crossdomain.xml and Player 10

I have a series of course templates created in Flash that access their content (XML and FLV) from a different server. These were working fine with a crossdomain.xml file in place with the following code and the user having player 9:

Code:

---

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="training.bulab.com" />
    <allow-access-from domain="memnt29.bulab.com" />
    <allow-access-from domain="memnt9.bulab.com" />
</cross-domain-policy>

---

When users upgraded to 10, there was no data coming in. The issue has to be security because we have other courses with the same structure, but their content is on the same server and there is no "Security.loadPolicyFile" call.

I tried reading the lame Adobe documentation on the security "upgrades" in 10 and the best I could do is the following:

Code:

---

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

---

This is in the root directory that contains multiple directories with files for each of the courses. This is the only crossdomain file in the main or sub-directories. The AS that accesses the file is:

Code:

---

Security.loadPolicyFile("http://ptws1.bulab.com/userfiles/portaltraining/crossdomain.xml");

---

The data is not getting through. Any help would be greatly appreciated!

More Info --
I have hacked a way to find out some of what's going on. The cross domain policy file is loading, but I'm getting a Security Error Event when the swf tries to load the XML. I am getting an Error #2048. This setup worked fine with player 9. What has changed with the player that would keep the setup from working now? What do I need to change to make this work? I'm running into deadends on all my searches.

This...should have become a problem with the 9.0.24 player...
no?

I would pull out the master-only line. And you need a copy of this crossdomain.xml on each of the servers where the data's being accessed...

Thanks for the response.

I have a user that still has 9.0.45.0 on his computer and the data is coming in just like it should. I try the same course with my version 10.0.12.36 and I get the following when the swf tries to read an XML file from the target server:
SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048"

I deleted the master-only and it didn't make any difference.

There is only one server with content - the crossdomain file is in the root and content is in individual folders under that root.

???????

This is obviously of deep concern. I haven't upgraded to FP10 yet and now I'm stressing that half a dozen of my own crossdomain apps will be broken, so whatever you find out, please post it here.
Whatever you're loading up, are you creating a LoaderContext and then specifying that as the context for the Loader?
I'm reading this and getting paranoid about other things as well...
http://www.adobe.com/devnet/flashpla...y_changes.html
Those bastards. Like 9.0.24 wasn't bad enough. Now everyone's uploads are gonna break...
Hey, also, have you tried multiple browsers? This guy:
http://www.nabble.com/SecurityError-...d20346542.html
seems to have had a similar, unsolved problem, but says it still works in Opera, and he doesn't believe it's to do with the crossdomain file at all.

Let me know what you find out!!!

Also, check the content-type on what's being served as the policy file, using firebug or something. See this article about newer, more strict procedures. I think the guy's actually talking about FP10, not 9.
http://www.thecosmonaut.com/2008/08/...-policy-files/

With the help of the server admin, got this fixed. It is ridiculously easy and should be presented that way by Adobe rather than a lengthy white paper that rambles on (like my post). The solution was to put a crossdomain.xml file in the SERVER's root directory. The file's structure is like my second example above (with site-control, allow-access-from, and allow-http-request-headers-from). I did change the "master-only" to "all". This opens the server up to be used by any external Flash files. We left the other crossdomain.xml file (with specific domains listed by each allow-access-from) in the CONTENT's root directory. This specifies what Flash files have access to the folder's content.

I had seen posts elsewhere where people had similar security issues, but couldn't do anything because the SERVER was not allowing them access to the DIRECTORIES that they previously had access to via the crossdomain.xml in that DIRECTORY. It took a server admin putting a second permissions file in the SERVER's root to allow access further down.

The easiest way to track this down is to run a http proxy debugging tool and watch where the swf is trying to load the crossdomain.xml from. Charles is a good one for this.

In regards to the documentation, it's in the flash help. See "Allowing cross-domain data loading" and "About custom policy file locations".

"Policy files must be named crossdomain.xml, and can reside either at the root directory or in another directory on the server that is serving the data with some additional ActionScript (see About custom policy file locations)."

Ben-

I am guessing the Flash Help info you quoted is either from CS3 or Player 9. Just having the crossdomain.xml file in, as the quote says "the root directory or in another directory on the server that is serving the data...", is no longer true. It MUST reside in the root directory of the entire server, not just the content directory. This is what made this whole process annoying. I had the data set up according to what you have quoted and it was working fine with Player 9. As soon as people loaded 10, the information from the Help File documentation was not relevant - Adobe had made changes with 10.

That has been in the documentation since the flash 7 player allowed cross domain policy files to be loaded. It's in the CS3 help under AS2 documentation and in the Flash 8 help, I'd check 2004 but I uninstalled it a while back.

Originally it had to be in the root of the directory till they added loadPolicyFile(). You can still have it in custom locations, I've got a flash piece now running in 10.0.12.36 working with a custom location policy file to get around some proxy domain loading required for a site where page A, sits under Doman A, but Page B on Domain B loads Page A under the context of Domain B. As well as other client work requiring crossdomain files in custom locations. We had to update them, but all works well.

The changes to the player are not necessarily about where you put the file, but about how the file is constructed. Make sure it meets all the standards and you should be able to place it where you need to and load it via loadPolicyFile().

I would suggest making sure your file is not malformed (and it looks like it is not, although it might be rejected for the DocType since it's macromedia.com) then find out what mime type the server is returning the crossdomain file as. If it is not returning the xml file as "text/*" (any type of text), "application/xml", or "application/xhtml+xml" then due to the new strict settings you will get a Error #2048.

If you download Fiddler or Charles you can see every web request coming in and out of the flash player. Look at the raw request to the crossdomain file and make sure the Content-Type is correct. You should see something like the following.

HTTP/1.1 200 OK
Content-Length: 218
Content-Type: text/xml
Last-Modified: Fri, 19 Sep 2008 22:05:40 GMT
Accept-Ranges: bytes
ETag: "0123adaa31ac91:e3f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 25 Nov 2008 23:34:05 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.subdomain.domain.com" />
<allow-access-from domain="myintranet" />
</cross-domain-policy>

Policy file we are using on this site is nothing special, I changed the names.

Your not doing anything special that requires you to add the headers tag in, although I guess it doesn't hurt. If you were dealing with SOAP or with a server side language you'd need the headers.


Edit: Your xml will not validate by the way, you need to change the dtd url to adobe.com.
An exception occurred! Type:NetAccessorException, Message:Could not open file: http://www.macromedia.com/xml/dtds/c...ain-policy.dtd[xml]

To followup on this as I realized the swf I was looking at was AS2 based running in FP 10 and had forgotten how we initially set it up for AS3.

For AS3 to be able to load a custom policy file from a location other than the root of the server requires that there is a policy file at the root of the server defining what type of cross domain policy files it will allow. It does not need to define what url's are allowed here, you can do that in your custom policy file location to restrict certain directories on the server differently.

Example:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
</cross-domain-policy>

The reason for this is the first thing the flash player is going to do is look for this cross domain file to find out what the server allows. After that, assuming the permitted-cross-domain-policies gives you access, then you can load custom locations if needed. Diagram here (http://www.adobe.com/devnet/articles.../popup_01.html)

permitted-cross-domain-policies options : (http://www.adobe.com/devnet/articles...l#site-control)

Once your server administrator has setup what they are going to allow in regards to cross domain policy file (permitted-cross-domain-policies) that will determine what you can do. The location of your custom policy file is going to be for that directory and all it's sub directories. You can not load files from a parent directory unless a policy file exists there also.


Example you say? Sure!
If you would like, you can build a little application that loads the following xml file off my site if you'd like:

Custom Policy File: http://www.benschmidtke.com/download...rossdomain.xml
Remote XML File: http://www.benschmidtke.com/download...latestnews.xml


CrossDomain.xml at the root of the domain defining types of policy files allowed:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
</cross-domain-policy>

CrossDomain.XML file at a specified location on the server defining domain access for this directory and sub-directories:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

And then in AS3:
Security.loadPolicyFile("http://www.benschmidtke.com/downloads/images/crossdomain.xml");


Here is an example of a swf sitting on some domain loading a custom policy file, a rss xml file and a image from a remote domain.


# Result Protocol Host URL Body Caching Content-Type Process User-defined
0 401 HTTP fakedomain.com /digital/crossdomainas3/crossdomaintest.html 1,656 text/html iexplore:1640
1 401 HTTP fakedomain.com /digital/crossdomainas3/crossdomaintest.html 1,539 text/html iexplore:1640
2 200 HTTP fakedomain.com /digital/crossdomainas3/crossdomaintest.html 2,065 text/html iexplore:1640
3 200 HTTP fakedomain.com /digital/crossdomainas3/AC_RunActiveContent.js 8,321 application/x-javascript iexplore:1640
4 200 HTTP fakedomain.com /digital/crossdomainas3/CrossDomainTest.swf 23,108 application/x-shockwave-flash iexplore:1640
5 200 HTTP www.benschmidtke.com /downloads/crossdomain_example/crossdomain.xml 200 text/xml iexplore:1640
6 200 HTTP www.benschmidtke.com /crossdomain.xml 222 text/xml iexplore:1640
7 200 HTTP www.benschmidtke.com /downloads/crossdomain_example/latestnews.xml 15,638 text/xml iexplore:1640
8 200 HTTP www.benschmidtke.com /downloads/crossdomain_example/calming_baby.jpg 39,370 image/jpeg iexplore:1640

http://www.benschmidtke.com/download...le/example.jpg

For the sake of clarity, the crossdomain file and/or meta file does not reside at the absolute server root. It resides at the public web root for that domain. i.e. at /home/username/public_html on a default CentOS box for example.
In other words, at www.mydomain.com/crossdomain.xml ...this should never be a problem if you have control over the domain. You don't need control over the whole server.

Hi
I got the same problem as mentioned above but the solution you gave (or should I say : what I understood of your solution) didn't solve it.

I have a Flash application (as2) that run on a server at :
http://ns204979.ovh.net/~configur/ (that is the "real" adress of the serveur)

And I have a domain associated to this serveur : www.configurateur-arc.com
As far as I understood, this association has been made by an "alias" on the server (or something like that) so that the calls to amfphp services from this adress needed a crossdomain.xml file.

As I don't have access to the server root folder (http://ns204979.ovh.net)
I had to put the crossdomain.xml in the www content folder and use the instruction :
System.security.loadPolicyFile("http://ns204979.ovh.net/~configur/crossdomain.xml");


It works well with player 9 but fail with player 10

The crossdomain.xml content is :

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

And the access to the file seams right :
the server response shows no error and the content-type seam to be ok :

Date Tue, 23 Dec 2008 23:30:27 GMT
Server Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8g
Last-Modified Wed, 17 Dec 2008 13:30:38 GMT
Etag "34e040c-d1-14df3b80"
Accept-Ranges bytes
Vary Accept-Encoding,User-Agent
Content-Encoding gzip
Content-Length 156
Keep-Alive timeout=15, max=97
Connection Keep-Alive
Content-Type application/xml

So ?
Did I miss something in your explanations ?
Do any thing cause the xml to be malformed ?
Or is my case different from yours ?

Any idea welcome

Thanks

Remaye

I am not sure you guys have been reading this article, since it covers Flash 10.

http://www.adobe.com/devnet/flashpla..._security.html

Thanks for your answer.
In fact, I already "tried" to read this article, but it covers to many points I don't realy understand and it didn't help me to figure out what is wrong in my crossdomain.xml.
I mean, it's not lazzyness; it's just that the crossdomain issue became to complicated with flash player 10 and I reached my limits !
But the problem is still here and I just hoped somebody could tell me where it was wrong and how to fix it ... ?
Ok, guys, maybe the solution is not so simple ...
Thanks anyway.
Remaye

hi buddy,

i have the same problem.. i couln't fix it. could you pls help me??

i have the content in the path mentioned below

http://www.abc.com/xx/xx/xx/xx/ideaGraph.xml

i have placed the cross domain in

http://www.abc.com/xx/crossdomain.xml

xml content:

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*.abc.com"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

scritp used to load:

System.security.loadPolicyFile("http://www.abc.com/xx/crossdomain.xml");

var xmlpath = "http://www.abc.com/xx/xx/xx/xx/ideaGraph.xml";


please help me to sort this.. i am in a great trouble :-(

I am trying to pull information from http://www.ecb.int/stats/eurofxref/eurofxref-daily.xml to get currency rates. It is becoming very frustrating after reading through all of Adobes flash player 10 security documentations. Do I need a policy file on my server as well as gather a policy file from the site I am pulling data from, or does it just need to read my policy file on my server?