Security Sandbox Violation with Youtube API - actionscript-3

I'm getting a very annoying run time error message, which crashes my flash application when it runs in the browser. The error pertains to a 'Security Sandbox Violation' when I attempt to access Youtube's Gdata api. The exact error message reads:
Error: Request for resource at https://gdata.youtube.com/feeds/api/videos?
key=As##2PVR2#lPj#0bVaw_Tvjx1MI6qeAI1gORxErVYDzu2zZy4D18bf8T6pHxsPgIOhs3_44Te
YTVlYLx49goUPbv00udousA&q=The-Muppets-official-trailer&alt=json&max-results=1
by requestor from http://###.com/cws/f/VV.swf is denied due
to lack of policy file permissions.
*** Security Sandbox Violation ***
When I run the SWF locally, everything works fine.
Any ideas?
Thanks.
Edit: I've just added these lines, but still no luck.
Security.loadPolicyFile("http://www.mydomain.com/crossdomain.xml");
Security.loadPolicyFile("https://gdata.youtube.com/crossdomain.xml");
Security.allowDomain("https://gdata.youtube.com");
Security.allowDomain("gdata.youtube.com");

You need to specify a crossdomain.xml policy-file according to Adobe Flash security rules.
1) Place the crossdomain.xml at the root directory of your website
2) Example content (not recommended)
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
3) Load the policy-file into your project (AS3):
Security.loadPolicyFile("http://www.DOMAIN.net/crossdomain.xml");
Read the reference document for further information.

Related

YouTUBE API for Flash not working

We have a browser flash application which loads the YouTube Embedded AS3 Player to play some YouTube videos (https://developers.google.com/youtube/flash_api_reference)
Yes I know the Flash API is deprecated, Flash is dying, etc. but it is currently the only practical platform for our complex 3D graphic authoring tool, which just as one feature plays YouTube videos; and it would be crazy to force our customers to host their videos on Vimeo to answer this problem.
Everything has been working fine so far (no changes in code or server), until 2 weeks ago, when we were not able to play YouTube videos from the app.
I found that the url format we were using so far was giving a file not found error:
http://www.youtube.com/v/<my video code>?version=3&autoplay=1
After investigating a bit, it seems that Google updated their API Services terms of service.
So following some directions in their page, I changed http to https:
https://www.youtube.com/v/<my video code>?version=3&autoplay=1
When my app tries to load the YouTube player using that url, the Event.COMPLETE event is fired and the player data seems to be loaded fine, but in this part where the YouTube player is assigned to a var:
private function onLoaderComplete(e:Event):void {
var player = e.currentTarget.content;
....
}
It throws the following error:
*** Security Sandbox Violation ***
SecurityDomain http://<my app url> tried to access incompatible context 'https://www.youtube.com/v/<my video code>?version=3&autoplay=1'
SecurityError: Error #2121: Security sandbox violation: LoaderInfo.content: http://<my app url> cannot access https://www.youtube.com/v/<my video code>?version=3&autoplay=1. This may be worked around by calling Security.allowDomain.
I have set all the Security.allowDomain and Security.allowInsecureDomain I can think of (*.youtube.com, *.ytimg.com, https://www.youtube.com, https://s.ytimg.com, etc. and any variation of http and https I can think of). So I don't think this is the problem.
I tried the solution in this thread, where it recommends to use this line to solve Error #2121:
loaderContext.securityDomain = SecurityDomain.currentDomain;
Now it doesn't even fire the Event.COMPLETE event. Only a SecurityErrorEvent.SECURITY_ERROR event, so no content is loaded:
*** Security Sandbox Violation ***
Connection to https://www.youtube.com/v/<my video code>?version=3&autoplay=1 halted - not permitted from http://<my app url>
httpStatus (error): [HTTPStatusEvent type="httpStatus" bubbles=false cancelable=false eventPhase=2 status=0 redirected=true responseURL=null]
SecurityError:
[SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048: Security sandbox violation: http://<my app url> cannot load data from https://www.youtube.com/v/<my video code>?version=3&autoplay=1."]
So I think this is a step backwards.
I thought it may be an HTTP to HTTPS issue, but on the other hand, loading the YouTube Chromeless AS3 player API directly (without play/stop and time line controls), works fine:
https://www.youtube.com/apiplayer?version=3&video_id=<my video code>
Any useful hint will be appreciated.
You got the error Security Sandbox Violation because you are trying to access a web/server file from a local file on your computer which Adobe security does not like. Check out this link
Found also this thread which states that this can happen when the sandbox is configured to be used one way, but is being used in another way by mistake.
Check these related links:
Security Sandbox Violation with Youtube API
Security Sandbox Violation Flash AS3
I ran into the same problem. It seems that Youtube now has a more restricted version of the crossdomain.xml (https://www.youtube.com/crossdomain.xml):
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
whereas it should be
<allow-access-from domain="*" />

403 Forbidden only when accessing via IP

I'm having a really strange issue. I'm embedding a video player via an object tag. If I go to the page via the server url (ex. 127.0.0.1/stream.html rather than localhost/stream.html), the page does load, but stays at a white screen. Using the web developer tool in FireFox, the console shows a 403: Forbidden Error when grabbing the SWF player. When I use the hostname, there is no issue.
Do you have a cross-domain.xml set in your development environment? Meaning is the SWF player hard-coded to embed from localhost/path/to/player.swf, so it would load from the same hostname of localhost but chokes with 127.0.0.1. Read more on this site.
You could attempt to fix this by setting this file at the root of your localhost document root in a file named cross-domain.xml:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

My swf file in my web server can not load json file from another server

I have a swf file in the root of my server named MyREOPS.swf. And there is "index.html" in the root which embeds this swf. MyREOPS.swf in the server loads the link to a json file from an xml, which is also in the same server. Then my swf file loads the json file, using this link it retrieved from the xml. So, here are my questions and problems:
Problems:
When I run swf in my local pc, it loads this json file from external domain url without problem, provided that the folder which contains the swf has permission (I gave permission through http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html). However, when I run the MyREOPS.swf in the webserver through browser, I get this error:
Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http://www.3facts-engineering.com/MyREOPS.swf cannot load data from http://api.video.mail.ru/videos/mail/kulukamuluka/1/19.json.
Weird thing is the swf file was able to read the xml in the web server. I can understand this, because it was actually able to see this link: "http://api.video.mail.ru/videos/mail/kulukamuluka/1/19.json". This was ONLY in that xml.
Aren't swf files downloaded through the browser to the user's pc, then executed? How is it possible for that swf to read the xml in the server? I mean that is what I would like it to do. But it feels like it is impossible for that swf to reach that xml while it runs on my pc, because the url of xml in swf is given as relative, such as "config.xml".
I hope I was able to express myself thoroughly. Thank you in advance.
This is a security feature implemented by the Flash runtime.
Cross-domain policy for Flash movies
For security reasons, a Macromedia Flash movie playing in a web
browser is not allowed to access data that resides outside the exact
web domain from which the SWF originated.
When you run locally, your SWF is executing in Flash Projector; therefore, it operates differently than when embedded from your site.
On the site you wish to connect, create a crossdomain.xml file, as in:
http://example.com/crossdomain.xml
Within that crossdomain.xml, add parameters, such as:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" />
<allow-access-from domain="*" to-ports="80,443"/>
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

Error message appear in a old running flash application during AMFPHP call

My app was working fine until today. The problem is that each request to amfphp returns an error message like:
Client.Error.Message Send
Fail to send
In fact, this message is the fault function I put in the caller.
<s:CallResponder id="tracefilm"/>
<trace:Trace id="traceFilm" fault="Alert.show(event.fault.faultString + '\n' + event.fault.faultDetail)" result="traceMaked(event)" showBusyCursor="true"/>
Because I don't know how to find where the problem is... I'll try to view what happens thanks to firebug plugin of FF during execution time.
The solution is simple. I've just fixed this issue in an old streaming app (100% flash).
If you encountered the problem in an old app, you probably don't have the crossdomain.xml file in the root directory of the web server. See Adobe explanation for more details.
I found the solution thanks to firebug. In fact, during Flash loading, the browser tried to access a file called crossdomain.xml. Of course, the server response was 404 for my part...
You just have to create crossdomain.xml in the server, and to add this piece of code inside:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
Now your application, like mine, will work again.

Error Handling issues

Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation:
I don't get this error on my local host but I do when I upload it to my server. How
do I properly fix this in Flash CS4?
Check where you are pointing to for any external assets or data. More than likely you need a crossdomain.xml file that will say that it is okay for your server to access the data. To be clear, you need the crossdomain file where the assets are that you are pulling.
More information here: http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
An example of a wide open crossdomain.xml file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
You can specify a domain where the * is and list multiple allow-access-from nodes. You can also specify all subdomains on a domain by saying *.mydomain.com
To be clear, you do not want to go to production with the wide open example I have given, but it is something you can use to test out and make sure this is your problem. Once you verify this then you can restrict it to the appropriate levels.
Basically though you just create a file called crossdomain.xml and put this xml in it.
Make sure it is placed at the root of the server that the data or assets are being pulled from.
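An added example, not part of the original answers: a Python check that parses a crossdomain.xml policy, reports the wide-open entries shown in the answers above, and tests whether a given requesting host is admitted. The sample policies, the host names (www.example.com, other.example.net) and the function names are constructed for illustration, and the host matching is a simplified approximation of Flash Player's rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies. WIDE_OPEN combines the permissive entries from
# the answers above; RESTRICTED names its requesters (placeholder domains).
WIDE_OPEN = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="80,443"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""
RESTRICTED = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.youtube.com"/>
</cross-domain-policy>"""


def audit_policy(policy_xml):
    """Return findings for entries that open the server to every requester."""
    # Parse only policy files you trust; use a hardened parser for untrusted XML.
    root = ET.fromstring(policy_xml)
    findings = []
    for el in root.iter("allow-access-from"):
        if el.get("domain", "").strip() == "*":
            findings.append("allow-access-from: any domain may read responses")
        if el.get("secure", "true").strip().lower() == "false":
            findings.append("allow-access-from: secure=false admits HTTP requesters to HTTPS data")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain", "").strip() == "*" and el.get("headers", "").strip() == "*":
            findings.append("allow-http-request-headers-from: any domain may send any header")
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies", "").strip() == "all":
            findings.append("site-control: policy files anywhere on the host are honored")
    return findings


def requester_allowed(policy_xml, host):
    """Simplified match of a requesting host against allow-access-from entries."""
    host = host.lower()
    for el in ET.fromstring(policy_xml).iter("allow-access-from"):
        pattern = el.get("domain", "").strip().lower()
        if pattern == "*" or pattern == host:
            return True
        # "*.youtube.com" is treated here as a suffix match on ".youtube.com".
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("wide open", WIDE_OPEN), ("restricted", RESTRICTED)):
        print(name, audit_policy(policy) or "no wildcard findings")
```

A policy that lists only specific domains, as in the YouTube file quoted earlier on this page, rejects a SWF served from any other host, which is the denial the sandbox errors report.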