Node.js – How to fix this (probably) cross domain policy error using Flash, Socket.IO and NodeJS

actionscript-3cross-domainnode.jssocket.io

Error #2044: Unhandled SecurityErrorEvent:. text=Error #2048: Security sandbox violation: http://kipos.bluecodestudio.com/holdthebomb/HoldTheBombWeb.swf cannot load data from http://23.29.126.76:8000/socket.io/1/?t=1356891827452.
    at io::Socket/doHandshake()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/Socket.as:139]
    at io::Socket/connect()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/Socket.as:110]
    at io::Socket()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/Socket.as:90]
    at io::IO$/connect()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/IO.as:36]
    at MainController/endOfbluecodeSplash()[/Users/airrider3/Dropbox/Projects/Kipos/Minigames/HoldTheBombWeb/src/MainController.as:41]
    at bluecodeSplash/endOfSplash()[/Users/airrider3/Dropbox/Projects/Kipos/Minigames/HoldTheBombWeb/src/bluecodeSplash.as:55]
    at Function/http://adobe.com/AS3/2006/builtin::apply()
    at com.greensock.core::TweenCore/complete()[D:\_Flash\_AS3\src\com\greensock\core\TweenCore.as:178]
    at com.greensock::TweenLite/renderTime()[D:\_Flash\_AS3\src\com\greensock\TweenLite.as:477]
    at com.greensock.core::SimpleTimeline/renderTime()[D:\_Flash\_AS3\src\com\greensock\core\SimpleTimeline.as:93]
    at com.greensock::TweenLite$/updateAll()[D:\_Flash\_AS3\src\com\greensock\TweenLite.as:642]

I'm using Flash Builder, an ActionScript project, which connects to a server running NodeJS using the Socket.IO module.

To connect Socket.IO with AS3 I'm using the following library https://github.com/sbquinlan/AS3-Socket.IO-XHR-Polling
which works perfectly while testing in local, from Flash Builder.

However, if hosted on my domain [http://kipos.bluecodestudio.com/holdthebomb/], I suppose it raises this SecurityErrorEvent because I am not using any crossdomain.xml files correctly? I've never gotten along with this topic, to be honest, so I'm not sure if this is the error.

In any case, I have the following crossdomain.xml file:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

I have it in different places on my server. (Should it be on the hosting client?). Yes, the game is hosted on bluecodestudio.com, while the game's server is on the IP 23.29.126.76, running on the port 8000.

If it's the case of the crossdomain policy error, is anyone kind to explain what should be done to fix the problem?

Thanks for your attention.

Update 1:

I set up a server listening on port 843 giving the crossdomain file, but I can see how Flash doesn't try to load it. (I tested the command python -c 'print "<policy-file-request/>%c" % 0' | nc 23.29.126.76 843 and checked how the policy server indeed works.

How come the SWF doesn't try to load a crossdomain policy file?

Best Answer

Crossdomain policy file should be hosted on machine where the server is running i.e. on the 23.29.126.76. For socket connection flash players automatically try to load master crossdomain policy file from the port 843 (You can get simple policy server script from adobe.com http://www.adobe.com/cn/devnet/flashplayer/articles/socket_policy_files.html)

UPD: Use Security.loadPolicyFile("xmlsocket://23.29.126.76:843"); to load policy file directly, but as I wrote flash player already do the same automatically (for port 843), it sends the string request "<policy-file-request/>\0".

debugging policy

To debug the policy server do the following:

Be sure you have the debug flash player.
Check that server installing is correct by the command (linux, mac or cygwin on Windows): echo -ne '<policy-file-request/>\0' | nc -v host port. This command should print out your crossdomain.xml file
Turn on the flash player policy log by setting the flag PolicyFileLog=1 in mm.cfg file (be sure you have the debug version of flash player), run swf file and read the policy log, it has user friendly format, you will be able to figure out the problem in most cases by this log.

Related Solutions

Javascript – How to send a cross-domain POST request via JavaScript

Update: Before continuing everyone should read and understand the html5rocks tutorial on CORS. It is easy to understand and very clear.

If you control the server being POSTed, simply leverage the "Cross-Origin Resource Sharing standard" by setting response headers on the server. This answer is discussed in other answers in this thread, but not very clearly in my opinion.

In short here is how you accomplish the cross domain POST from from.com/1.html to to.com/postHere.php (using PHP as an example). Note: you only need to set Access-Control-Allow-Origin for NON OPTIONS requests - this example always sets all headers for a smaller code snippet.

In postHere.php setup the following:

switch ($_SERVER['HTTP_ORIGIN']) {
    case 'http://from.com': case 'https://from.com':
    header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);
    header('Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS');
    header('Access-Control-Max-Age: 1000');
    header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');
    break;
}

This allows your script to make cross domain POST, GET and OPTIONS. This will become clear as you continue to read...

Setup your cross domain POST from JS (jQuery example):

$.ajax({
    type: 'POST',
    url: 'https://to.com/postHere.php',
    crossDomain: true,
    data: '{"some":"json"}',
    dataType: 'json',
    success: function(responseData, textStatus, jqXHR) {
        var value = responseData.someKey;
    },
    error: function (responseData, textStatus, errorThrown) {
        alert('POST failed.');
    }
});

When you do the POST in step 2, your browser will send a "OPTIONS" method to the server. This is a "sniff" by the browser to see if the server is cool with you POSTing to it. The server responds with an "Access-Control-Allow-Origin" telling the browser its OK to POST|GET|ORIGIN if request originated from "http://from.com" or "https://from.com". Since the server is OK with it, the browser will make a 2nd request (this time a POST). It is good practice to have your client set the content type it is sending - so you'll need to allow that as well.

MDN has a great write-up about HTTP access control, that goes into detail of how the entire flow works. According to their docs, it should "work in browsers that support cross-site XMLHttpRequest". This is a bit misleading however, as I THINK only modern browsers allow cross domain POST. I have only verified this works with safari,chrome,FF 3.6.

Keep in mind the following if you do this:

Your server will have to handle 2 requests per operation
You will have to think about the security implications. Be careful before doing something like 'Access-Control-Allow-Origin: *'
This wont work on mobile browsers. In my experience they do not allow cross domain POST at all. I've tested android, iPad, iPhone
There is a pretty big bug in FF < 3.6 where if the server returns a non 400 response code AND there is a response body (validation errors for example), FF 3.6 wont get the response body. This is a huge pain in the ass, since you cant use good REST practices. See bug here (its filed under jQuery, but my guess is its a FF bug - seems to be fixed in FF4).
Always return the headers above, not just on OPTION requests. FF needs it in the response from the POST.

Node.js – How to update NodeJS and NPM to the next versions

See the docs for the update command:

npm update [-g] [<pkg>...]

This command will update all the packages listed to the latest version (specified by the tag config), respecting semver.

Additionally, see the documentation on Node.js and NPM installation and Upgrading NPM.

The following original answer is from the old FAQ that no longer exists, but should work for Linux and Mac:

How do I update npm?
npm install -g npm
Please note that this command will remove your current version of npm. Make sure to use sudo npm install -g npm if on a Mac.

You can also update all outdated local packages by doing npm update without any arguments, or global packages by doing npm update -g.

Occasionally, the version of npm will progress such that the current version cannot be properly installed with the version that you have installed already. (Consider, if there is ever a bug in the update command.) In those cases, you can do this:
curl https://www.npmjs.com/install.sh | sh

To update Node.js itself, I recommend you use nvm, the Node Version Manager.

Best Answer

Related Solutions

Javascript – How to send a cross-domain POST request via JavaScript

Node.js – How to update NodeJS and NPM to the next versions

How do I update npm?

Related Topic