as3 sandbox security violation with http://schemas.xmlsoap.org/soap/encoding/ - actionscript-3

I implemented a gSoap C++ webservice server to be accessed by Flash (AS3). Everything runs smoothly as long as I test the .swf locally: the .wsdl is loaded fine and the communication works, even with the server already running on an external IP.
But the moment I put that .swf online, it comes up with sandbox security violations crying about the standard schemas, like this:
Error: [strict] Ignoring policy file at http://schemas.xmlsoap.org/crossdomain.xml
due to incorrect syntax. See http://www.adobe.com/go/strict_policy_files to fix this
problem.
*** Security Sandbox Violation ***
Connection to http://schemas.xmlsoap.org/soap/encoding/ halted - not permitted from
http://mydomain.com/main.swf
Error: Request for resource at http://schemas.xmlsoap.org/soap/encoding/ by requestor
from http://mydomain.com/main.swf is denied due to lack of policy file
permissions.
Can somebody help me with that problem?
Or is there maybe a good way to define one simple webservice method (like stringResult = command(stringSessionId, stringCommand, stringParams, stringResult)) without loading the .wsdl file? If I had that possibility I wouldn't have to stumble over that sandbox stuff.
Any help appreciated.

The crossdomain policy file is absent. It should be at this location. You are able to load the 'wsdl' from your local machine because your sandbox is local-trusted (i.e. the most convenient sandbox). So currently I can't see any way to accomplish this in Flash unless there is a crossdomain policy file at the desired location.
But you can try the Server Side Proxy Method for loading the wsdl.

Flash doesn't allow loading content from domains other than the one where your SWF is hosted unless those domains allow you to do it. Remote domains can choose to allow SWFs in your domain to load content from them using a crossdomain.xml policy file hosted at their web root.
Here are some sample policy files: YouTube, Twitter. Check the Adobe link on policy files to know more.
The error message "ignoring due to incorrect syntax" indicates that the policy file is present there but not well formed or has some syntax errors. But I cannot find anything at http://schemas.xmlsoap.org/crossdomain.xml.
Where is your web service hosted? What are you trying to load from http://schemas.xmlsoap.org/soap/encoding/?

Thanks for the comments. The real problem here is that the gSoap-generated wsdl file tries to "access" these domains all over the place, so that crossdomain stuff is out of my hands. Anyway, I solved the issue now by writing the wsdl by hand without all that gSoap mega bloating, so it's just accessing the w3c.* domains, and they ARE obviously crossdomained right.

Related

Error in Power BI Desktop when getting data from Azure Blob Storage

I have json files in one of my containers in Azure Blob Storage.
For some reason last week I could download these files as a data source into Power BI Desktop and today I keep getting errors even though nothing changed (as far as I know, I am new to this).
This is the error I get:
An error occurred in the ‘Sample File’ query. DataSource.Error: AzureBlobs failed to get contents from 'https://smartplugdata.blob.core.windows.net/democontainer/'. Status code: 407, description: 'Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )'.
Details:
DataSourceKind=AzureBlobs
DataSourcePath=https://smartplugdata.blob.core.windows.net/democontainer
Url=https://smartplugdata.blob.core.windows.net/democontainer/
I don't understand what the problem is. Sometimes I can access the files but then I cannot access the content of the files. Other times I can't even access the files. Thanks.
Forefront TMG is security software installed on your network. Something in its policies is blocking the request that you are trying to send to Azure. Talking to your local admin should help you figure out which rule is causing the software to block the request and resolve it.

Cross-origin error in canvas html5 kineticJS using path file://

I want to create an image from my canvas. I'm using kineticjs, but I get the error: "Kinetic warning: Unable to get data URL. Failed to execute 'toDataURL' on 'HTMLCanvasElement': Tainted canvases may not be exported." I suppose that it's caused by a cross-origin error. In the canvas I use locally saved images and the address path starts with "file://..". Is there any solution for creating the image without installing Apache? Thanks.
Your local hard drive is deemed to be "other domain" by browsers and will taint Canvas.
That's a good thing! You don't want malicious code to get at stuff on your personal drive.
Some workarounds:
Install a web server on your computer.
Put your image(s) and all files associated with your web app on the desktop (this may/may not help depending on where you got the images to begin with).
Temporarily host your images on a site that allows anonymous cross-origin access to your images.

Crossdomain policy behaviour on 302 redirects in AS3

I have crawled the web quite a lot these days, but couldn't get any accurate information on how crossdomain.xml files behave in the case of 302 redirects; especially with the sandboxes having changed significantly over the last versions!
I am relatively new to Flash... so any advice is more than appreciated!
I have been working on a project lately that uses audio streams with some sort of CDN distribution! What happens is that a common URL is triggered, and then the user is dynamically redirected to the next best server available. In my case, I have no access to the server side of things (at least not anytime soon). And the only path providing an appropriate crossdomain.xml is the one performing the redirect. All the other dynamic paths provide exclusively content!
http://resource.domain.com (valid crossdomain.xml)
302 => http://dyn1.domain.com/...
302 => http://dyn2.domain.com/...
302 => http://dyn3.domain.com/...
I noticed that Flash doesn't care much if I try to load the audio stream with something like...
var req :URLRequest = new URLRequest("http://resource.domain.com");
var sound :Sound = new Sound(req); // i.e. effectively playing http://dyn3.domain.com
sound.play();
It gets both the redirecting and the streaming done well, doesn't bother with any crossdomain file and starts playing!
Although when I try something different, like setting up some custom headers on the request and loading the file with URLStream instead, everything gets messy! Well, the redirect gets done, as expected, but all of a sudden I need another crossdomain file in the redirected location!
Is there any explanation for what's happening and eventually ways to resolve this?!
Thanks for your time!
It comes as a side question: I noticed everything to work flawlessly while being in the local-trusted sandbox and errors happening mainly if not exclusively in the remote sandbox. Is it possible that the local-trusted sandbox doesn't care about crossdomain policy files at all!?
Summary
Add crossdomain.xml to each CDN host or adapt to the limited Sound functionality.
Details
SWF files that are assigned to the local-trusted sandbox can interact with any other SWF files and can load data from anywhere (remote or local).
Sound can load stuff from other domains that don't allow access using a cross-domain policy, with certain restrictions:
Certain operations dealing with sound are restricted. The data in a loaded sound cannot be accessed by a file in a different domain unless you implement a cross-domain policy file. Sound-related APIs that fall under this restriction are Sound.id3, SoundMixer.computeSpectrum(), SoundMixer.bufferTime, and the SoundTransform class.
Flash in general has pretty complex cross-domain policies, but in your case the bottom line is that you'll need to have a proper crossdomain.xml on each host except the one that serves the SWF:
3.1. If your file is served from http://resource.domain.com it's not required to have http://resource.domain.com/crossdomain.xml but it's really good to have one.
3.2. You will need to have proper http://dyn2.domain.com/crossdomain.xml explicitly allowing your SWF to access dyn2.domain.com to be able to use URLLoader and other APIs that provide access to raw loaded data.
3.3. There's a reason for these restrictions: cookies (and other ambient user credentials). If Flash did not require proper cross-domain policies after a redirect, one could access any domain with the user's cookies attached by simply loading one's own redirector first. This means accessing all cookie-protected user data (e.g. mail.google.com) from any SWF on the internet that's running in your browser.
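The check the player performs against a host's crossdomain.xml, covering both the "ignoring due to incorrect syntax" case discussed in the first question and the "proper policy on each redirected host" point above, as an added Python example that is not part of any answer here. The sample policies are constructed, and the subdomain-wildcard matching semantics are an assumption.

```python
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Constructed sample policy: only the owning site and its subdomains, https only.
WELL_FORMED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="mydomain.com" secure="true"/>
  <allow-access-from domain="*.mydomain.com" secure="true"/>
</cross-domain-policy>"""

# Constructed sample with an unclosed element: the player logs
# "Ignoring policy file ... due to incorrect syntax" and treats it as absent.
BROKEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="mydomain.com">
</cross-domain-policy>"""

def domain_matches(pattern, host):
    """Exact host, '*' for everyone, or '*.example.com' for hosts ending in
    '.example.com' (assumed wildcard semantics for this example)."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def evaluate_policy(policy_xml, swf_host):
    """Return (allowed, findings). allowed is None when the file is not well
    formed, mirroring the player ignoring the file entirely; findings lists
    settings a defender would want flagged."""
    findings = []
    try:
        root = ET.fromstring(policy_xml)
    except ParseError as exc:
        return None, [f"policy not well formed: {exc}"]
    if root.tag != "cross-domain-policy":
        return None, ["root element is not <cross-domain-policy>"]
    allowed = False
    for rule in root.findall("allow-access-from"):
        pattern = rule.get("domain", "")
        if pattern == "*":
            findings.append("wildcard '*' grants every site on the internet access")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {pattern} lets http SWFs read https data')
        if domain_matches(pattern, swf_host):
            allowed = True
    return allowed, findings
```

A host that only serves redirected content (dyn2.domain.com in the question) needs its own file evaluating to allowed for the SWF's host; the file on the redirecting host does not carry over.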

Obvious security flaws in redirect?

I have a web app that stores videos. I am using a Java servlet (over HTTPS) which verifies a username and password. Once the details are verified, I redirect the user to a video stored in AWS S3. For those who don't know how S3 works, it's just a web service that stores objects (basically think of it as storing files). It also uses HTTPS. Now obviously to make this work, the S3 object (file) is public. I've given it a random name full of numbers and letters.
So the servlet basically looks like this:
void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // Credentials arrive as query parameters of the video URL (see below).
    if (authenticateUser(request.getParameter("Username"), request.getParameter("Password"))) {
        // The object itself is public; only its name is secret.
        response.sendRedirect("https://s3.amazonaws.com/myBucket/xyz1234567.mp4");
    }
}
This is obviously simplified but it gets the point across. Are there any very obvious security flaws here? The video tag will obviously have a source of something like https://www.mysite.com/getVideo?Username="Me"&Password="randomletters". At first blush it seems like it should be as secure as anything else, assuming I give the files sitting at AWS S3 sufficiently random names?
The obvious security flaw is that anybody could detect which URL the authentication servlet redirects to, and share this URL with all his friends, thus allowing anyone to access the resource directly, without going through the authentication servlet.
Unfortunately, I don't know S3 at all, so I can't recommend any fix to the security problem.
All this mechanism does is provide a very limited obfuscation: using developer tools in most modern browsers (or a proxy such as Fiddler) a user will be able to watch the URL of the video that's being loaded and, if it's in a public S3 bucket, then simply share the link.
With S3 your only real solution would be to secure the bucket and then either require that the user is logged in or use the temporary tokens for access [http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html] ... though this does complicate your solution.
I would also mention that including the password and username in plaintext on the link to the video asset (from the question above) is very insecure.
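The temporary-token approach the answer points to, as an added Python example (not the asker's servlet and not AWS library code): it builds a query-string-authenticated GET URL for a private object using the legacy signature version 2 scheme described on the linked RESTAuthentication page, plus a verifier that shows why a copied link stops working once Expires passes or the path is altered. Access key, secret, bucket and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder credentials; real ones stay on the servlet side only.
ACCESS_KEY = "AKIAEXAMPLEKEY"
SECRET_KEY = b"example-secret-key-not-real"
BUCKET = "myBucket"

def presign_get(key, expires_at, access_key=ACCESS_KEY, secret=SECRET_KEY, bucket=BUCKET):
    """Signature v2 query-string auth for a plain GET on a private object.
    StringToSign is "GET\\n\\n\\n<Expires>\\n/<bucket>/<key>" (no Content-MD5,
    Content-Type or x-amz headers); key is assumed to need no URL encoding."""
    resource = f"/{bucket}/{key}"
    string_to_sign = f"GET\n\n\n{expires_at}\n{resource}"
    digest = hmac.new(secret, string_to_sign.encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    query = urlencode({"AWSAccessKeyId": access_key,
                       "Expires": expires_at,        # Unix epoch seconds
                       "Signature": signature})
    return f"https://s3.amazonaws.com{resource}?{query}"

def verify_presigned(url, now, secret=SECRET_KEY):
    """Re-derive the signature the way the storage service would: reject
    expired links and links whose path or Expires value was tampered with."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["Expires"][0])
        presented = params["Signature"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires_at:
        return False
    string_to_sign = f"GET\n\n\n{expires_at}\n{parsed.path}"
    expected = base64.b64encode(
        hmac.new(secret, string_to_sign.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, presented)
```

The servlet would redirect to presign_get(...) with an expiry a minute or so ahead instead of the fixed public URL, and the bucket is made private so the bare object URL returns 403; the username and password then never need to appear in the video URL.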

How to get Content-Type when uploading file from flash - is it possible?

We have a small Flash component on our website/application to upload multiple files.
This works fine; however, we want to get the Content-Type from the headers and it's always set to 'application/octet-stream'. From what I've learned this is due to the security of the Flash sandbox and FileUpLoad will never give this to us.
Is there any other way we could do this in Flash (aside from creating an HTML/AJAX multi-file upload)?
Many thanks
We have had a similar problem when uploading from a browser. What is sent in the content type is dependent upon the browser and what is installed on the client machine. If it is an extension that the client machine does not recognise, it will come back as application/octet-stream.
What we ended up doing was creating mapping functionality from the file extension to the content type. That way we could ensure consistency.