
secure web socket connection through flex generates a Security sandbox violation

I'm trying to connect to a secure web socket (wss://) using Flex, and I'm getting a security sandbox violation error.

The full error message is the following:

    *** Security Sandbox Violation ***
    Connection to foo.bar:8443 halted - not permitted from https://foo.bar:8443/foo/foo-html/Main.swf
    Security Error: [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048: Security sandbox violation: https://foo.bar.com:8443/foo/foo-html/Main.swf cannot load data from come2play.xpogames.com:8443."]

    Connection Failure: Error #2048: Security sandbox violation: https://foo.bar.com:8443/foo/bar-html/Main.swf cannot load data from foo.bar.com:8443. Websocket closed.

The browser that I'm trying to use is Firefox 20.0.1.

I created a JavaScript client that connects to that same address using the wss:// protocol on port 8443, and it connected just fine.

I included a crossdomain.xml file under the ROOT directory of my Tomcat so the Flex application will be able to load it. The content of the crossdomain.xml file is as follows:

    <?xml version="1.0"?>
    <cross-domain-policy>
        <allow-access-from domain="*" secure="false" />
        <allow-http-request-headers-from domain="*" headers="*"/>
    </cross-domain-policy>

I checked with firebug and noticed that the crossdomain.xml file was loaded properly.

I tried to specify manually the location of the crossdomain.xml file using

    flash.system.Security.loadPolicyFile("{Url to my crossdomain.xml file on the SSL virtual root}");

but I got the same results.

I also tried different configuration variations in this crossdomain.xml, for example secure="yes", and I tried to specify the ports used, but nothing worked; I always got the security sandbox violation.

I know that the mms.cfg file may have the DisableSockets = 1 directive turned on, but I do not have such a file on my system. I'm on Gentoo Linux.

The funny thing is that my system is on the same domain and the same port that my websockets are!

It's actually a Facebook application that sits on apps.facebook.com/foo, for example, and that canvas page is, for example, foo.bar.com:8443

and then the secure web socket address is also wss://foo.bar.com:8443! So I don't really understand why I need to deal with cross domain in the first place!

Any information regarding the issue would be greatly appreciated!

Thank you

I installed http://code.google.com/p/flashpolicyd/

It opens a server on port 843 that actually serves a policy file per request. You have a policy file there that accepts every host and every port; you need to modify it according to your needs.

Then, in the Flex code, you need to point the policy file to that address using the xmlsocket:// protocol.

    Security.loadPolicyFile("xmlsocket://hostname:843");

That's it!
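An added example (not from the original post or from flashpolicyd): a Python check that flags over-broad rules in a socket policy file before it is served on port 843. Both sample policies are constructed; the narrowed one assumes the host and port from the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an accept-every-host, every-port socket policy.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: narrowed to the host and port used in the question.
NARROWED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="foo.bar.com" to-ports="8443"/>
</cross-domain-policy>"""


def audit_socket_policy(xml_text):
    """Return one finding per over-broad setting in a socket policy file.

    Intended for policy files you own; the stdlib parser is not hardened
    against hostile XML.
    """
    # Policy servers terminate the reply with a NUL byte; drop it if present.
    root = ET.fromstring(xml_text.rstrip("\0"))
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        ports = rule.get("to-ports", "")
        if domain == "*":
            findings.append('domain="*": SWFs from any origin may connect')
        elif domain.startswith("*."):
            findings.append(f'domain="{domain}": every subdomain may connect')
        if "*" in ports:
            findings.append('to-ports="*": every port on this host is reachable')
        elif "-" in ports:
            findings.append(f'to-ports="{ports}": port range, list exact ports')
        elif not ports:
            findings.append("to-ports missing: state the allowed ports explicitly")
        if rule.get("secure", "").lower() == "false":
            findings.append('secure="false": SWFs loaded over plain HTTP are allowed')
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("narrowed", NARROWED)):
        print(name, audit_socket_policy(policy) or "no findings")
```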
