library for reading files binary: binary reader and later version jDataView
Hope this will help someone.
Thanks to Jonatan Hedborg for idea.
You should read this before : http://kb2.adobe.com/cps/142/tn_14213.html
And you can use a proxy script, search on google/stackoverflow you'll find a lot of answers...
Take a look at this: http://wonderfl.net/c/gJXA
Some trick which works with any binary data from any domain, without need to use ajax or own proxy script (sometimes you dont have possibility to upload php scripts).
Flash is control that most commonly used by HTML pages. As result it needs to follow security restrictions places on other (i.e. JavaScript) objects on the same page.
Web pages use same origin security policy - objects on a page can't read data from domains different from domain of the current page.
There are cases when servers for other domains allow such access. I.e. in Flash case it is crossdomain.xml, similar policy file exist for Silverlight, there are several ways to handle it for JavaScript including JSONP.
Incorrect usage of ways to bypass same origin policy leads to cross-site scripting issues on your site/page that host your control which often leads to leaking personal information.
I had to tackle a similar problem a while ago and managed to make use of UrlStream to load the target SWF's bytes at runtime.
gist: https://gist.github.com/1988661
Really puzzled by the flaky behavior of LocalConnection.
Using a debug utility(LuminicBox) that uses localConnection to work.
When the page containing the swf is loaded in a browser locally , localConnection works.
When the identical page and swf are viewed 'live' on a remote site, localConnection fails.
Anyone encounter this??
By default LocalConnection allows communication between swfs loaded from the same domain. When you're loading the swf in the browser, the debug utility also has to be loaded in the browser from the same domain.
You can get LocalConnection to work across domains but it requires more configuration. Here's a link to Flex's docs on the subject. This issue is the same for Flash/Flex.
http://livedocs.adobe.com/flex/3/langref/flash/net/LocalConnection.html
I haven't used LuminicBox, but if you have access to the code that initializes the receiving LocalConnection object, call allowDomain("your.domain") on that object.
var lc:LocalConnection = new LocalConnection()
lc.allowDomain("your.domain.com");
//or even better - allow all domains
lc.allowDomain("*");
If the receiving SWF is hosted on an HTTPS page and the sender on a normal page, you need to call allowInsecureDomain.
lc.allowInsecureDomain("your.domain.com");
I think part of the problem is that I DON"T have access to the code that initializes the receiving LocalConnection object, just the sending LC (my application).
I would assume though, that the author of the debug utility would have definitely used lc.allowDomain("*"); Will check further.
The only other cause I am aware of is having an existing LC connection already open, when you try and open a new one.