Hello and welcome back to my blog!
This time I wanted to talk about the dreaded Security sandbox violation error which Flash will sometimes throw at you when you’re working with external websites, or sockets, or file access across local/web.
What is a security sandbox violation?
Flash applications run inside a security sandbox which prevents them from accessing data they shouldn’t be. For example if your application is web-based, it will be forbidden from accessing files on a user’s local hard drive. If the application is not web-based then it will be forbidden from accessing the web. You can read more about these two types here.
When an application attempts to access data outside of its sandbox, you will see an error which looks similar to this:
********* Security Sandbox Violation ***** Connection to <requested data location> halted - not permitted from <location of swf>
This can happen in a number of different cases:
The application sandbox is set incorrectly
This can happen when the sandbox is configured to be used one way, but is being used in another way by mistake. You can change this setting:
In Flash IDE by going to File->Publish Settings->Flash->Local playback security and choosing either ‘Access local files only’ or ‘Access network only’.
In FlashDevelop by right clicking on your project->Properties->Compiler Options->Use network services
In Amethyst by right clicking on the project in the solution explorer->Properties->Compiler->Use network
You are accessing a web-service across domains
If your application is web-based and is accessing a web-service of some kind on a different domain to the one the .swf file is hosted on you can get a sandbox violation if the domain you are accessing does not have a valid cross domain policy in place.
The root of the domain you are accessing must have a valid crossdomain.xml file.
Here is an example crossdomain.xml:
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> <site-control permitted-cross-domain-policies="master-only"/> </cross-domain-policy>
Read more on the specification of this file here
You are accessing a web-service from your local machine during development
Because of the two different sandbox modes, when developing an application which accesses a web-service but debugging or running locally you will cause this exception to fire. In order to get around this you will need to tell Flash that you give permission for this to happen.
By going to this web address you can configure this:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04a.html
Flash security settings for developers
Click ‘Add location‘ and then chose the location of your .swf file. Be aware that you need to close the web-page before these settings will take effect!
You are communicating with a server through a socket
If you are communicating with a server via a socket, the server must correctly respond to requests for a policy file. Having a crossdomain.xml file in the root of the domain is insufficient for this purpose.
The flash client will send a request to the server which looks like this:
<policy-file-request/>
It will do this first on port 843 and then on the port you chose to connect with the server. You can read more about socket policy files here.
The server must respond with a valid policy file which must be terminated with a \0 null character.
Here is how I store the required response as a string in c#:
public const string kFlashPolicy = "<cross-domain-policy>\r\n" + "\t<allow-access-from domain=\"*\" to-ports=\"{0}\" />\r\n" + "</cross-domain-policy>\r\n\0";
You can then insert the correct port into that string and get the data as bytes like this:
string response = String.Format(kFlashPolicy, port.ToString()); byte[] responseBytes = Encoding.UTF8.GetBytes(response);
Additionally, although the crossdomain.xml file is insufficient on its own to solve this problem, I have found that to ensure good connection on lots of different browsers it’s necessary to call:
Security.loadPolicyFile("http:// <server address> / crossdomain.xml");
Before calling socket.connect() on the client.
Hope these help you in fixing your sandbox violations!
Until next time, have fun!
Cheers, Paul.