Using Flash Player under HTTPS with Flex and Flash
DIGG IT!
10
Comments
Published
Wednesday, November 09, 2005
at
10:02 PM
.
I have been recently working with the core team at Cynergy Systems on debugging an HTTPS file upload solution for Flex 1.5. It seems that the Flash Player has a port identity crisis when run under HTTPS leading to all sorts of errors. Here is the solution...
It seems that the security model of the Flash Player is very fine grained on a port level. When running a SWF file under HTTPS, the player can get confused about what port is actually in use. In a sense the sandbox of the HTTPS SWF file is not associated with the actual port that loaded the SWF and thus data access is problematic. The player has sort of an identity crisis internally and it cannot communicate with the domain/port that the SWF files was served from. The solution is to explicitly load a Cross-Domain Security Policy File when the SWF is loaded to correct the problem. The following code will fix the problem when running under HTTPS on port 443:
System.security.loadPolicyFile('https://flexdemos.cynergysystems.com/support/crossdomain.xml');
Note:
- View the contents of the crossdomain.xml file above denoting port 443's use.
- The policyfile is not loaded by defualt and must use loadPolicyFile in this case.
I have worked with Cynergy on 2 projects using HTTPS/Flex/WebServices and have used HTTPS with several other clients. All have reported strange data related errors in using HTTPS of a similar nature. Considering this solved the File Upload issue, I believe that it should be standard policy to load a policy file when using HTTPS. As this is a backward compatible solution as it does not require a player update as loadPolicyFile is supported in Flash Player 7 and higher.
If you have found strange behavior in working with Flash Player and HTTPS, use loadPolicyFile and kiss your issues goodbye.
Special thanks the Carson Hager, Jason Weiss, and Dave Wolf for debugging this important and business critical issue. It really is an honor working with such a fantastic team at Cynergy. The Cynergy core team is a group of industry leading developers from the core team who created Sybase PowerBuilder & EAP Server, and Microsoft BizTalk Server. They have been making rich applications long before the birth of the Flash Player and long before I started programming. I cannot wait to show the community the projects we are working on at Cynergy, the work is truly impressive.
HTTPS, Check!
FLEX, Check!
LoadPolicyFile, Check!
All systems a go, we are cleared for launch!
Cheers,
Ted ;)
Have to book mark this on. Cheer for sharing the info :o). I bet it will be one of those things you hit your head against the wall about for ages then remember a post somewhere.
Can you post the xml file again? The link above isn't working correctly anymore :(
?an you post cross-policy XML file again? We are hitting the similar problem, trying to make HTTPS working on the port 443.
I'd like to see that cross domain policy file too now.
I'm having a similar problem, where upload works fine from IE over SSL (no policy file required), and works in firefox over non-SSL, but fails with an IOError (and no other info) with firefox over SSL.
You mysteriously hint at specifying the port number in this posting, but I tried everything I could see was possible given the DTD, and nothing made it work with FF and SSL. Hence, I'd love to see what that policy file said, just in case it contains the magic fix for this painful problem.
thanks,
Damon Smith
how would you use this with coldfusion Flash Form upload? I have a modified version of ASFusion's code but it doesn't work with https
The Cynergy URL no longer works. Can you include a working URL or the actual working crossdomain.xml file?
We too have the same problem making firefox work with https uploads...
We tried with a crossdomain file but it seems that the plugin cannot load it (and we cannot trap the error returned).
Any clues ?
I won't post the location of the file, but I found it with a little searching. This is the whole of the file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
This post has been removed by the author.
Actually, I believe it was supposed to be:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" secure="false" />
</cross-domain-policy>
however, that did not make ssl work for me under firefox =(