Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-15 Thread John McCormack

Instead of: Policy file 2 is here: 
http://stage.example.com/game/crossdomain.xml:
Try: Policy file 2 here: http://stage.example.com/crossdomain.xml:
and specify /game/ as an okay directory.

John




Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-15 Thread Henrik Andersson

Steven Loe wrote:

I could load everything over https but it's ~7mb of swf and audio. It's going 
to be slower over https.



I do not believe that it will be too noticeable. The transfer is done 
with a symmetric encryption, it is very rare that those change the data 
size at all (excluding some padding at the end).

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders


Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-14 Thread Steven Loe
I'm still getting a security sandbox error when the swf tries to get data via 
https.   What am I doing wrong here? 

The swf is loaded via http at http://stage.example.com/media/swf/game.swf
The credit card data is Loaded/sent via https at 
https://stage.example.com/game/direct_payment
Policy File 1 is here: http://stage.example.com/crossdomain.xml
Policy file 2 is here: http://stage.example.com/game/crossdomain.xml:

Policy File 1:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

Policy file 2:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<allow-access-from domain="*.example.com" secure="false"/>
</cross-domain-policy>


Here's my policyfiles.txt log
OK: Root-level SWF loaded: http://stage.example.com/media/swf/game.swf
OK: Searching for allow-access-from in policy files to authorize data loading 
from resource at https://stage.example.com/game/direct_payment by requestor 
from http://stage.example.com/media/swf/game.swf
OK: Policy file accepted: https://stage.example.com/crossdomain.xml
Error: Request for resource at https://stage.example.com/game/direct_payment by 
requestor from http://stage.example.com/media/swf/game.swf is denied due to 
lack of policy file permissions.


Thanks!

--- On Wed, 1/13/10, Glen Pike postmas...@glenpike.co.uk wrote:

 From: Glen Pike postmas...@glenpike.co.uk
 Subject: Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
 To: Flash Coders List flashcoders@chattyfig.figleaf.com
 Date: Wednesday, January 13, 2010, 7:07 PM
 Hi,
 
    I think you need to add in the
 secure=false and make sure that is the cross domain file
 served from the https connection on the server..
 
    http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html#allow-access-from-secure
 
    e.g.
 
     <allow-access-from domain="http://stage.example.com" secure="false"/>
 
  Not sure about policy file logging - managed on Linux, but
 never tried on Mac.  You need to run the Debug player
 to get it to log though.
 
     Also, if you are using https, watch out
 for www. vs non-www - the SSL certificates sometimes don't
 cover both these domain names, so you may have to ensure
 your clients always get redirected to the dubs or non-dubs
 one, point Firefox at https://www.blah and https://blah and see
 if it chucks a security exception.  If this happens,
 you could serve the swf over https and redirect requests for
 http to https with mod_rewrite in an .htaccess file.
     
     HTH
 
 Glen
 
 
   
 Steven Loe wrote:
  Okay I've gotten the server folks to allow me to serve
 my own crossdomain.xml file. How do I craft a crossdomain
 policy file that will allow the swf (served via http) to
 access data served via https within the same domain? 
  Here's my error:
  2048: Security sandbox violation: http://example.com/media/swf/game.swf 
  cannot load data
 from https://example.com/secure/game/direct_payment.
  
  I've tried this:
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE cross-domain-policy
    SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
  <cross-domain-policy>
      <allow-access-from domain="*"/>
  </cross-domain-policy>
  
  I've also tried this:
  <?xml version="1.0"?>
  <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
  <cross-domain-policy>
      <site-control permitted-cross-domain-policies="all"/>
      <allow-access-from domain="www.example.com"/>
      <allow-access-from domain="example.com"/>
      <allow-access-from domain="stage.example.com"/>
      <allow-access-from domain="www.stage.example.com"/>
      <allow-access-from domain="stage.example.com"/>
      <allow-access-from domain="http://stage.example.com"/>
      <allow-access-from domain="http://www.stage.example.com"/>
      <allow-access-from domain="https://stage.example.com"/>
      <allow-access-from domain="https://www.stage.example.com"/>
      <allow-access-from domain="http://example.com"/>
      <allow-access-from domain="http://www.example.com"/>
      <allow-access-from domain="https://example.com"/>
      <allow-access-from domain="https://www.example.com"/>
  </cross-domain-policy>
  
  
  Neither work. I've tried placing the policy file at
 root and in the /game folder. No Luck. Any ideas as to what
 I'm doing wrong here?
  
  Also, has anyone had luck getting policy file logging
 to work on osx? I've followed adobe's recipe but there seems
 to be no policyfiles.txt log file on my machine.
  
  thanks
  
  
    
 
 -- 
 Glen Pike
 01326 218440
 www.glenpike.co.uk http://www.glenpike.co.uk

Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-14 Thread Karl DeSaulniers
I think the suggestion of feeding the swf through https may be the way to go.

This may allow the new https connection since the swf is already in one.
If you think about it, anything loaded through http does not have the
security of the https and so if you load your https data into a http
container (your swf), the server may think it's not a secure connection
anymore and fire the sandbox violation.

Just a thought, nothing to back that atm.
GL

Karl



Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-14 Thread Karl DeSaulniers

One other thing. Maybe try this:
Instead of this -
<allow-access-from domain="*.example.com" secure="false"/>

this? -
<allow-access-from domain="http://*.example.com" secure="false"/>

Karl



Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-14 Thread Steven Loe
I could load everything over https but it's ~7mb of swf and audio. It's going 
to be slower over https. There must be people here that load data into flash 
over https all the time. It can't be this hard.

--- On Thu, 1/14/10, Karl DeSaulniers k...@designdrumm.com wrote:

 From: Karl DeSaulniers k...@designdrumm.com
 I think the suggestion of feeding the
 swf through https may be the way to go.
 
 Karl
 
 

[Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-13 Thread Steven Loe
Adobe's documentation on this is not crystal clear (to me anyway). Hoping that 
someone who's been down this road can point me in the right direction.

My app is hosted on a shared host (webFaction). The swfs are loaded over http. 
The user's credit card data is transmitted over https. All works fine in the 
flash IDE. However, with the app running in a browser I get:

2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot 
load data from https://example.com/secure/game/direct_payment.

WebFaction serves a global crossdomain.xml file for all its customers. I don't 
have a way to change the policy file at server root. Here's their file:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

Questions:
1. Given the server configuration, how can I get around the security sandbox 
error when I make a https call?
2. How bad (or not) is the resulting security created by the 
<allow-access-from domain="*"/>

Thanks very much


Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-13 Thread Dave Watts
> 1. Given the server configuration, how can I get around the security sandbox 
> error when I make a https call?

Load the SWF itself through HTTPS.

> 2. How bad (or not) is the resulting security created by the 
> <allow-access-from domain="*"/>

Well, it allows any Flash program to request public URLs from your
server. But of course that's really the same thing that people can do
with browsers or any other HTTP clients - load public URLs from your
server. So it's more a matter of potentially abusive resource
consumption than anything else, I think.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.


Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-13 Thread Glen Pike

Hi,

   I would suggest a workaround is to serve the swf from a secure url 
too - that would reassure browsers that their details are secure - not 
many people will check the status bar, they tend to look for the padlock 
or the address bar - if that's got an https in, then they will be happy, 
you are only stuffed if port 443 points to a different webserver, in 
which case, I would change hosting providers for something more useful.


   The cross-domain policy to serve https to http flash files needs to 
have the secure attribute set to false:


<allow-access-from domain="www.company.com" secure="false" />


   I am not sure about the ramifications of having * for the 
cross-domain - it's not the end of the world, but there are some more 
articles on the devnet if you need:


   
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_05.html


   HTH

   Glen

  



  


--

Glen Pike
01326 218440
www.glenpike.co.uk http://www.glenpike.co.uk
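
The `secure` rule discussed in this thread, as an added example (not code from any poster or from Adobe): it checks the two policy files quoted in the thread for an HTTP-loaded SWF when the policy is fetched over HTTPS, and flags entries worth a review. Function names, the subdomain-only wildcard handling and the lint wording are assumptions; only `allow-access-from` matching and the `secure` default are modelled, not policy-file location or `site-control`.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Policy files as quoted in the thread (markup restored).
POLICY_1 = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>"""

POLICY_2 = """<?xml version="1.0" encoding="utf-8"?>
<cross-domain-policy>
<allow-access-from domain="*.example.com" secure="false"/>
</cross-domain-policy>"""

POLICY_URL = "https://stage.example.com/crossdomain.xml"
SWF_HTTP = "http://stage.example.com/media/swf/game.swf"
SWF_HTTPS = "https://stage.example.com/media/swf/game.swf"


def domain_matches(pattern, host):
    """Match a policy domain value ("*", "*.example.com", exact host) to a host."""
    pattern, host = pattern.strip().lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: "*.suffix" covers subdomains only, not the bare suffix.
        return host.endswith(pattern[1:])
    return pattern == host


def evaluate(policy_xml, policy_url, requestor_url):
    """Return (allowed, reason) for a SWF loaded from requestor_url, given the
    policy document fetched from policy_url. Same-origin requests never reach
    this check; it models cross-origin (including cross-scheme) loads only."""
    policy_https = urlsplit(policy_url).scheme == "https"
    req = urlsplit(requestor_url)
    reason = "no allow-access-from entry matches the requesting host"
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), req.hostname or ""):
            continue
        # On a policy served over HTTPS, secure defaults to true: only SWFs
        # that were themselves loaded over HTTPS are granted access.
        secure = rule.get("secure", "true").strip().lower() != "false"
        if policy_https and secure and req.scheme != "https":
            reason = "matching entry is secure (default true): HTTP requestor refused"
            continue
        return True, "allowed by domain=%r" % rule.get("domain")
    return False, reason


def lint(policy_xml, policy_url):
    """List entries a reviewer should question in a policy served at policy_url."""
    findings = []
    policy_https = urlsplit(policy_url).scheme == "https"
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = rule.get("domain", "").strip()
        if domain == "*":
            findings.append("wildcard domain: a SWF from any origin may read responses")
        if policy_https and rule.get("secure", "true").strip().lower() == "false":
            findings.append(
                "secure=false on an HTTPS policy (%s): SWFs delivered over "
                "plain HTTP may read HTTPS responses" % domain)
    return findings


if __name__ == "__main__":
    for name, policy in (("Policy File 1", POLICY_1), ("Policy file 2", POLICY_2)):
        print(name, evaluate(policy, POLICY_URL, SWF_HTTP), lint(policy, POLICY_URL))
```

Policy File 1 reproduces the denial in the policyfiles.txt log: the root file is accepted over HTTPS, but its wildcard entry is secure by default and so does not cover the HTTP-loaded SWF.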



Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-13 Thread Juan Pablo Califano
I wouldn't worry about point 2).

The only real reason for crossdomains (as I understand, at least) is solving
this potential security hole:

Let's suppose you're in a LAN that has access to some intranet; or to some
servers that you have access to because you're in this LAN, but are not
accessible from the internet, anyway.

So, you can point your browser to http://www.somesite.com (internet) and
http://myprivate.intranet (LAN access only) and you will reach both. On the
other hand, outside that LAN, you could only reach somesite.com but not
myprivate.intranet.

Since flash runs client side, if there were no crossdomain policy, the swf
you downloaded from www.somesite.com would have access to
myprivate.intranet. It could read data from it and send it back to
www.somesite.com (or somewhere else).

This opens a potential security hole, especially for corporate intranets.
To prevent this, a host must grant access explicitly. With the crossdomain
files it states that it's ok for swfs downloaded from certain domains to
communicate with it.

So, the only potential problem here would be in your hosting provider's LAN,
as I see it.

Cheers
Juan Pablo Califano



-- Forwarded message --
From: Steven Loe stevenloe5...@yahoo.com
Date: 2010/1/13
Subject: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
To: Flashcoders mailing list flashcoders@chattyfig.figleaf.com


Adobe's documentation on this is not crystal clear (to me anyway). Hoping
that someone who's been down this road can point me in the right direction.

My app is hosted on a shared host (webFaction). The swfs are loaded over
http. The user's credit card data is transmitted over https. All works fine
in the flash IDE. However, with the app running in a browser I get:

2048: Security sandbox violation:
http://example.com/media/swf/game.swf cannot load data from
https://example.com/secure/game/direct_payment.

WebFaction serves a global crossdomain.xml file for all its customers. I
don't have a way to change the policy file at server root. Here's their
file:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
 SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

Questions:
1. Given the server configuration, how can I get around the security sandbox
error when I make a https call?
2. How bad (or not) is the resulting security created by the
<allow-access-from domain="*"/>?

Thanks very much


Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-13 Thread Steven Loe
Okay I've gotten the server folks to allow me to serve my own crossdomain.xml 
file. How do I craft a crossdomain policy file that will allow the swf (served 
via http) to access data served via https within the same domain? 

Here's my error:
2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot 
load data from https://example.com/secure/game/direct_payment.

I've tried this: 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

I've also tried this:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="www.example.com"/>
<allow-access-from domain="example.com"/>
<allow-access-from domain="stage.example.com"/>
<allow-access-from domain="www.stage.example.com"/>
<allow-access-from domain="stage.example.com"/>
<allow-access-from domain="http://stage.example.com"/>
<allow-access-from domain="http://www.stage.example.com"/>
<allow-access-from domain="https://stage.example.com"/>
<allow-access-from domain="https://www.stage.example.com"/>
<allow-access-from domain="http://example.com"/>
<allow-access-from domain="http://www.example.com"/>
<allow-access-from domain="https://example.com"/>
<allow-access-from domain="https://www.example.com"/>
</cross-domain-policy>


Neither works. I've tried placing the policy file at root and in the /game
folder. No luck. Any ideas as to what I'm doing wrong here?

Also, has anyone had luck getting policy file logging to work on OS X? I've
followed Adobe's recipe but there seems to be no policyfiles.txt log file on my
machine.

thanks



Re: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!

2010-01-13 Thread Glen Pike

Hi,

   I think you need to add in the secure="false" and make sure that is
the cross domain file served from the https connection on the server.


   
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html#allow-access-from-secure


   e.g.

<allow-access-from domain="http://stage.example.com" secure="false"/>

 Not sure about policy file logging - managed on Linux, but never tried on Mac. 
 You need to run the Debug player to get it to log though.

Also, if you are using https, watch out for www. vs non-www - the SSL
certificates sometimes don't cover both these domain names, so you may have to
ensure your clients always get redirected to the dubs or non-dubs one. Point
Firefox at https://www.blah and https://blah and see if it chucks a security
exception.  If this happens, you could serve the swf over https and redirect
requests for http to https with mod_rewrite in an .htaccess file.

HTH

Glen


  


Steven Loe wrote:
Okay I've gotten the server folks to allow me to serve my own crossdomain.xml file. How do I craft a crossdomain policy file that will allow the swf (served via http) to access data served via https within the same domain? 


Here's my error:
2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot 
load data from https://example.com/secure/game/direct_payment.

I've tried this: 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

I've also tried this:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="www.example.com"/>
<allow-access-from domain="example.com"/>
<allow-access-from domain="stage.example.com"/>
<allow-access-from domain="www.stage.example.com"/>
<allow-access-from domain="stage.example.com"/>
<allow-access-from domain="http://stage.example.com"/>
<allow-access-from domain="http://www.stage.example.com"/>
<allow-access-from domain="https://stage.example.com"/>
<allow-access-from domain="https://www.stage.example.com"/>
<allow-access-from domain="http://example.com"/>
<allow-access-from domain="http://www.example.com"/>
<allow-access-from domain="https://example.com"/>
<allow-access-from domain="https://www.example.com"/>
</cross-domain-policy>


Neither works. I've tried placing the policy file at root and in the /game
folder. No luck. Any ideas as to what I'm doing wrong here?

Also, has anyone had luck getting policy file logging to work on OS X? I've
followed Adobe's recipe but there seems to be no policyfiles.txt log file on my
machine.

thanks


  


--

Glen Pike
01326 218440
www.glenpike.co.uk http://www.glenpike.co.uk
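
The secure attribute rule discussed in this thread, as an added Python example (not code from any poster or from Adobe): it evaluates allow-access-from rules for a requesting SWF, assuming the domain attribute holds a bare host name or a * wildcard and that secure defaults to true in a policy file fetched over https. The function names and sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policies (XML declaration and DOCTYPE omitted for brevity).
WILDCARD_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

INSECURE_OK_POLICY = """<cross-domain-policy>
  <allow-access-from domain="stage.example.com" secure="false"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Match a bare host against "*", "*.suffix" or an exact name (assumed rules)."""
    pattern, host = pattern.strip().lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def is_allowed(policy_xml, policy_url, requestor_url):
    """Return True if a rule in the policy grants access to the requesting SWF."""
    policy_is_https = urlsplit(policy_url).scheme == "https"
    requestor = urlsplit(requestor_url)
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), requestor.hostname or ""):
            continue
        # secure defaults to true and only matters in a policy fetched over
        # https: such a rule then covers https-loaded requestors only.
        secure = rule.get("secure", "true").strip().lower() != "false"
        if policy_is_https and secure and requestor.scheme != "https":
            continue
        return True
    return False


if __name__ == "__main__":
    policy_url = "https://stage.example.com/crossdomain.xml"
    swf_http = "http://stage.example.com/media/swf/game.swf"
    swf_https = "https://stage.example.com/media/swf/game.swf"
    policies = (("wildcard", WILDCARD_POLICY), ("secure=false", INSECURE_OK_POLICY))
    for name, policy in policies:
        for swf in (swf_http, swf_https):
            print(name, swf, is_allowed(policy, policy_url, swf))
```

With secure="false", any http-loaded SWF from the listed domain can read the https responses, so the rule is best scoped to the exact host. Serving the SWF over https, as suggested above, avoids needing it.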
