Problems Accessing Crossdomain.xml

Similar Messages

• IOError in IE but not in Firefox (possible crossdomain.xml problem)

  Yesterday, I hopefully debugged a problem that is occuring for our application in IE but not in Firefox.
  It has to do with accessing remote content from a separate domain.
  In every aspect it APPEARS to be a crossdomain.xml issue but the fact that this issue only arrises in IE is what has prompted me to post here.
  We have a solution in the works (bureaucratically speaking) but I want to double check here.
  Our application is on domain "a.domain".
  It access an xml file on "b.domain/xml/".
  And finally (this is the tricky part) it also accesses an xml file at "b.domain/forwardingPath/" which is actually forwarded to "c.domain/xml/".
  The crossdomain.xml is located at "b.domain/crossdomain.xml".
  The request for "b.domain/xml/anXMLFile.xml" works without any problem.
  The request for "b.domain/forwardingPath/anotherXMLFile.xml" succeeds in Firefox but not in IE (remember, the ACTUAL request is forwarded to "c.domain/xml/anotherXMLFile.xml").
  In IE I get an IOError.
  I believe we need an appropriate crossdomain.xml file also located at "c.domain/crossdomain.xml" and have put in that request.  What I want to confirm is whether this understanding is correct.  I am not a server-side person at all.  It's all elves and fairies to me.  And then finally, why the hell is this behavior inconsistent between IE and Firefox?  Is the Firefox version of flash player violating its own security standards?!
  I am cross-posting this at stack overflow.  http://stackoverflow.com/questions/7395931/ioerror-in-ie-but-not-in-firefox-possible-cross domain-xml-problem

  I've pinged our developers about this and here's what they have to say:
  "We did some work for the plugin around redirects andhence the correct behavior on Firefox.
  AFAIK, on IE we don't get notified of the redirect and can't participate in making security decisions during redirect scenarios. This behavior is out of our control.
  There is a workaround documented in the AS3docs here: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/system/LoaderCont ext.html#checkPolicyFile
  Here is the pertinent paragraph:
  Be careful with checkPolicyFile if you are downloading anobject from a URL that may use server-side HTTP redirects. Policy files arealways retrieved from the corresponding initial URL that you specify inURLRequest.url. If the final object comes from a different URL because of HTTPredirects, then the initially downloaded policy files might not be applicableto the object's final URL, which is the URL that matters in security decisions.If you find yourself in this situation, you can examine the value ofLoaderInfo.url after you have received a ProgressEvent.PROGRESS orEvent.COMPLETE event, which tells you the object's final URL. Then call theSecurity.loadPolicyFile() method with a policy file URL based on the object'sfinal URL. Then poll the value of LoaderInfo.childAllowsParent until it becomes true."
  Chris

• Security error accessing url with crossdomain.xml in InDesign FlexUI

  I'm evaluating Flex as a UI component in an InDesign script. Part of what it needs to do involves retrieving some data from a web server to be displayed in a datagrid. I've written a server running on localhost that will provide this data. Everything works fine when I run the component from Flash Builder or from the HTML wrapper page that is generated during the release build, but once I copy the .swf to the InDesign scripts folder and load it as part of a ScriptUI component, I get a fault response ("security error accessing url") when connecting to the server. I'm running this bit of code in from my Flex client:
  var h:HTTPService = new HTTPService();
  h.url = "http://localhost:8080/elements";
  h.method = "GET";
  h.addEventListener("result", getElementsResult);
  h.addEventListener("fault", getElementsFault);
  h.send();
  From what I've read, I may need a crossdomain.xml file at the root of my host, so I've added that to the server and can see that it is being accessed whenever the flex component attempts to connect to the service.
  My crossdomain.xml file is:
  <?xml version="1.0" ?>
  <!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
  <cross-domain-policy>
      <allow-access-from domain="*"/>
  </cross-domain-policy>
  which seems to be correct, from what I understand. I've also tried quite a few other variations (setting explicit site-control policies, etc.). I'm quite new to Flex/Flash and I'm basically stuck at this point. Where might I be going wrong?

  I think sleeping on this one helped... I found that if I serve the .swf from my web server then everything works out fine. Loading it from the local filesystem seems to have been the problem.

• Security Error in accessing Web service from Flex.Where to put crossdomain.xml in axis container?

  Hi guys.
  Typically webservices are invoked across domains. Flash has defined certain policies which prevent crossdomain access. The only way to bypass this security feature is to put a crossdomain.xml file within the server root of the webservice provider i.e. in our case at http://abc.com. A sample example of crossdomain.xml is as below:
  <?xml version="1.0"?>
  <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
  <cross-domain-policy>
       <site-control permitted-cross-domain-policies="all" />
       <allow-access-from domain="*" secure="false"/>
       <allow-http-request-headers-from domain="*" headers="*" secure="false" />
  </cross-domain-policy>
  If the crossdomain.xml is not added the developer will get “Security Error accessing URL” type of messages.
  The above mentioned information should be enough for you to get your flex based WebService client up and running.
  We are using axis2 to build webservices. We deployed the webservices under axis2 container under repository/srvices folder . But in Flex when we try to call the webservices we were getting the exception saying security error in accessing url. The solution is we need to put the crossdomain.xml o that it is loaded at runtime and allow us to access. In tomcat if we put the file under ROOT directory we could accss the file and we were able to access the webservices deployed under Tomcat. But I googled for Axis2 container and couldnt find any solution.
  Please post the reply if anyone knows the solution to it.
  Thanks
  Raja

  Hi. So, I did take a quick look at the Axis2 standalone server and didn't see any way to server up a file such as crossdomain.xml. It seems like it might be a useful enhancement to have the ability to serve up files even if this functionality was very simple/limited and nothing like a full blown http server.
  I'd log an enhancement request against axis2 if this is something you'd like to have.
  http://issues.apache.org/jira/browse/AXIS2
  -Alex

• Please HELP with CrossDomain.xml problem

  I'm using Flex2 with Java as the backend. On my local machine
  everything works fine. When I deployed the Java war file to the
  hosting server and moved the swf there as well I keep getting the
  following error "Security error accessing url"
  faultCode="Channel.Security.Error". After reading on this it says I
  need a crossdomain.xml file put at the root of my server.
  I have placed a crossdomain.xml file at the following areas.
  C:\Inetpub\wwwroot\crossdomain.xml
  C:\Inetpub\vhosts\mysite.com\crossdomain.xml
  C:\Inetpub\vhosts\mysite.com\httpdocs\crossdomain.xml
  C:\Program
  Files\SWsoft\Plesk\Additional\Tomcat\webapps\crossdomain.xml
  the following is in the crossdomain.xml
  <?xml version="1.0"?>
  <!DOCTYPE cross-domain-policy SYSTEM "
  http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
  <cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" secure="true"
  />
  </cross-domain-policy>
  the war file is deployed here:
  C:\Program
  Files\SWsoft\Plesk\Additional\Tomcat\psa-webapps\mysite.com\testjava.war
  and the swf file is located here:
  C:\Inetpub\vhosts\mysite.com\httpdocs\test.swf
  I don't know what I'm missing. Please someone help me.

  daperk,
  You should post this to board "Smartphones, Nseries and Eseries Devices".

• Help: Problems accessing XML file in WebSphere 3.5 Fix Pack 4 on Solaris

  We are having an emergent issue with WebSphere 3. 5 Fix Pack 4 on Solaris 2.6: The WAR file we deployed fails with runtime exception due to the inability
  to access a local resource(XML file) in the converted WAR file's web directory.
  The way we access this XML file is as follows:
  ServletContext theCon = getServletContext();
  URL u = theCon.getResource ("/web/test.xml");
  String newPath = u.toExternalForm ();
  InputStream is = new URL (newPath).openStream();
  The InputStream returned from the URL object is NULL.
  After checked the URL's externalForm string, we noticed that its protocol part is "classloader", e.g. the whole URL string is like "classloader:/opt/...../web/test.xml". However, if we replaced "classloader" with "file", the problem disappeared and the XML file can be read without error.
  Anybody know why "classloader:" in the URL string cause this problem, and what is the solution without changing the URL string?
  Thanks a lot!

  Hi,
  Can you try to replace the two last lines with:InputStream is = new FileInputStream (u.getFile());Hope this helps,
  Kurt.

• Crossdomain.xml issue - Accessing SAP from adobe FLEX

  Hi All,
  We are in the process of trying to integrate 4 SAP bapis exposed as Web services from adobe flex.
  When we do so we are getting a "security error accessing URL"
  The URL of our flex application is:
  http://10.10.0.48:8081/water0305/iden.html
  The WSDL of the web service is:
  http://10.10.0.66:8001/sap/bc/srt/rfc/sap/ZKK_BAPI_EQMT_DETAIL?sap-client=800&wsdl=1.1
  We looked at various forums and we found that adding a crossdomain.xml file to the root directory
  (at the destination server) will resolve the issue.
  I did implement all those steps on the R/3 side to add a crossdomain.xml to an ABAP WAS.
  crossdomain.xml on WAS
  however i still get those errors(security error accessing URL).
  Below is the code i use to access the SAP web service
  <mx:WebService
  id="EqmtDetailWS" showBusyCursor="true" fault="Alert.show(event.fault.faultString)" >
  <mx:operation name="EqmtDetail" resultFormat="e4x" result="getEquip_result(event);" fault="getFault(event);">
  <mx:request>
  <Equipment></Equipment>
  </mx:request>
  </mx:operation>
  </mx:WebService>
  We are  displaying the SAP info on a map service provided by esri so we included the load operation here.
  <-Loading the wsdl->
  private
  function onExtentChange(event:ExtentEvent):void {
  EqmtDetailWS.wsdl=
  "http://10.10.0.66:8001/sap/bc/srt/rfc/sap/ZKK_BAPI_EQMT_DETAIL?sap-client=800&wsdl=1.1&sap-user=******&sap-password=****&sap-language=EN&~transaction=iw51";
  EqmtDetailWS.loadWSDL();
  <Displaying the info from SAP>
  private function getEquip_result(event:ResultEvent):void {
  equip_desc = event.result.Equitext.Equidescr;
  txtAreaEquipDetail.htmlText = txtAreaEquipDetail.htmlText + "Equi. Desc. : " + event.result.Equitext.Equidescr + "\n";
  var material:String=event.result.Equimaster.Material;
  SAPIDAliasEquipDesc =event.result.Equitext.Equidescr;
  material=material.substring(14,18);
  txtAreaEquipDetail.htmlText = txtAreaEquipDetail.htmlText + "Material : " + material + "\n";
  txtAreaEquipDetail.htmlText = txtAreaEquipDetail.htmlText + "Serial No : " + event.result.Equimaster.Serialno + "\n";
  var costcntr:String=event.result.Equilocation.Costcenter;
  costcntr=costcntr.substring(7,10);
  txtAreaEquipDetail.htmlText = txtAreaEquipDetail.htmlText + "Cost Center : " + costcntr + "\n";
  CustomerID = event.result.Equisales.Customer;
  This is how we load the policy file.
  Security.loadPolicyFile(
  http://10.10.0.66:8001/sap/bc/bsp/sap/zroot/crossdomain.xml);
  This works fine when we run it from the IDE but throws up an error when we deploy it on the server
  So are we missing something ?
  Is there anything else to be done to overcome the security issue ?
  Thanks in advance.
  Regards,
  Karthik.

  Hi Rich,
  I followed the steps in your video when our system was R/3 4.7 (WAS 6.20) and the test worked fine, i.e. accessing the crossdomain by typing http://server:port/crossdomain.xml.
  I followed the same steps with our new version (we're undergoing an upgrade) but I kept getting the error message:
  "BSP Exception: the BSP URL /crossdomain.xml Does Not Contain Any Application Entries".  Then I saw Ivan post suggesting implementing OSS Note 1260386.  I applied the Note but I got the same error message. 
  Then I ran function ICFBUFFER_INIT to make sure the buffer is cleared, cleared the cache in the browser and still got the same error message.
  Our system is ERP 6.0, NetWeaver 7.0, level 17 (BASIS Component is SAPKB70017).
  Please help.  Thank you.
  Achille.

• Multiple plugtmp-1 plugtmp-2 etc. in local\temp folder stay , crossdomain.xml and other files containing visited websitenames created while private browsing

  OS = Windows 7
  When I visit a site like youtube whith private browsing enabled and with the add-on named "shockwave flash" in firefox add-on list installed and activate the flashplayer by going to a video the following files are created in the folder C:\Users\MyUserName\AppData\Local\Temp\plugtmp-1
  plugin-crossdomain.xml
  plugin-strings-nl_NL-vflLqJ7vu.xlb
  The contents of plugin-crossdomain contain both the "youtube.com" adress as "s.ytimg.com" and is as follows:
  <?xml version="1.0"?>
  <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
  -<cross-domain-policy> <allow-access-from domain="s.ytimg.com"/> <allow-access-from domain="*.youtube.com"/> </cross-domain-policy>
  The contents of the other file I will spare you cause I think those are less common when I visit other sites but I certainly don't trust the file. The crossdomain.xml I see when I visit most other flashpayer sites as well.
  I've also noticed multiple plugin-crossdomain-1.xml and onwards in numbers, I just clicked a youtube video to test, got 6 of them in my temp plus a file named "plugin-read2" (no more NL file cause I changed my country, don't know how youtube knows where I'm from, but that's another subject, don't like that either). I just noticed one with a different code:
  <?xml version="1.0"?>
  -<cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy>
  So I guess this one comprimises my browsing history a bit less since it doesn't contain a webadress. If these files are even meant to be deposited in my local\temp folder. The bigger problem occurs when they stay there even after using private browsing, after clearing history, after clearing internet temporary files, cache, whatever you can think of. Which they do in my case, got more than 50 plugtmp-# folders in the previous mentioned local\temp folder containing all website names I visited in the last months. There are a variety of files in them, mostly ASP and XML, some just say file. I have yet to witness such a duplicate folder creation since I started checking my temp (perhaps when firefox crashes? I'd say I've had about 50 crashes in recent months).
  I started checking my temp because of the following Microsoft Security Essential warnings I received on 23-4-12:
  Exploit:Java/CVE-2010-0840.HE
  containerfile:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp
  file:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp->pong/reversi.class
  and...
  Exploit:Java/CVE-2008-5353.ZT
  containerfile:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp
  file:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp->Testability.class
  Microsoft Security Essentials informed me that these files were quarantained and deleted but when going to my temp file they were still there, I deleted them manually and began the great quest of finding out what the multiple gigabytes of other files and folders were doing in that temp folder and not being deleted with the usual clearing options within firefox (and IE).
  Note that I have set my adobe flasplayer settings to the most private intense I could think of while doing these tests (don't allow data storage for all websites, disable peer-to peer stuff, don't remember exactly anymore, etc.). I found it highly suspicious that i needed to change these settings online on an adobe website, is that correct? When right-clicking a video only limited privacy options are available which is why I tried the website thing.
  After the inital discovery of the java exploit (which was discovered by MSE shortly after I installed and started my first scan with Malwarebytes, which in turn made me suspicious whether I had even downloaded the right malwarebytes, but no indication in the filename if I google it). Malwarebytes found nothing, MSE found nothing after it said it removed the files, yet it didn't remove them, manually scanning these jar_cache files with both malwarevytes and MSE resulted in nothing. Just to be sure, I deleted them anyways like I said earlier. No new jar_cache files have been created, no exploits detected since then. CCleaner has cleaned most of my temp folder, I did the rest, am blocking all cookies (except for now shortly), noscript add-on has been running a while on my firefox (V 3.6.26) to block most javascripts except from sites like youtube. I've had almost the same problem using similar manual solutions a couple of months ago, and a couple of months before that (clearing all the multiple tmp folders, removing or renaming jar_cache manually, running various antmalware software, full scan not finding a thing afterwards, installing extra add-ons to increase my security, this time it's BetterPrivacy which I found through a mozilla firefox https connection, I hope, which showed me nicely how adobe flash was still storing LSO's even after setting all storage settings to 0 kb and such on the adobe website, enabling private browsing in firefox crushed those little trolls, but still plugtmp trolls are being created, help me crush them please, they confuse me when I'm looking for a real threat but I still want to use flash, IE doesn't need those folders and files, or does it store them somewhere else?).
  I'm sorry for the long story and many questions, hope it doesn't scare you away from helping me fight this. I suspect it's people wanting to belong to the hackergroup Anonymous who are doing this to my system and repeating their tricks (or the virus is still there, but I've done many antivirus scans with different programs so no need to suggest that option to me, they don't find it or I run into it after a while again, so far, have not seen jar_cache show up). Obviously, you may focus on the questions pertaining firefox and plugtmp folders, but if you can help me with any information regarding those exploits I would be extremely grateful, I've read alot but there isn't much specific information for checking where it comes from when all the anti-virus scanners don't detect anything anymore and don't block it incoming. I also have downloaded and installed process monitor but it crashes when I try to run it. The first time I tried to run it it lasted the longest, now it crashes after a few seconds, I just saw the number of events run up to almost a million and lots of cpu usage. When it crashed everything returned back to normal, or at least that's what I'm supposed to think I guess. I'll follow up on that one on their forum, but you can tell me if the program is ligit or not (it has a microsoft digital signature, or the name micosoft is used in that signature).

  update:
  I haven't upgraded my firefox yet because of a "TVU Web Player" plugin that isn't supported in the new firefox and I'm using it occasionally, couldn't find an upgrade for it. Most of my other plugins are upgraded in the green (according to mozilla websitechecker):
  Java(TM) Platform SE 6 U31 (green)
  Shockwave for Director (green - from Adobe I think)
  Shockwave Flash (green - why do I even need 2 of these adobe add-ons? can I remove one? I removed everything else i could find except the reader i think, I found AdobeARM and Adobe Acrobat several versions, very confusing with names constantly switching around)
  Java Deployment Toolkit 6.0.310.5 (green, grrr, again a second java, why do they do this stuff, to annoy people who are plagued with java and flash exploits? make it more complicating?)
  Adobe Acrobat (green, great, it's still there, well I guess this is the reader then)
  TVU Web Player for FireFox (grey - mentioned it already)
  Silverlight Plug-In (yellow - hardly use it, I think, unless it's automatic without my knowing, perhaps I watched one stream with it once, I'd like to remove it, but just in case I need it, don't remember why I didn't update, perhaps a conflict, perhaps because I don't use it, or it didn't report a threat like java and doesn't create unwantend and history compromising temp files)
  Google Update (grey - can I remove? what will i lose? don't remember installing it, and if I didn't, why didn't firefox block it?)
  Veetle TV Core (grey)
  Veetle TV Player (grey - using this for watching streams on veetle.com, probably needs the Core, deleted the broadcaster that was there earlier, never chose to install that, can't firefox regulate that when installing different components? or did i just miss that option and assumed I needed when I was installing veetle add-on?)
  Well, that's the list i get when checking on your site, when i use my own browseroptions to check add-ons I get a slightly different and longer list including a few I have already turned off (which also doesn't seem very secure to me, what's the point in using your site then for anything other than updates?), here are the differences in MY list:
  I can see 2 versions of Java(TM) Platform SE 6 U31, (thanks firefox for not being able to copy-paste this)
  one "Classic Java plug-in for Netscape and Mozilla"
  the other is "next generation plug-in for Mozilla browsers".
  I think I'll just turn off the Netscape and Mozilla one, don't trust it, why would I need 2? There I did it, no crashes, screw java :P
  There's also a Mozilla Default plugin listed there, why does firefox list it there without any further information whether I need it or not or whether it really originates from Mozilla firefox? It doesn't even show up when I use your website plugin checker, so is there no easy way by watching this list for me to determin I can skip worrying about it?
  There's also some old ones that I recently deactivated still listed like windows live photo gallery, never remember adding that one either or needing it for anything and as usual, right-clicking and "visit homepage" is greyed out, just as it is for the many java crap add-ons I encountered so far.
  Doing a quick check, the only homepage I can visit is the veetle one. The rest are greyed out. I also have several "Java Console" in my extentions tab, I deactivated all but the one with the highest number. Still no Java Console visible though, even after going to start/search "java", clicking java file and changing the settings there to "show" console instead of "hide" (can't remember exact details).
  There's some other extentions from noscript, TVU webplayer again, ADblock Plus and now also BetterPrivacy (sidenote, a default.LSO remains after cleanup correct? How do I know that one isn't doing anything nasty if it's code has been changed or is being changed? To prevent other LSO's I need to use both private browsing and change all kinds of restrictions online for adobe flashplayer, can anyone say absurd!!! if you think you're infected and want to improve your security? Sorry that rant was against Adobe, but it's really against Anonymous, no offense).

• Problem loading external XML

  Hi, I"m having a problem with an Applet.
  I wrote a program that acceses an external XML file located on my webspace, but when I converted this program to run in a webbrowser I get console errors when trying to acces the file.
  Here's my code:
  package javaapplication;
  import java.applet.Applet;
  import java.awt.BorderLayout;
  import java.awt.Canvas;
  import java.util.ArrayList;
  import javaapplication7.parsing.XmlParser;
  public class Main extends Applet {  
      protected Thread gameThread = null;
      private Canvas display_parent = null;
      private boolean running = false;
      private XmlParser parser = new XmlParser();
      public void destroy() {
          remove(display_parent);
          super.destroy();
          System.out.println("Clear Up");
      public void start() {
          gameThread = new Thread() {
              public void run() {
                  running = true;
                  System.out.println("Entering Gameloop");
                  gameLoop();
          gameThread.setDaemon(true);
          gameThread.start();
      public void stop() {
      public void init() {
          setLayout(new BorderLayout());
          try {
              display_parent = new Canvas() {
                  public final void removeNotify() {
                      super.removeNotify();
              display_parent.setIgnoreRepaint(true);
              display_parent.setSize(getWidth(),getHeight());
              add(display_parent);
              display_parent.setFocusable(true);
              display_parent.requestFocus();
              setVisible(true);
          catch(Exception e) {
              System.err.println(e);
              throw new RuntimeException("Unable to create display");
      private void gameLoop() {
          ArrayList <String> temp = null;
          while (running) {    
              temp = parser.SearchXml("http://users.telenet.be/decoy/FacebookApp/xml/BulletType.xml", "BulletList",2);
              for (int i=0;i<temp.size();++i) {
                  System.out.println(temp.get(i));
  }my html file :
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <html>
    <head>
      <title>AppletLoader</title>
    </head>
    <body>
    <applet code="javaaplication.Main" archive="JavaApplication7.jar" codebase="." width="800px" height="600px">
      <!-- The following tags are mandatory -->
      <!-- Name of Applet, will be used as name of directory it is saved in, and will uniquely identify it in cache -->
      <param name="al_title" value="appletloadertest">
      <!-- Main Applet Class -->
      <param name="al_main" value="javaapplication.Main">
      <!-- logo to paint while loading, will be centered -->
      <param name="al_logo" value="appletlogo.png">
      <!-- progressbar to paint while loading. Will be painted on top of logo, width clipped to percentage done -->
      <param name="al_progressbar" value="appletprogress.gif">
      <!-- List of Jars to add to classpath -->
      <param name="al_jars" value="JavaApplication7.jar">
      <!-- signed windows natives jar in a jar -->
      <param name="al_windows" value="lib/windows_natives.jar.lzma">
      <!-- signed linux natives jar in a jar -->
      <param name="al_linux" value="lib/linux_natives.jar.lzma">
      <!-- signed mac osx natives jar in a jar -->
      <param name="al_mac" value="lib/macosx_natives.jar.lzma">
      <!-- signed solaris natives jar in a jar -->
      <param name="al_solaris" value="lib/solaris_natives.jar.lzma">
      <!-- Tags under here are optional -->
      <!-- Version of Applet, important otherwise applet won't be cached, version change will update applet, must be int or float -->
      <!-- <param name="al_version" value="0.1"> -->
      <!-- background color to paint with, defaults to white -->
      <!-- <param name="al_bgcolor" value="000000"> -->
      <!-- foreground color to paint with, defaults to black -->
      <!-- <param name="al_fgcolor" value="ffffff"> -->
      <!-- error color to paint with, defaults to red -->
      <!-- <param name="al_errorcolor" value="ff0000"> -->
      <!-- whether to run in debug mode -->
      <!-- <param name="al_debug" value="true"> -->
      <!-- whether to prepend host to cache path - defaults to true -->
      <param name="al_prepend_host" value="false">
      <!-- main applet specific params -->
      <param name="test" value="test">
    </applet>
    <p>
      if <code>al_debug</code> is true the applet will load and extract resources with a delay, to be able to see the loader process.
    </p>
    </body>
  </html>console errors :
  network: Connecting http://users.telenet.be/decoy/FacebookApp/xml/BulletType.xml with proxy=DIRECT
  network: Connecting http://users.telenet.be/crossdomain.xml with proxy=DIRECT
  network: Connecting http://users.telenet.be:80/ with proxy=DIRECT
  network: Connecting http://users.telenet.be/crossdomain.xml with cookie "__utmz=226366239.1223468593.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); st8id_wlf_%2Etelenet%2Ebe_%2F=TE5HVExNX0ZMQVNI?81c37b0684bbf41f4c42c63db814f879; __utma=226366239.605535372.1223468593.1223556298.1224764225.3"
  network: Connecting http://www.zita.be/users_error/ with proxy=DIRECT
  network: Connecting http://www.zita.be:80/ with proxy=DIRECT
  java.security.PrivilegedActionException: java.io.FileNotFoundException: http://www.zita.be/users_error/
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
       at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
       at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.New(Unknown Source)
       at sun.net.www.http.HttpClient.New(Unknown Source)
       at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
       at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
       at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
       at java.net.URL.openStream(Unknown Source)
       at facebookgame.parsing.XmlParser.SearchXml(XmlParser.java:38)
       at facebookgame.entity.ShotEntity.<init>(ShotEntity.java:62)
       at facebookgame.InGameState.Enter(InGameState.java:75)
       at facebookgame.FacebookApp.changeToState(FacebookApp.java:258)
       at facebookgame.MenuState.CheckPlayerInput(MenuState.java:106)
       at facebookgame.MenuState.StateCycle(MenuState.java:139)
       at facebookgame.FacebookApp.gameLoop(FacebookApp.java:212)
       at facebookgame.FacebookApp.access$200(FacebookApp.java:17)
       at facebookgame.FacebookApp$1.run(FacebookApp.java:60)
  Caused by: java.io.FileNotFoundException: http://www.zita.be/users_error/
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
       at com.sun.deploy.net.CrossDomainXML$2.run(Unknown Source)
       ... 22 moreHopefully some1 can help me :).
  Edited by: Veko on Dec 7, 2008 2:51 PM

  But why is it possible then to succesfully acces the .xml file with a non-web applet
  This code reads the file perfectly of my webspace...
  import java.io.InputStream;
  import java.io.OutputStream;
  import java.net.URL;
  public class XMLHandler {
       public static void SearchXml(){
          try{
              InputStream filesource = new URL("http://users.telenet.be/decoy/FacebookApp/xml/BulletType.xml").openStream();
              System.out.println("found input source");
              byte[] readIn = new byte[8];
              int bytesRead = filesource.read(readIn);
              OutputStream stream = System.out;
              while(bytesRead != -1){
                   stream.write(readIn);
                   bytesRead = filesource.read(readIn);
          } catch (Exception e){
              e.printStackTrace();
       public static void main(String[] args){
            SearchXml();
  }it returns the contents of the xml perfectly
  <?xml version="1.0"?>
  <bulletList>
  <bullet type="1">
       <speed>1.0f</speed>
       <size>O.65f</size>
       <damage>1</damage>
       <texture>"res/shot.png"</texture>
       <sound>"blah.ogg"</sound>
  </bullet>
  <bullet type="2">
       <speed>1.5f</speed>
       <size>O.65f</size>
       <damage>1</damage>
       <texture>"res/shot.png"</texture>
       <sound>"blah.ogg"</sound>
  </bullet>
  </bulletList>Does a applet in a browser have somekind of weird restriction that I haven't heard of yet ?
  Edited by: Veko on Dec 8, 2008 2:28 AM
  Edited by: Veko on Dec 8, 2008 2:29 AM
  Edited by: Veko on Dec 8, 2008 2:29 AM

• Apache proxypass and crossdomain.xml not working

  Hi everyone,
  I have the following problem. I have set up jboss on a Linux server connecting to local port 8080 (localhost:8080).
  I have opened the application on port 80 with Apache ( www.myDomain.com) and set up a virtual host that proxies
  this connection to localhost:8080 where jboss is listening.
  <VirtualHost *:80>
      DocumentRoot /var/www/nyDomain
      ServerName myDomain.com
      Alias /crossdomain.xml /var/www/html/crossdomain.xml
      # proxy pass to the jboss server
      <IfModule mod_proxy.c>
      ProxyRequests Off
      <Proxy *>
          Order deny,allow
          Deny from all
          Allow from all
      </Proxy>
      ProxyPass /Stylect http://127.0.0.1:8081/Stylect
      ProxyPassReverse /Stylect http://127.0.0.1:8081/Stylect
      # ProxyPreserveHost on
      </IfModule>
  </VirtualHost>
  The crossdomain.xml file is at the root of the server and can be accessed with www.mydomain.com/crossdomain.xml
  <cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
  </cross-domain-policy>
  I can see in firebug that it's being downloaded when I first request the page - this is the response:
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
     "http://www.w3.org/TR/html4/strict.dtd">
  <html>
  <head>
    <title>Software as a Service Development. </title>
    <META name="description" content="Description here"><META name="keywords" content="Saas, fashion design, plm, production, nutrition, food, orders">
  </head>
  <frameset rows="100%,*" border="0">
    <frame src="http://xxx.xxx.xxx.xx/crossdomain.xml" frameborder="0" />
    <frame frameborder="0" noresize />
  </frameset>
  <!-- pageok -->
  <!-- 04 -->
  <!-- -->
  </html>
  Yet I still get a 2048 sandbox violation error.
  The crossdomain is needed because the proxied request
  appears to be coming from the public ip while jboss
  is bound to the local host.
  If I expose Jboss directly to the web all works well but there
  are too many security issues in that setup. Apache as a front is
  much better.
  The question is: is this the correct response I should be getting
  (or should it be directly the xml file) and why is it not working?
  How can I fix this?
  Any help much appreciated. I'm stuck.
  Dahn 

  Try adding security="false" inside the next line:
  <allow-access-from domain="*"/>
  so it would look something like
  <allow-access-from domain="*" security="false" />
  It fixed the problem for me.

• Crossdomain.xml Not Working

  Ok, so first off, my environment. I'm working on a flash
  application that resides on the web server (192.168.1.74) and the
  data its pulling is from a device (192.168.1.77).
  On .77 I have a crossdomain.xml. I have attached the
  crossdomain.xml file.
  The problem I'm having is that while watching the data
  communication in a network sniffer, after the GET for
  /crossdomain.xml happens, about 75% of the time, nothing gets
  returned. When the XML file DOES get returned, there's a HTTP OK
  message... and then that's it. None of the communication between
  the app and the server happens.
  Now, when I run this application in the Flash developer
  program thing, it works fine (I'm on .64) so I know the flash code
  works. So its either a Browser issue or my crossdomain.xml file is
  wrong in some way.

  Try adding security="false" inside the next line:
  <allow-access-from domain="*"/>
  so it would look something like
  <allow-access-from domain="*" security="false" />
  It fixed the problem for me.

• Ye Olde crossdomain.xml

  An App I was working on just went into production on
  Saturday. We have this setup: A weblogic application server (Server
  A) running on Machine A (a solaris OS). We have a separate weblogic
  server located on Machine B.
  Machine A's weblogic hosts the web application and one of the
  pages has a Flex app built in Flex Builder 2.0. This app accesses a
  webservice located on Machine B. In our system test environment
  this worked fine. It also works fine running it with the Run button
  in Flex Builder. When it was deployed to production this weekend, I
  get this error: Unable to load WSDL. If currently online, please
  verify the URL and/or format of the WSDL. I figure it is something
  wrong with crossdomain.xml. I have tried everything.
  Machine A: Port 7001 (crossdomain.xml accessible at
  machinea:7001/crossdomain.xml).
  Machine B: port 4444 (crossdomain.xml accessible at
  machineb:4444/crossdomain.xml).
  I've also tried to load it with Security.loadPolicyFile(url).
  None of this has worked and it always returns the same error. I'd
  really like to get this resolved, as like I said it worked in our
  test environment but is broken in production.

  Just to cover the basics, can you:
  1) test using a wide open cross-domain.xml on machineb?
  <allow-access-from domain="*" />
  2) confirm the URL of the service port at the bottom of the
  wsdl?
  The service port defines where the actual webservice can be
  found and may or may not be on the same server that hosts the wsdl.
  One problem might be that in testing the service port was using a
  canonical domain name that only resolvable on a private intranet,
  and breaks on public facing servers.
  3) run a packet sniffer on the client where Flash Player is
  running and trace connections from the client to machineb ?
  a) you should see an HTTP request / response for
  crossdomain.xml on machineb over port 4444
  b) you should see an HTTP request / response for the wsdl on
  machineb over port 4444
  c) you should see the HTTP req as a POST to the service port
  URL that sends the SOAP Request embedded in the SOAP envelope.
  d) you should see the HTTP response from the service port
  URL with the SOAP response inside a SOAP envelope
  4) Run the Eclipse WTP WebService Explorer from the same
  machine as the client with Flash Player. Type in the WSDL URL into
  the designated field, and Eclipse WTP will parse the wsdl and
  provide a form to permit you to enter data to properly fulfill the
  SOAP Request.
  Eclipse WTP is a great reference tool for testing webservices
  and can be used for troubleshooting by comparison.
  Please let me know how it goes.

• Why crossdomain.xml

  sorry i don't get it:
  why should having a crossdomain.xml policy file on the server
  that i load data from add any security?
  if i'd operate a malicous site i'd just put the
  crossdomain.xml on my site.
  it does not seem logic to me that any server can decide if it
  is secure that a flash app can load data from it.
  it would seem more reasonable that the flex/flash app itself
  decides where it is safe to load data from.
  i don't understand the security underlying this concept.
  what am i missing here?
  thanks,
  maxflex

  Thanks for sharing that URL. I think this is the section that applies to my XSS issue:
  If you imagine that the "public server" is instead a "hacker's server," and that instead of pushing out nice public content he's sharing harmful links to malware, etc., then I think you see the problem
  "A public server that allows data access from any domain
  Some sites are intended to be accessed by anyone. They contain publicly available data, such as news feeds and web services.
  The Flash Player, and web browsers, generally disallow access to data outside the current domain. Because of this, a common practice is to deploy a proxy script on the server that hosts the Flash movie, which then requests data server-side before returning it to the movie.
  This is a standard practice, but it requires the creator of the Flash movie create server-side logic just to access public data. If the public server has a policy file, all Flash movies can access its data without any additional server scripts.
  A policy file that permits all domains to access it uses a wild card instead of specifying individual domains.
  <?xml version="1.0"?>
           <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
           <cross-domain-policy>
           <allow-access-from domain="*" />
           </cross-domain-policy> "

• Crossdomain.xml just not working

  Hello,
  I am having problems moving my application from my Local
  Machine to a DEV/TEST server for testing. My app uses C# Web
  Services for data access and is a Flex front end.
  Here is the error I get (only on the DEV/TEST server):
  A Fault occured contacting the server.
  Fault Message is: HTTP request error
  Faul Code is: Server.Error.Request
  Fault Detail is: Error: [IOErrorEvent type="ioError"
  bubbles=false cancelable=false eventPhase=2 text="Error #2032:
  Stream Error. URL:
  http://DOMAIN/APPLICATION/WebService.asmx"
  URL: WebService.asmx
  The same exact configuration works on my local machine. I
  have a crossdomain.xml file in place that looks like this:
  <?xml version="1.0" ?>
  <!DOCTYPE cross-domain-policy (View Source for full
  doctype...)>
  - <cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="*" secure="fase" />
  <allow-http-request-headers-from domain="*" headers="*"
  secure="fase" />
  </cross-domain-policy>
  However, I wouldn't think that the crossdomain is actually
  necessary because the application exists on the same domain and
  directory as the webServices. But, I added one anyway because every
  google lookup seems to say that the HTTP Request Error -
  Server.Error.Request is a crossdomain.xml problem.
  I was kind of thinking it could be a permission error.
  However, I have the web page run as an 'application' and that
  application's user account has permissions to the root directory
  and all it's children files/directories (so it can read the
  crossdomain.xml) and also the application idenity has access to run
  all the selects.
  Unfortunately I'm running this on IIS6 on the DEV/TEST
  machine and IIS7 on my local machine. So, I'm unable to setup
  failed request tracing to see if I can find the problem there.
  Does anybody have any help they can share? I've spent the
  complete day trying everything I can think of to get it to work
  with no resolve.
  Any help would be greatly appreciated!
  Thanks!!
  -Mike

  Turns out that the problem was that the Application Pool
  Identity didn't have access to the SQL DBs to do CRUD. I guess you
  should never be too sure of things. -=o/

• SWF Jitters on drupal site - crossdomain.xml

  I've been working on a mapping application for a client.  The swf I've created references a xml that provides names for mc's and listeners.  The xml also has info that populates text boxes when clicked on.
  I'd been hosting the working version of this swf on our website (drupal based) where I worked on changes and tested it.  It worked fine in this location and still is functioning well
  http://wildlands.org/node/683
  When I sent a copy for my clients to post on their website, we ran into a few problems.  First, there was a crossdomain issue and we had to create a crossdomain.xml and place it in their site's root.  Once we did this, the app worked but became jittery (a problem i cannot replicate on my site).  The client is using the same version of drupal and the same flashnode module.
  http://www.gallatinwrp.org/content/testflash
  Does anyone know where I could start to begin troubleshooting this?  It's strange that this does not occur on my site.  I also never had to create a crossdomain.xml and place it in our site's root.
  thanks in advance,
  j

  the easiest way to avoid cross-domain issues, is to use a local executable (like a php file) and have that executable load your cross-domain assets and pass them to your local swf.
  otherwise, you must correct your crossdomain.xml file.  to start, you need a cross-domain meta policy file that is in the host server's root directory.  if you don't have access to the root directory, you don't control that server and you are not allowed to place policy files on it.  (see above solution.)