Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
Instead of:

    Policy file 2 is here: http://stage.example.com/game/crossdomain.xml:

Try:

    Policy file 2 here: http://stage.example.com/crossdomain.xml:

and specify /game/ as an okay directory.

John
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
Steven Loe wrote:
> I could load everything over https but it's ~7mb of swf and audio. It's going to be slower over https.

I do not believe that it will be too noticeable. The transfer is done with a symmetric encryption, it is very rare that those change the data size at all (excluding some padding at the end).

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
I'm still getting a security sandbox error when the swf tries to get data via https. What am I doing wrong here?

The swf is loaded via http at http://stage.example.com/media/swf/game.swf
The credit card data is Loaded/sent via https at https://stage.example.com/game/direct_payment

Policy File 1 is here: http://stage.example.com/crossdomain.xml
Policy file 2 is here: http://stage.example.com/game/crossdomain.xml:

Policy File 1:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
    <cross-domain-policy>
        <site-control permitted-cross-domain-policies="all"/>
        <allow-access-from domain="*"/>
    </cross-domain-policy>

Policy file 2:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
    <cross-domain-policy>
        <allow-access-from domain="*.example.com" secure="false"/>
    </cross-domain-policy>

Here's my policyfiles.txt log

    OK: Root-level SWF loaded: http://stage.example.com/media/swf/game.swf
    OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://stage.example.com/game/direct_payment by requestor from http://stage.example.com/media/swf/game.swf
    OK: Policy file accepted: https://stage.example.com/crossdomain.xml
    Error: Request for resource at https://stage.example.com/game/direct_payment by requestor from http://stage.example.com/media/swf/game.swf is denied due to lack of policy file permissions.

Thanks!
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
I think the suggestion of feeding the swf through https may be the way to go. This may allow the new https connection since the swf is already in one. If you think about it, anything loaded through http does not have the security of the https and so if you load your https data into a http container (your swf), the server may think it's not a secure connection anymore and fire the sandbox violation. Just a thought, nothing to back that atm.

GL

Karl
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
One other thing. Maybe try this:

Instead of this -

    <allow-access-from domain="*.example.com" secure="false"/>

this? -

    <allow-access-from domain="http://*.example.com" secure="false"/>

Karl
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
I could load everything over https but it's ~7mb of swf and audio. It's going to be slower over https. There must be people here that load data into flash over https all the time. It can't be this hard.

--- On Thu, 1/14/10, Karl DeSaulniers k...@designdrumm.com wrote:

> I think the suggestion of feeding the swf through https may be the way to go.
>
> Karl
[Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
Adobe's documentation on this is not crystal clear (to me anyway). Hoping that someone who's been down this road can point me in the right direction.

My app is hosted on a shared host (webFaction). The swfs are loaded over http. The user's credit card data is transmitted over https. All works fine in the flash IDE. However, with the app running in a browser I get:

    2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot load data from https://example.com/secure/game/direct_payment.

WebFaction serves a global crossdomain.xml file for all its customers. I don't have a way to change the policy file at server root. Here's their file:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
    <cross-domain-policy>
        <allow-access-from domain="*"/>
    </cross-domain-policy>

Questions:

1. Given the server configuration, how can I get around the security sandbox error when I make a https call?
2. How bad (or not) is the resulting security created by the <allow-access-from domain="*"/>

Thanks very much
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
> 1. Given the server configuration, how can I get around the security sandbox error when I make a https call?

Load the SWF itself through HTTPS.

> 2. How bad (or not) is the resulting security created by the <allow-access-from domain="*"/>

Well, it allows any Flash program to request public URLs from your server. But of course that's really the same thing that people can do with browsers or any other HTTP clients - load public URLs from your server. So it's more a matter of potentially abusive resource consumption than anything else, I think.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
Hi,

I would suggest a workaround is to serve the swf from a secure url too - that would reassure browsers that their details are secure - not many people will check the status bar, they tend to look for the padlock or the address bar - if that's got an https in, then they will be happy, you are only stuffed if port 443 points to a different webserver, in which case, I would change hosting providers for something more useful.

The cross-domain policy to serve https to http flash files needs to have the secure attribute set to false:

    <allow-access-from domain="www.company.com" secure="false" />

I am not sure about the ramifications of having * for the cross-domain - it's not the end of the world, but there are some more articles on the devnet if you need:

http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_05.html

HTH

Glen

--
Glen Pike
01326 218440
www.glenpike.co.uk
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
I wouldn't worry about point 2). The only real reason for crossdomains (as I understand, at least) is solving this potential security hole:

Let's suppose you're in a LAN that has access to some intranet; or to some servers that you have access to because you're in this LAN, but are not accessible from the internet, anyway. So, you can point your browser to http://www.somesite.com (internet) and http://myprivate.intranet (LAN access only) and you will reach both. On the other hand, outside that LAN, you could only reach somesite.com but not myprivate.intranet.

Since flash runs client side, if there were no crossdomain policy, the swf you downloaded from www.somesite.com would have access to myprivate.intranet. It could read data from it and send it back to www.somesite.com (or somewhere else). This opens a potential security hole, especially for corporate intranets.

To prevent this, a host must grant access explicitly. With the crossdomain files it states that it's ok for swfs downloaded from certain domains to communicate with it.

So, the only potential problem here would be in your hosting provider's LAN, as I see it.

Cheers
Juan Pablo Califano
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
Okay I've gotten the server folks to allow me to serve my own crossdomain.xml file. How do I craft a crossdomain policy file that will allow the swf (served via http) to access data served via https within the same domain?

Here's my error:

    2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot load data from https://example.com/secure/game/direct_payment.

I've tried this:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
    <cross-domain-policy>
        <allow-access-from domain="*"/>
    </cross-domain-policy>

I've also tried this:

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <site-control permitted-cross-domain-policies="all"/>
        <allow-access-from domain="www.example.com"/>
        <allow-access-from domain="example.com"/>
        <allow-access-from domain="stage.example.com"/>
        <allow-access-from domain="www.stage.example.com"/>
        <allow-access-from domain="stage.example.com"/>
        <allow-access-from domain="http://stage.example.com"/>
        <allow-access-from domain="http://www.stage.example.com"/>
        <allow-access-from domain="https://stage.example.com"/>
        <allow-access-from domain="https://www.stage.example.com"/>
        <allow-access-from domain="http://example.com"/>
        <allow-access-from domain="http://www.example.com"/>
        <allow-access-from domain="https://example.com"/>
        <allow-access-from domain="https://www.example.com"/>
    </cross-domain-policy>

Neither work. I've tried placing the policy file at root and in the /game folder. No Luck. Any ideas as to what I'm doing wrong here?

Also, has anyone had luck getting policy file logging to work on osx? I've followed adobe's recipe but there seems to be no policyfiles.txt log file on my machine.

thanks
Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
Hi,

I think you need to add in the secure=false and make sure that is the cross domain file served from the https connection on the server.

http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html#allow-access-from-secure

e.g.

<allow-access-from domain="http://stage.example.com" secure="false"/>

Not sure about policy file logging - managed on Linux, but never tried on Mac. You need to run the Debug player to get it to log though.

Also, if you are using https, watch out for www. vs non-www - the SSL certificates sometimes don't cover both these domain names, so you may have to ensure your clients always get redirected to the dubs or non-dubs one. Point Firefox at https://www.blah and https://blah and see if it chucks a security exception. If this happens, you could serve the swf over https and redirect requests for http to https with mod_rewrite in an .htaccess file.

HTH

Glen

Steven Loe wrote:
> Okay I've gotten the server folks to allow me to serve my own crossdomain.xml file. How do I craft a crossdomain policy file that will allow the swf (served via http) to access data served via https within the same domain?
>
> Here's my error:
>
> 2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot load data from https://example.com/secure/game/direct_payment.
>
> I've tried this:
>
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
> <cross-domain-policy>
>   <allow-access-from domain="*"/>
> </cross-domain-policy>
>
> I've also tried this:
>
> <?xml version="1.0"?>
> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
> <cross-domain-policy>
>   <site-control permitted-cross-domain-policies="all"/>
>   <allow-access-from domain="www.example.com"/>
>   <allow-access-from domain="example.com"/>
>   <allow-access-from domain="stage.example.com"/>
>   <allow-access-from domain="www.stage.example.com"/>
>   <allow-access-from domain="stage.example.com"/>
>   <allow-access-from domain="http://stage.example.com"/>
>   <allow-access-from domain="http://www.stage.example.com"/>
>   <allow-access-from domain="https://stage.example.com"/>
>   <allow-access-from domain="https://www.stage.example.com"/>
>   <allow-access-from domain="http://example.com"/>
>   <allow-access-from domain="http://www.example.com"/>
>   <allow-access-from domain="https://example.com"/>
>   <allow-access-from domain="https://www.example.com"/>
> </cross-domain-policy>
>
> Neither work. I've tried placing the policy file at root and in the /game folder. No Luck. Any ideas as to what I'm doing wrong here?
>
> Also, has anyone had luck getting policy file logging to work on osx? I've followed adobe's recipe but there seems to be no policyfiles.txt log file on my machine.
>
> thanks

--
Glen Pike
01326 218440
http://www.glenpike.co.uk
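Added example (not from the thread or from Adobe): a simplified Python model of how an allow-access-from rule is evaluated, showing why an HTTP-loaded SWF is denied by a policy fetched over HTTPS unless secure="false" is present, and flagging the two settings the thread asks about (domain="*" and secure="false"). The function names and sample policies are constructed for illustration; ports and meta-policy (site-control) handling are left out.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def domain_matches(pattern, host):
    """Match a policy 'domain' value: exact host, '*', or a leading '*.' wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def evaluate(policy_xml, policy_url, requestor_url):
    """Return (allowed, findings) for one requestor SWF against one policy file."""
    root = ET.fromstring(policy_xml.strip())
    policy_https = urlsplit(policy_url).scheme == "https"
    req = urlsplit(requestor_url)
    allowed, findings = False, []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        # 'secure' only applies to HTTPS policies, where it defaults to true.
        secure = policy_https and rule.get("secure", "true").lower() != "false"
        if domain == "*":
            findings.append("wildcard domain: a SWF from any site may read responses")
        if policy_https and not secure:
            findings.append(f'secure="false" on {domain}: HTTP-loaded SWFs may read HTTPS data')
        if domain_matches(domain, req.hostname or "") and (req.scheme == "https" or not secure):
            allowed = True
    return allowed, findings

# Constructed samples modelled on the policies quoted in the thread.
POLICY_DEFAULT = """
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""
POLICY_RELAXED = """
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="false"/>
</cross-domain-policy>"""
POLICY_URL = "https://stage.example.com/crossdomain.xml"
HTTP_SWF = "http://stage.example.com/media/swf/game.swf"
HTTPS_SWF = "https://stage.example.com/media/swf/game.swf"

if __name__ == "__main__":
    for name, policy in (("default", POLICY_DEFAULT), ("relaxed", POLICY_RELAXED)):
        for swf in (HTTP_SWF, HTTPS_SWF):
            print(name, swf, evaluate(policy, POLICY_URL, swf))
```

Serving the SWF over HTTPS is the only combination here that is allowed without producing a secure="false" finding.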