Dawn, I can't tell if you (or others) saw my original note in reply to your question, offered Thursday when you sent the note. My first point was, "You should confirm first that that file is indeed being requested on the server." I also indicated how to check that, and made the similar suggestion to Doug that a client proxy tool could have helped if it wasn't obvious just from your attempting a browser request for the file (which was another suggestion I'd made).
I'm just saying all this as much to make sure that others realize that this challenge with the crossdomain.xml files isn't quite that unique. It's not what most tend to think of first, but it's always worth ruling out first. :-) /charlie From: [email protected] [mailto:[email protected]] On Behalf Of Dawn Hoagland Sent: Friday, March 26, 2010 6:17 PM To: [email protected] Subject: Re: [ACFUG Discuss] Flex, Flash Security and crossdomain.xml Just thought I'd update. After lots of digging - and tracing Flash player debug info - it turns out it's a completely different issue (after a fashion). The SWF is loading correctly, but the URL to "https://dev.company1.org/flex2gateway/'" isn't visible externally. So, indeed it couldn't load the gateway config. There was still a sandbox violation occurring because the REMOTE was trying to go to a different server - and that had to be resolved before the true issue hit me on the head - but part of the reason I couldn't get it to work is that both issues threw the exact same error message in the Flash player. It wasn't until I traced it that I noticed something was slightly different with the crossdomain.xml properly set. This opens a completely different can of worms concerning what's wrong, how to fix it and implications of how some of these apps are/will be deployed. For future reference, if you include "allow-http-request-headers-from" in your crossdomain.xml file, you need to use domain names. If you remove that property (just setting the "allow-access-from"), setting domain="*" works and gives you a good start for troubleshooting..... Thanks for pointing me in the right direction! Dawn On Thu, Mar 25, 2010 at 3:21 PM, Dawn Hoagland <[email protected]> wrote: I absolutely agree with all of you. We'll get it locked up tight - once we get it working. I don't have direct access to the server so I'm working with several people resolving the issue. I'll post back once we get it fixed with the resolution (it may help someone else having the same issue). Thanks again! Dawn On Thu, Mar 25, 2010 at 2:18 PM, Douglas Knudsen <[email protected]> wrote: couldn't agree more with Dean here, lock that thing up. http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html This is a good ref on the topic. Also, I'd get Service Capture and verify that your SWF is indeed loading the proper crossdomain.xml file as well as other traffic. Douglas Knudsen [email protected] On Mar 25, 2010, at 11:41 AM, Dean H. Saxe wrote: FYI, opening up the cross domain policy to all sites is doubleplusungood. (Sorry for the 1984 reference!) Lock it down to the specific sites which need cross domain access, no more. -dhs -- Dean H. Saxe "A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon On Thu, Mar 25, 2010 at 7:39 AM, Robert Lash <[email protected]> wrote: Have you tested this with one domain or a static domain address? You might want to try that first to isolate the issues. I actually never got a crossdomain policy to work with the "*" all settings but was successful with static domain names. Robert Lash On Wed, Mar 24, 2010 at 4:05 PM, Dawn Hoagland <[email protected]> wrote: Background: We are running ColdFusion8 in a multi-server configuration under IIS. We have an application where we are attempting to allow our customer access through a proxy server. The domain of our internal server (for discussion sake) is dev.company1.org. The domain they are coming from is test.company2.com. We receive the following error: Channel.Security.Error error Error #2048: Security sandbox violation: https://test.company2.com/system/app/bin/index.swf cannot load data from https://dev.company1.org/flex2gateway/. url: 'https://dev.company1.org/flex2gateway/' All of my searches point to needing to add a crossdomain.xml policy file. I've created one (see below) that should allow any connection and placed it at the web root. Am I missing something completely? ----- begin crossdomain.xml ----- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd";> <cross-domain-policy> <allow-access-from domain="*" secure="false" /> <allow-http-request-headers-from domain="*" headers="*" secure="false" /> </cross-domain-policy> ---- end crossdomain.xml --- Thanks! Dawn ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com ------------------------------------------------------------- ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
