This drives me crazy... I am trying to build a YouTube player with Flash, and every time I load a video there is a runtime security sandbox error. I already put crossdomain.xml in my root server http://mysite.com but I am still getting the errors. Am I missing something? Do I have to load it into my Flex project? Thanks for the reply...
My crossdomain.xml
<!-- <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com"/>
<allow-access-from domain="s.ytimg.com"/>
</cross-domain-policy>
-->
Edit: 20100811T0723; this is the actual XML from http://popslinger.org/crossdomain.xml
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
I get a lot of errors too, but they generally seem to be on YouTube's side.
Here's an example:
*** Security Sandbox Violation ***
SecurityDomain 'http://www.youtube.com/apiplayer?version=3' tried to access
incompatible context 'http://s.ytimg.com/yt/swf/apiplayer3-vfl181412.swf'
As you can see, these are both YouTube domains.
So I had a look at YouTube's own crossdomain policy files. It turns out that those files need to be updated. Read the following: http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes_02.html#head1
Here is the policy file from s.ytimg.com
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
which throws the following warning
Warning: Domain s.ytimg.com does not specify a meta-policy. Applying default meta-policy 'master-only'. This configuration is deprecated. See http://www.adobe.com/go/strict_policy_files to fix this problem.
and here's what it should look like
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
</cross-domain-policy>
Here's another warning:
Warning: Domain video-stats.video.google.com does not explicitly specify a meta-policy, but Content-Type of policy file http://video-stats.video.google.com/crossdomain.xml is 'text/x-cross-domain-policy'. Applying meta-policy 'by-content-type'.
It looks like YouTube should look into this; all these warnings and security error messages are pretty annoying.
Practically speaking, have a look at the errors: if your domain name doesn't appear anywhere, your crossdomain file is working fine.
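As an added example (not part of the answer above, and not code from Adobe or YouTube), this Python check applies the meta-policy decisions described in the two quoted warnings to a master policy file, and also flags a wildcard `allow-access-from`. The function name `audit_policy` and both sample strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the two policy files quoted in the answer.
LEGACY_POLICY = """<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""

EXPLICIT_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
</cross-domain-policy>"""


def audit_policy(xml_text, content_type=None):
    """Return (effective_meta_policy, findings) for a master crossdomain.xml.

    audit_policy is a hypothetical helper; it follows the behaviour stated in
    the quoted Flash Player warnings, not any vendor implementation.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not <cross-domain-policy>")

    findings = []
    site_control = root.find("site-control")
    declared = None
    if site_control is not None:
        declared = site_control.get("permitted-cross-domain-policies")

    media_type = (content_type or "").split(";")[0].strip().lower()
    if declared:
        meta = declared  # explicit meta-policy, no warning
    elif media_type == "text/x-cross-domain-policy":
        meta = "by-content-type"
        findings.append("no explicit meta-policy; implied by Content-Type")
    else:
        meta = "master-only"
        findings.append("no meta-policy; default 'master-only' applied (deprecated)")

    # A wildcard rule lets SWFs from any domain read responses from this host.
    for rule in root.findall("allow-access-from"):
        if rule.get("domain", "") == "*":
            findings.append('allow-access-from domain="*" admits every origin')
    return meta, findings
```

Run it against the body and `Content-Type` header your own server returns for `/crossdomain.xml`; an empty findings list means the file declares its meta-policy and has no wildcard rule.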