Fixing security sandbox violation in Flash AS3


Hello and welcome back to my blog!

This time I wanted to talk about the dreaded Security sandbox violation error which Flash will sometimes throw at you when you’re working with external websites, or sockets, or file access across local/web.

What is a security sandbox violation?

Flash applications run inside a security sandbox which prevents them from accessing data they shouldn’t. For example, if your application is web-based, it will be forbidden from accessing files on a user’s local hard drive. If the application is not web-based, then it will be forbidden from accessing the web. You can read more about these two types here.

When an application attempts to access data outside of its sandbox, you will see an error which looks similar to this:

********* Security Sandbox Violation ***** Connection to <requested data location> halted - not permitted from <location of swf>

This can happen in a number of different cases:

The application sandbox is set incorrectly

This can happen when the sandbox is configured to be used one way, but is being used in another way by mistake. You can change this setting:

In Flash IDE by going to File->Publish Settings->Flash->Local playback security and choosing either ‘Access local files only’ or ‘Access network only’.

In FlashDevelop by right clicking on your project->Properties->Compiler Options->Use network services

In Amethyst by right clicking on the project in the solution explorer->Properties->Compiler->Use network

You are accessing a web-service across domains

If your application is web-based and accesses a web-service on a different domain to the one the .swf file is hosted on, you can get a sandbox violation if the domain you are accessing does not have a valid cross-domain policy in place.

The root of the domain you are accessing must have a valid crossdomain.xml file.

Here is an example crossdomain.xml:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
	<allow-access-from domain="*" />
	<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

Read more on the specification of this file here
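As an added example (not part of the original post), this Python check parses a crossdomain.xml and reports entries that grant wider access than a single named host, such as the domain="*" entry in the sample above, which lets a .swf served from any site read responses from this domain. The function name audit_policy and the www.example.com variant are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SITE_CONTROL_VALUES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}

# The policy shown in the post, and a constructed variant naming one trusted host.
PAGE_POLICY = b"""<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
	<allow-access-from domain="*" />
	<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>"""
SCOPED_POLICY = PAGE_POLICY.replace(b'domain="*"', b'domain="www.example.com"')

def audit_policy(xml_bytes):
    """Return a list of findings for a Flash cross-domain policy file."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"invalid XML, the policy cannot be parsed: {exc}"]
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    findings = []
    site = root.find("site-control")
    if site is not None:
        value = site.get("permitted-cross-domain-policies", "")
        if value not in SITE_CONTROL_VALUES:
            findings.append(f"unknown site-control value {value!r}")
        elif value == "all":
            findings.append("site-control 'all': any file on the host can act as a policy")

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*': SWFs from any site may read responses")
        elif domain.startswith("*."):
            findings.append(f"wildcard {domain!r}: every subdomain is trusted")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"secure='false' on {domain!r}: SWFs loaded over HTTP may read HTTPS data")
    return findings

if __name__ == "__main__":
    for name, policy in (("page sample", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy))
```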

You are accessing a web-service from your local machine during development

Because of the two different sandbox modes, if you develop an application which accesses a web-service but debug or run it locally, this exception will fire. To get around this, you need to tell Flash that you give permission for this to happen.

By going to this web address you can configure this:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04a.html

Flash security settings for developers

Click ‘Add location’ and then choose the location of your .swf file. Be aware that you need to close the web-page before these settings will take effect!

You are communicating with a server through a socket

If you are communicating with a server via a socket, the server must correctly respond to requests for a policy file. Having a crossdomain.xml file in the root of the domain is insufficient for this purpose.

The Flash client will send a request to the server which looks like this:

<policy-file-request/>

It will do this first on port 843 and then on the port you chose to connect with the server. You can read more about socket policy files here.

The server must respond with a valid policy file which must be terminated with a \0 null character.

Here is how I store the required response as a string in C#:

// {0} is replaced with the permitted port; the trailing \0 terminates the policy file.
public const string kFlashPolicy =
	"<cross-domain-policy>\r\n" +
	"\t<allow-access-from domain=\"*\" to-ports=\"{0}\" />\r\n" +
	"</cross-domain-policy>\r\n\0";

You can then insert the correct port into that string and get the data as bytes like this:

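// Requires: using System; using System.Text;
string response = String.Format(kFlashPolicy, port.ToString());
// Encode the policy, including its terminating null character, for sending on the socket.
byte[] responseBytes = Encoding.UTF8.GetBytes(response);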
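The exchange described above, as an added Python example (not the author's C# server): it reads the request up to its terminating null byte, since TCP may deliver it in pieces, and replies with a null-terminated policy limited to one domain and one port. The names build_policy, read_until_nul and handle_client, and the host game.example.com, are assumptions made for illustration.

```python
import re
import socket

# Flash sends this string followed by a NUL byte before the real connection.
POLICY_REQUEST = b"<policy-file-request/>\x00"
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.*-]+$")

def build_policy(domain, port):
    """Policy for one domain and port, NUL-terminated as Flash requires."""
    if not _DOMAIN_RE.match(domain) or not 0 < int(port) < 65536:
        raise ValueError("domain or port would produce an invalid policy")
    return (
        "<cross-domain-policy>\r\n"
        f'\t<allow-access-from domain="{domain}" to-ports="{port}" />\r\n'
        "</cross-domain-policy>\r\n\0"
    ).encode("utf-8")

def read_until_nul(conn, limit=64):
    """Collect bytes up to the first NUL; TCP may deliver the request in pieces."""
    buf = b""
    while b"\x00" not in buf and len(buf) < limit:
        chunk = conn.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def handle_client(conn, domain, port):
    """Serve the policy if asked for it; return True when it was sent."""
    conn.settimeout(3.0)
    try:
        if read_until_nul(conn) != POLICY_REQUEST:
            return False  # anything else is ignored in this sketch
        conn.sendall(build_policy(domain, port))
        return True
    except socket.timeout:
        return False
    finally:
        conn.close()

def demo():
    """Constructed exchange over a local socket pair, request sent in two parts."""
    client, server = socket.socketpair()
    client.sendall(b"<policy-file-request/>")
    client.sendall(b"\x00")
    served = handle_client(server, "game.example.com", 8080)
    reply = client.makefile("rb").read()  # server closed, so read to EOF
    client.close()
    return served, reply
```

Naming the domain that hosts the .swf, rather than `*`, keeps the socket reachable only from content you serve.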

Additionally, although the crossdomain.xml file is insufficient on its own to solve this problem, I have found that to ensure good connection on lots of different browsers it’s necessary to call:

Security.loadPolicyFile("http://<server address>/crossdomain.xml");

before calling socket.connect() on the client.

Hope these help you in fixing your sandbox violations!

Until next time, have fun!

Cheers, Paul.


About Paul Firth

A games industry veteran of ten years, seven of which spent at Sony Computer Entertainment Europe, he has had key technical roles on triple-A titles like the Bafta Award Winning Little Big Planet (PSP), 24: The Game (PS2), special effects work on Heavenly Sword (PS3), some in-show graphics on the BBC’s version of Robot Wars, the TV show, as well as a few more obscure projects. Now joint CEO of Wildbunny, he is able to give himself hiccups simply by coughing.

2 Responses to Fixing security sandbox violation in Flash AS3

  1. mika says:

    Great article!
    Extra question:
    I am doing rendering on the backend and need to run a swf on a server.
    Do you know a way to programmatically modify the Global Security settings (on Ubuntu)?

    • Paul Firth says:

      Hi Mika,

      I’m afraid not – that would depend on the way the Ubuntu version of the Flash player reads the settings, and I’m not sure how that works.

      Cheers, Paul.
