Sandbox Violation: AIR + contentLoader'd SWFs versus UI components?!

Similar Messages

• Error #2048: Security sandbox violation

  I've been developing Flex apps for a couple of years now and feel comfortable with my development environment.
  I'm testing out Gumbo in my same environment (new workspace): WAMP based
  My test app works fine on my localhost set up... but when I upload the files to my hosted domain server... I get Error #2048: Security sandbox violation.
  Specifically:
  - I'm invoking an HTTPService by setting the url to a relative path (folder/file in same dir as the swf)
  - I set method to POST and useProxy to false
  (<fx:Declarations>
          <s:HTTPService id="contentService" url="data/verd_content.xml" method="POST" useProxy="false" resultFormat="e4x" />
      </fx:Declarations>)
  - I wrapped the send call in a try / catch block and show an Alert with the error message in the catch... here's what it says
  body = (null)
    clientId = "DirectHTTPChannel0"
    correlationId = "F4B9A542-8B00-5CDB-3C36-1316919FC255"
    destination = ""
    extendedData = (null)
    faultCode = "Channel.Security.Error"
    faultDetail = "Destination: DefaultHTTP"
    faultString = "Security error accessing url"
    headers = (Object)#1
      DSStatusCode = 0
    messageId = "E629F555-EF8B-E535-7CE4-13169662A82A"
    rootCause = (flash.events::SecurityErrorEvent)#2
      bubbles = false
      cancelable = false
      currentTarget = (flash.net::URLLoader)#3
        bytesLoaded = 0
        bytesTotal = 0
        data = (null)
        dataFormat = "text"
      eventPhase = 2
      target = (flash.net::URLLoader)#3
      text = "Error #2048: Security sandbox violation: http://****.com/Main.swf cannot load data from http://localhost:***/data/verd_content.xml?hostport=***t.com&https=N&id=F4B9A542-8B00-5CDB -3C36-1316919FC255."
      type = "securityError"
    timestamp = 0
    timeToLive = 0
  *NOTE: I obfuscated parts of the url for security reasons
  I read the other similar posts here about problems like this when using the PHP / Zend set up... but I checked the .actionScriptProperties file and it does not have any URLs in there (like localhost:port#)
  I'm not using a service-config.xml file in this project... but I have set up WebORB for PHP servers and use that all the time... so I know how that works...
  Is this a bug or am I missing something new in the Gumbo ?
  Again: my swf file is in a folder in the webroot on my ISP
  also inside that folder is another folder with an XML file in it
  I'm setting an HTTPService call using the url parameter on a POST with a relative file path (folder/filename.xml)
  changing the url to an absolute makes no difference...
  thanks in advance for any help

  Sure...
  here's the code that contains both the HTTPService setup and the URLLoader setup... like i said in the original post.. the HTTPService call throws the error described, whereas the URLLoader call does not:
  private var loader : URLLoader = new URLLoader();
  private var req : URLRequest = new URLRequest("data/***dant_content.xml");//path obfuscated
  protected function Application_creationComplete():void
      // This works...
      loader.addEventListener( Event.COMPLETE, parseContent );
      loader.addEventListener( IOErrorEvent.IO_ERROR, contentFault );
      // This does not...
      /* contentService.addEventListener( ResultEvent.RESULT, parseContent );
          contentService.addEventListener(FaultEvent.FAULT, contentFault ); */
      try
          loader.load( req );
      catch (err:Error)
          Alert.show("In Try Catch Error Block: " + err.message);
          currentState='home';
  the HTTPService was set up like this: (again, i obfuscate the URLs for security)
      <fx:Declarations>
          <s:HTTPService id="contentService" url="data/***dant_content.xml" method="POST" useProxy="false" resultFormat="e4x" />
      </fx:Declarations>
  the parseContent function setup in the event listener justs reads the XML file and uses that data to build an image gallery.
  hope this helps (for what its worth: I'm not doing anything serious with Gumbo as of yet due to these kinds of bugs)

• SecurtyError sandbox violation

  SecurityError: Error #2149: Security sandbox violation:
  file://XXXX\Hello.swf cannot make fscommand calls to
  <unknown> (allowScriptAccess is ).
  at FSCommand$/_fscommand()
  at global/flash.system::fscommand()
  I have a swf movie (from Flex) and when calls to fscommand
  this error appears.
  This movie is inside a FlashPlanel (JFlashPlayer library)
  inside a JApplet.
  Only happens with IE, with Firefox it works ok:
  - In IE 6 the error doesn't happen, but the applet does'n
  receive fscommand.
  - In IE7 this error appears.
  - In Firefox works fine and the applet receive the fscommand
  correctly
  I tried to put inside a webserver, locally, signing the jar,
  grant allpermission to applet, with System.allowDomain("*") and i
  don't know how to solve it.
  Thanks

  i want to do a call. My panel implements a java listener for
  this panel and receive this call and receive the button pressed and
  some text info.
  Which is the new way to do this?? Actually i'm doint
  fscommand("next","extraInfo");
  Thanks

• AIR:  Loading external Swf - sandbox violation

  Hello Mates ,
  I need a help ... an urgent one !!! i tried so hard to figured it out .. but i couldn't .. so I appreciate your help so much ..
  I'm developing an Air App using flash ... the app loads an external SWF file dynamically through an xml ... the SWF file has a movieclip that has a listener (ON click )
  function mouseDownHandler(event:MouseEvent):void {
  navigateToURL(new URLRequest(clickURL));
  everything is working fine until i click on this movieclip ... it displays the below message
  SecurityError: Error #2121: Security sandbox violation: navigateToURL: http://www.mydomain.com/maskot/avatar.swf cannot access http://www.yahoo.com. This may be worked around by calling Security.allowDomain.
  any help !!! because i really have a deadline !
  Thank you so much !

  that's why i added those comments about the swf's domain.  for locally loaded swfs, use:
  SFMltd wrote:
  Hi Kglad, Thanks for the Example.
  if i run my class with securityDomain = SecurityDomain.currentDomain; then it throws this error: SecurityError: Error #2142: Security sandbox violation: local SWF files cannot use the LoaderContext.securityDomain property.
  The swf file im trying to load is stored locally so i guess this error makes sense. However if i comment out that line i get the same "cannot access Stage owned by app" error?
  See below for class:
  package  {
    import flash.display.MovieClip;
    import flash.filesystem.File;
    import flash.events.Event;
    import flash.net.FileReference;
    import flash.events.MouseEvent;
    import flash.display.Loader;
    import flash.net.URLRequest;
    import flash.system.LoaderContext;
    import flash.system.ApplicationDomain;
    import flash.system.SecurityDomain;
    public class assetPreview extends MovieClip {
    private var loader:Loader;
    private var mainSWF:MovieClip = new MovieClip();
    public function assetPreview() {
    addEventListener(Event.ADDED_TO_STAGE, initialise);
    public function initialise(e:Event):void
    removeEventListener(Event.ADDED_TO_STAGE, initialise);
    var allowSWF:LoaderContext = new LoaderContext(false,ApplicationDomain.currentDomain);
  // allowSWF.securityDomain = SecurityDomain.currentDomain;
    loader = new Loader();
    loader.load( new URLRequest(settingsXML.pathToSWF),allowSWF);
    loader.contentLoaderInfo.addEventListener(Event.COMPLETE, viewPreview);
    public function viewPreview(e:Event):void
    addChild(mainSWF);
    mainSWF.addChild(loader);

• Flex 4 + AIR 2 + mx:Image = Security Sandbox Violation!

  Hi there!
  I've been using Flex 4 and AIR 2 for some time now and there's a bug (or is it really one) that I always get and can't understand...
  Whenever I use a <mx:Image> to load an image (JPG) on a remote server that has a valid crossdomain.xml I get some annoying warnings. Of course, these only are warnings and everything runs fine (except that) but it's a pain to debug an app that has lots of logs like that:
  *** Security Sandbox Violation ***
  SecurityDomain 'http://static-p3.fotolia.com/jpg/00/07/56/92/110_F_7569245_9hdeWKxUxFRNYuowdSDBNv0YFN9xTJ9 S.jpg' tried to access incompatible context 'app:/Main.swf'
  I've googled it and found lots of others folks/threads about this, but none of them provide a valid solution... Seems like it's specific to AIR because some answers/solutions I found work in a basic SWF, but fail in an AIR app.
  Is that a bug in Flex?
  Am I wrong about the crossdomain.xml?
  How could a JPG raise a Security Sandbox Violation?
  Tips or tricks, anyone?

  AIR has different security rules because it doesn't really have a "domain"
  to compare against crossdomain.xml.  The warnings are annoying and
  misleading and usually indicate that some code is trying to access the
  bitmap inside a try/catch block.  Usually you can ignore any warning that
  doesn't stop execution.

• Sandbox violation using swf files in applicationStorageDirectory

  I want to use an swf file as the source to an mx:Image which I then want to drag around.
  The swf file is in the applicationStorageDirectory.
  The swf file loads and appears on the screen. I click on the image and get:
  *** Security Sandbox Violation ***
  SecurityDomain 'app-storage:/project1/images/bg.swf' tried to access incompatible context 'app:/RAE.swf'
  How do I solve this?

  It seems that even if an swf file has no scripts in it, if any of the assets have been turned into movieClips (we're talking Flash here), then as soon as you click on them they try to reference the parent swf. The Air app interprets this as an external swf trying to script it and the Sandbox violation occurs.
  The solution to this specific problem is to put the mx:Image inside an mx:Canvas and set the mouseChildren property of the Canvas to false.

• Air app, Rest service, Security sandbox violation

  Hi All,
    I wrote an app a couple of years ago using flex 3 that connects to a number of remote web services and does various things.
  This worked fine.
  Now I have been asked by the customer to update the app as it stopped working at some point.
  I am trying to use the resthttpservice library to do a PUT operation, but I am getting the following error when I try and create a socket to the remote server:
  Error #2048: Security sandbox violation: app:/main.swf cannot load data from http://my.host:8182
  Now, it's been a while since I've done anything with flex so I am rusty. But this error is usually fixed by having a crossdomains.xml file on the remote server. But it was my understanding that this was only required when one's app was running from within the browser and that desktop applications are not effected.
  Can anyone clarify this for me? It seems that there were changes made to the flash player in version 10 that might have changed this.
  I am very puzzled at this point!
  thanks for any help!

  These articles discuss security changes between FP 9 and 10:
  http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html
  http://www.adobe.com/devnet/flashplayer/articles/fplayer9-10_security.html
  What is impacted?
  This change can potentially affect any SWF file accessing cross-domain content. This change affects SWF files of all versions played in Flash Player 10 and later. This change affects all non-app content in Adobe AIR (however, AIR app content itself is unaffected).
  What do I need to do?
  Read the article: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

• Error #2048 (Sandbox Violation) in AIR prevents future hostname resolution

  Scenario:
  Create an application which tries opening 100 socket connections. This in turn triggers an Error #2031(Socket Error) on a few of them, I believe this is a limitation in Flash? or something similar? After a few seconds, those same socket connections will trigger an Error #2048 (Security Sandbox Violation).
  If the hostname which you used to connect to the sockets is a name (ex: "localhost") it will prevent any new connections from opening at all and will trigger an Error #2048 on all those future connections even though they are completely unrelated to the first.
  If the hostname which you use is an IP Address ("127.0.0.1") those individual connections will have failed but no future interaction will be affected.
  Problem:
  1) Why is an AIR application triggering a security sandbox error at all?
  2) Why is this error locking up hostname resolution?
  3) Is this in fact a hostname resolution problem since there are no issues when using an IP address?
  3a) In my testing it appears that once the Error #2048 "locks" resolution, it can be "unlocked" by using an IP Address on any socket (any successful socket connection really) which will restore the name resolution capability. Or so it seems.
  Any help would be greatly appreciated. Until I nailed down the specific cases where this was happening the errors appeared very byzantine.
  It is not only the Error #2031 from too many connections that triggers the Error #2048. The main problem is that Error #2048 is triggered by unspecified socket errors (unexpected close for example) and hence locks up future connections.
  The reason this is such a problem is that I'm creating an application specifically for the purpose of monitoring a custom server so errors do happen, and if future requests cannot complete a connection due to name lookup failure it can cause a huge problem for monitoring validity.

  Any help with this would be greatly appreciated.

• How to resolve security sandbox violation (Error#2148) in Flex 3 on XP?

  Hi,
  When I tried to access an image on c:\ (on XP), I get the following error:
  *** Security Sandbox Violation ***
  Connection to file:///C:\DBFiles\3.jpg halted - not permitted from http://localhost/test-debug/test.swf
  -- Remote SWFs may not access local files.SecurityError: Error #2148: SWF file http://localhost/ullmanphp-debug/ullmanphp.swf cannot access local resource file:///C:\DBFiles\INDSprintOrgChart.pptx\3.jpg. Only local-with-filesystem and trusted local SWF files may access local resources.
  at flash.display::Loader/_load()
  at flash.display::Loader/load()
  It looks like some sort of mismatch on security settings. I have done the following so far (based on what I got by googling....)
  1. Flex comipler setting additional compiler arguments:  -use-network=false
  2. I have added a crossdomain.xml on the source directory with these lines...
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
  However, error is still appearing. How do I fix this for testing on my local machine. I cannot move to a webserver at this time.
  Thanks!.

  How do I set Security.sandboxType related to flash player? When I try to see it in my application through debugger it says "remote". I think I need to set it to one of the following from the adobe manual pages...
  Security.sandboxType has one of the following values:
  remote (Security.REMOTE)—This file is from an Internet URL and operates under domain-based sandbox rules.
  localWithFile (Security.LOCAL_WITH_FILE)—This file is a local file, has not been trusted by the user, and it is not a SWF file that was published with a networking designation. The file may read from local data sources but may not communicate with the Internet.
  localWithNetwork (Security.LOCAL_WITH_NETWORK)—This SWF file is a local file, has not been trusted by the user, and was published with a networking designation. The SWF file can communicate with the Internet but cannot read from local data sources.
  localTrusted (Security.LOCAL_TRUSTED)—This file is a local file and has been trusted by the user, using either the Flash Player Settings Manager or a FlashPlayerTrust configuration file. The file can read from local data sources and communicate with the Internet.
  application (Security.APPLICATION)—This file is running in an AIR application, and it was installed with the package (AIR file) for that application. By default, files in the AIR application sandbox can cross-script any file from any domain (although files outside the AIR application sandbox may not be permitted to cross-script the AIR file). By default, files in the AIR application sandbox can load content and data from any domain.
  Any input on how to set it would be greatly appreciated. Thanks!

• Security Sandbox violation, opening links in Flash player

  Hi,
  I have a swf content and its content served from a content management server say for eg, http://www9.abc.com into the html file which is served from http://qwww9.abc.com The links embedded in the flash were not working, when these links are clicked I get this error when tried with Flash debugger player.
  *** Security Sandbox Violation ***SecurityDomain 'http://qwww9.abc.com/' tried to access incompatible context 'https://www9.abc.com/sample.swf'
  I had set a crossdomain policy file in a custom location in the content management server for this issue, but with the Flash player 9,0,115,0 this stopped working due to default policy change to "master-only". I will not be able to have this policy file in the root folder of the content management server or have the policy set in the HTTP response header.
  Is there anyother solution for this issue, for having the links work without setting the crossdomain policy file?
  Thanks in advance...

  How do I set Security.sandboxType related to flash player? When I try to see it in my application through debugger it says "remote". I think I need to set it to one of the following from the adobe manual pages...
  Security.sandboxType has one of the following values:
  remote (Security.REMOTE)—This file is from an Internet URL and operates under domain-based sandbox rules.
  localWithFile (Security.LOCAL_WITH_FILE)—This file is a local file, has not been trusted by the user, and it is not a SWF file that was published with a networking designation. The file may read from local data sources but may not communicate with the Internet.
  localWithNetwork (Security.LOCAL_WITH_NETWORK)—This SWF file is a local file, has not been trusted by the user, and was published with a networking designation. The SWF file can communicate with the Internet but cannot read from local data sources.
  localTrusted (Security.LOCAL_TRUSTED)—This file is a local file and has been trusted by the user, using either the Flash Player Settings Manager or a FlashPlayerTrust configuration file. The file can read from local data sources and communicate with the Internet.
  application (Security.APPLICATION)—This file is running in an AIR application, and it was installed with the package (AIR file) for that application. By default, files in the AIR application sandbox can cross-script any file from any domain (although files outside the AIR application sandbox may not be permitted to cross-script the AIR file). By default, files in the AIR application sandbox can load content and data from any domain.
  Any input on how to set it would be greatly appreciated. Thanks!

• Sandbox Violation #2148

  I just transferred a project I was working on from
  Flexbuilder 3 on PC to Eclipse 3.3 with Flex 3 plug-in on Mac and
  when I try to run a local debug session I get the following error.
  Am I missing some sort of permissions file?
  *** Security Sandbox Violation ***
  Connection to framework_3.0.0.477.swz halted - not permitted
  from file:///Users/brian_farrell/Documents/workspace/Zebra_Reviewer
  Module/bin/Login.swf
  SecurityError: Error #2148: SWF file
  file:///Users/brian_farrell/Documents/workspace/Zebra_Reviewer
  Module/bin/Login.swf cannot access local resource
  framework_3.0.0.477.swz. Only local-with-filesystem and trusted
  local SWF files may access local resources.
  at flash.net::URLStream/load()
  at flash.net::URLLoader/load()
  at
  mx.core::CrossDomainRSLItem/load()[E:\dev\3.0.x\frameworks\projects\framework\src\mx\core \CrossDomainRSLItem.as:206]
  at
  mx.core::RSLListLoader/loadNext()[E:\dev\3.0.x\frameworks\projects\framework\src\mx\core\ RSLListLoader.as:169]
  at
  mx.core::RSLListLoader/load()[E:\dev\3.0.x\frameworks\projects\framework\src\mx\core\RSLL istLoader.as:146]
  at
  mx.preloaders::Preloader/initialize()[E:\dev\3.0.x\frameworks\projects\framework\src\mx\p reloaders\Preloader.as:236]
  at mx.managers::SystemManager/
  http://www.adobe.com/2006/flex/mx/internal::initialize()[E:\dev\3.0.x\frameworks\projects\ framework\src\mx\managers\SystemManager.as:1508
  at
  mx.managers::SystemManager/initHandler()[E:\dev\3.0.x\frameworks\projects\framework\src\m x\managers\SystemManager.as:2196]

  How do I set Security.sandboxType related to flash player? When I try to see it in my application through debugger it says "remote". I think I need to set it to one of the following from the adobe manual pages...
  Security.sandboxType has one of the following values:
  remote (Security.REMOTE)—This file is from an Internet URL and operates under domain-based sandbox rules.
  localWithFile (Security.LOCAL_WITH_FILE)—This file is a local file, has not been trusted by the user, and it is not a SWF file that was published with a networking designation. The file may read from local data sources but may not communicate with the Internet.
  localWithNetwork (Security.LOCAL_WITH_NETWORK)—This SWF file is a local file, has not been trusted by the user, and was published with a networking designation. The SWF file can communicate with the Internet but cannot read from local data sources.
  localTrusted (Security.LOCAL_TRUSTED)—This file is a local file and has been trusted by the user, using either the Flash Player Settings Manager or a FlashPlayerTrust configuration file. The file can read from local data sources and communicate with the Internet.
  application (Security.APPLICATION)—This file is running in an AIR application, and it was installed with the package (AIR file) for that application. By default, files in the AIR application sandbox can cross-script any file from any domain (although files outside the AIR application sandbox may not be permitted to cross-script the AIR file). By default, files in the AIR application sandbox can load content and data from any domain.
  Any input on how to set it would be greatly appreciated. Thanks!

• Security sandbox on air app

  I have an application that read a external swf from a website, the swf has
  Security.allowDowmain("*");
  inside of it, and when I try lo load it from my air app happens this.
  SecurityError: Error #2070: Security sandbox violation: caller http://leftandrightsolutions.com/iglesiaviewer.swf cannot access Stage owned by app:/iglesiaFls.swf.
  at flash.display::Stage/set scaleMode()
  at tv.ustream.core::Application/frame1()
  could someone help me? I;ve tried to use a new Security.allowDowmain("leftandrightsolutions.com") and nothing happens.

  I have all the attempts from the sub-swf to set scale mode erased or at least "//" and now it doesn't shows-off any sandbox violation but now it doesn't show anything , here is my code on the
  <mx:script>
  private function videoViewer():void{
  var videoviewer:Loader= new Loader();
  videoviewer.width=800;
  videoviewer.height=400;
  videoviewer.load(new URLRequest("http://leftandrightsolutions.com/IglesiaViewer.swf"));
  holder.addChild(videoviewer);
  here is my UI component called holder.
  <mx:UIComponent id="holder" width="800" height="400" left="245" verticalCenter="-261">
    </mx:UIComponent>
  I don't know what could have been wrong. I think I have all as the in the book.
  Some help appreciated.
  Gus

• Security sandbox violation

  Can someone please help me see what's wrong with this picture?  Why is this security error happening?  Is there something I need to change with my crossdomain.xml file?
  LoadURL loadError [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048: Security sandbox violation: http://www.mysite/mySWF.swf cannot load data from http://mysite.com/scripts/myScript.php."]
  <?xml version="1.0"?>
  <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
  <site-control permitted-cross-domain-policies="master-only" />
  <cross-domain-policy>
  <allow-access-from domain="mysite.com" />
  <allow-access-from domain="www.mysite.com" />
  <allow-access-from domain="*.mysite.com" />
  </cross-domain-policy>

  nevermind, idk why I put the site control node outside of the cross-domain-policy root.

• *** Security Sandbox Violation *** problem

  Dear All,
  I having the Security problem
  My Scinarion
  I have an Exe (With SWISH Studio) / Swf file which is on Local Machine calles a swf file which on Server and that Swf file call a XML file which is on a Same Server
  While Compiling the SWF file gives the following error message of
  *** Security Sandbox Violation ***
  SecurityDomain 'http://www.mydomain.com/folder/swfname.swf?mathrand=Wed Apr 8 19:39:27 GMT+0530 2009' tried to access incompatible context 'file:///D|/folder/swfname.swf'
  I have already tried for
  System.security.allowDomain("*");   and   crossdomain.xml
  But it dosen't worked for me
  I will appriciate if any one can give me a ray of hope to solve this problem
  Please give me some solution
  Regards
  Raj

  Dear Kglad,
  Thanks for your instant reply as I have already mention I have tried with crossdomain.xml
  If you want to check the crossdomain and the fla files then I will mail u the details please provide me the email address
  Once again thanks
  Regards
  Raj

• Youtube: security sandbox violation

  Does anybody have a recipe for loading the AS3 chromeless player into a Flex application such that you don't get the 'incompatible context' errors constantly?
  *** Security Sandbox Violation ***
  SecurityDomain 'http://core-dev.thismoment.com/client/Demo.html' tried to access incompatible context 'http://www.youtube.com/apiplayer?version=3'
  I've been experimenting all day with  Security.allowDomain, Security.allowInsecureDomain, and  LoaderContext, but I haven't found the magic combination yet. The  main thing I want to do is be able to track the mouse wherever it goes on the screen.  Right now, if I mouse over the YouTube player, mouse events stop getting sent to the application, and I get that sandbox violation error in the debug log.  It works fine if I run the swf from a file: URL - it just doesn't work when it's coming over http, so obviously there is some sort of Flash security model thing kicking in.

  Doors only get opened from the inside otherwise all the bad guys would come
  in.
  Only the loaded SWF can allow access from the loading SWF.