Flash Security Error Accessing URL with crossdomain.xml

Tags: actionscript-3, apache-flex, flash, security

I recently deployed a Flash application to a server, and am now experiencing errors when making HTTPService requests. I have put what I believe to be the most permissive crossdomain.xml possible in the wwwroot folder, and still get the errors.

Interestingly enough, the error only seems to occur when the request is made from a direct user interaction (i.e. a button click). The application makes other requests that are initiated by other means (i.e. creationComplete), and they seem to work as expected.

Anyone see anything wrong with the crossdomain.xml, or have any other suggestions?

ERROR MESSAGE

[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler()
at mx.rpc::Responder/fault()
at mx.rpc::AsyncRequest/fault()
at DirectHTTPMessageResponder/securityErrorHandler()
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at flash.net::URLLoader/redirectEvent()

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="all" />
 <allow-access-from domain="*" secure="false" />
 <allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

Best Answer

You need to be careful with those crossdomain policy files because they can open up some serious security holes. You should never use a * policy on a site that uses cookies or basic auth, and you should never put a * policy on an intranet server.

The easiest way to avoid those security problems and make things work is to make sure that the URL the SWF is loaded from and the URL the requests are being made to are the same protocol, hostname, and port (if specified). If they are different then you should look into using a proxy so that they are the same. BlazeDS or Apache can easily be set up as a proxy.
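An added example, not from the question or the answer above, covering both the posted crossdomain.xml and the answer's advice: a small Python audit that parses a crossdomain.xml, flags the settings the answer warns about (a `*` policy, `secure="false"`, `permitted-cross-domain-policies="all"`), and a same-origin check that compares the SWF URL and the request URL on scheme, host and port. The hostnames, the hardened policy and the finding codes are constructed for illustration; the permissive policy is the one from the question.

```python
"""Audit a Flash crossdomain.xml and check SWF/request origin alignment.

Added illustration for the answer above; the policy samples and hostnames
below are constructed, not taken from a real deployment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The fully permissive policy posted in the question (constructed copy).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="all" />
 <allow-access-from domain="*" secure="false" />
 <allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
"""

# A hardened policy (assumed/constructed): one named origin, HTTPS only,
# and only the master policy file honoured.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="master-only" />
 <allow-access-from domain="app.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (element, finding-code) tuples for risky settings.

    Finding codes are this example's own labels, in document order:
    site-control first, then each allow-access-from, then each
    allow-http-request-headers-from element.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: %r" % root.tag)

    findings = []

    # "all" lets any XML file on the server be used as a policy file.
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("site-control", "policies-all"))

    for el in root.findall("allow-access-from"):
        if el.get("domain", "") == "*":
            findings.append(("allow-access-from", "wildcard-domain"))
        # secure="false" lets SWFs loaded over plain HTTP read HTTPS data.
        if el.get("secure", "true").lower() == "false":
            findings.append(("allow-access-from", "secure-false"))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "") == "*":
            findings.append(("allow-http-request-headers-from", "wildcard-domain"))
        if el.get("headers", "") == "*":
            findings.append(("allow-http-request-headers-from", "wildcard-headers"))
        if el.get("secure", "true").lower() == "false":
            findings.append(("allow-http-request-headers-from", "secure-false"))

    return findings


_DEFAULT_PORTS = {"http": 80, "https": 443}


def same_origin(swf_url, request_url):
    """True when both URLs share scheme, hostname and (effective) port.

    An unspecified port is treated as the scheme's default, so
    https://host/ and https://host:443/ count as the same origin.
    """
    def origin(url):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
        return (scheme, (parts.hostname or "").lower(), port)

    return origin(swf_url) == origin(request_url)


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy))
    print(same_origin("https://app.example.com/app.swf", "https://app.example.com/api/data"))
    print(same_origin("https://app.example.com/app.swf", "http://app.example.com/api/data"))
```

Run the file directly to see the permissive policy produce six findings and the hardened one none; `same_origin` returns False as soon as the scheme, host or effective port differs, which is exactly the case the answer says to resolve with a proxy rather than a wider policy.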
