mr.nothing

Reputation: 5399

flash: crossdomain.xml is ignored

I have some, say, weird situation... Here is what it is:

Flash application which records audio on one server and uploads it to another server. So, as you likely guessed, I faced those security sandbox violation exceptions/errors, and it seems I have to add crossdomain.xml to the root of the server. OK, did it, but it seems it didn't get downloaded or the download process is interrupted, so I keep getting these errors.

Could somebody point me to my mistakes, please? I really don't get what I am doing wrong.

Here is the error I get while trying to upload audio:

Error #2044: Unhandled securityError:. text=Error #2170: Security sandbox 
violation: https://ip1/bar/foo cannot send HTTP headers to https://ip2/foo/bar

Here is the content of my crossdomain.xml (test version):

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*" to-ports="*" />
    <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

P.S. And, yes, crossdomain.xml is accessible via the https://ip2/crossdomain.xml address.

ADDITIONAL INFO

I enabled Flash logs and was surprised to learn that Flash is unable to get crossdomain.xml, though it is accessible via the browser (with the caveat that it is https and it states that there is a certificate issue, or something like that).

Warning: Failed to load policy file from https://192.168.22.103/crossdomain.xml  

ADDITIONAL INFO PART 2

Here is the warning I get in the browser when I try to access crossdomain.xml manually:

Here the request to download crossdomain.xml ends up with HTTP status code = 0:

Upvotes: 3

Views: 4237

Answers (4)

Koshmaar

Reputation: 166

I had a similar problem; the .swf on localhost was connecting with a REST API over https on a remote server, which had a crossdomain file, but it was throwing 2170. For me the solution was to serve the localhost .html file containing the .swf also on https - that made the problem go away.

Upvotes: 0

mr.nothing

Reputation: 5399

Finally, I found out what the problem was. As I developed this application for Internet Explorer, there were some tricky things to make it work. As you can see in this picture, there is a "The security certificate presented by this website was issued for a different website's address" warning. The thing is that Internet Explorer ALWAYS warns users about this by default, and this is the problem which prevents Flash Player from downloading the Flash policy file (crossdomain.xml). To override this behaviour you just need to:

  1. Go to the Internet Explorer settings: Click cogwheel icon -> Internet options
  2. Go to advanced tab
  3. Scroll down to the end of the settings list and uncheck "Warn about certificate address mismatch".
  4. IMPORTANT: Kill all instances of IE (if any, check in the Task Manager).
  5. After these steps flash shouldn't have problems with fetching crossdomain.xml.

Really hope that this will help other flex developers avoid such type of issues. Cheers!

Upvotes: 1
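The name mismatch described in the answer above can also be checked from the certificate itself. This is an added example, not part of the original answers: it tests whether a certificate's subjectAltName covers the address used to fetch crossdomain.xml. The certificate dicts and the `example.test` names are constructed assumptions; only the IP address comes from the question's log.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "media.example.test"),
                       ("DNS", "*.upload.example.test")),
}
REISSUED_CERT = {
    "subjectAltName": (("DNS", "media.example.test"),
                       ("IP Address", "192.168.22.103")),
}

def _dns_match(pattern, host):
    """Match one DNS entry; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, address):
    """True if the certificate's subjectAltName covers `address`."""
    try:
        wanted_ip = ipaddress.ip_address(address)
    except ValueError:
        wanted_ip = None  # not an IP literal, treat as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            # An IP literal is matched only by an 'IP Address' entry,
            # never by a DNS name that happens to resolve to it.
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and _dns_match(value, address):
            return True
    return False

def usable_addresses(cert, candidates):
    """Addresses that can serve /crossdomain.xml without a name mismatch."""
    return [a for a in candidates if cert_covers(cert, a)]

if __name__ == "__main__":
    hosts = ["192.168.22.103", "media.example.test", "a.upload.example.test"]
    print("current cert :", usable_addresses(SAMPLE_CERT, hosts))
    print("reissued cert:", usable_addresses(REISSUED_CERT, hosts))
```

With the first sample, the bare IP address is not covered, which is the condition that produces the certificate warning; requesting the policy file by a covered name, or reissuing the certificate with an IP entry, removes the mismatch without changing browser settings.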

Krasimir

Reputation: 13529

I had a similar problem. It was a little bit different because I had sockets involved, but I found that there are some changes in how the Flash Player uses policy files. You may find this helpful: http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html At least it helped me, and I wrote this article, which is like a conclusion of my case.

Take a look at this paragraph:

Adobe has filed with IANA, the Internet Assigned Numbers Authority, to reserve port 843 for the purposes of serving socket policy files. By introducing a centralized location for socket policy files, Flash Player enables a system administrator to define what ports are available through one master policy that overrides any other policy file on the host. If Flash Player 9,0,124,0 cannot retrieve a master policy file from port 843, then it requests a socket policy file on the port where it is trying to connect. However, if a policy file is available from a service on TCP port 843, then Flash Player considers that to be the authoritative set of permissions for that system.

In my project I just serve the crossdomain.xml file in a specific port.

Upvotes: 0

CodeMonkey

Reputation: 174

Have you tried Security.allowDomain()?

Upvotes: 0
