Adobe recently rolled out a patch to Flash Player 9 to mitigate some bad security vulnerabilities (my favorite Flash vulnerability was hilariously described at Matasano Chargen). One of our Flash apps at work suffered collateral damage from the update.
If you get the message “Security error accessing url” after applying the April 8 Flash Player update, then it’s likely the app is doing something covered in this article covering potential compatibility issues with the update. Our app was affected because it accesses a web service running on another server.
When the Flash Player accesses data from another domain on behalf of a Flash app, it first looks for a crossdomain.xml file in the root directory of the domain that is being accessed. For example, on my site it would try to retrieve wombatnation.com/crossdomain.xml. This file contains access policies that the Flash Player will apply. If you want to allow any Flash app to access a web service on your site, you can go with the Come and Get It policy file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
If you need to allow access to only a small set of domains, you should replace the * wildcard with something more specific. You can use a * to pick up all sub-domains, though, for example, *.wombatnation.com would allow access to my local botnet herd.
One of the vulnerabilities Adobe is attempting to mitigate in this patch is the ability of a Flash app to send malicious HTTP headers to a remote service. The updated Flash Player lets an app send only the standard HTTP headers. If you want to send additional headers, the remote server must include additional policies. Unless, of course, your header of choice is already on the blacklist for fighting in bars, spitting on sidewalks or p0wning servers.
Since the SOAPAction header that is used with SOAP based web services is not a standard HTTP header, your Flash app will display the “Security error accessing url” message unless the remote server’s crossdomain.xml is updated. The quickest fix is to add the following line:
<allow-http-request-headers-from domain="*" headers="SOAPAction"/>
to the cross-domain-policy section. If you specified a more limited set of domains in the allow-access-from policy, you should probably use the same set of domains in this policy. This Adobe TechNote explains the details.
I tried to figure out what was going on with Firebug, but Flash apps are pretty much black boxes to me unless you’re debugging them with Flex Builder or whatever tool was used to build them. Flash is a pretty useful technology for quickly building apps, but there are so many drawbacks that I seriously doubt I would ever choose it as my preferred tool for building web apps.
My flex application is calling a webservice. It runs fine locally.
When put on the server, I am getting an error.
The fault string looks like
message faultCode:Channel.Security.Error
faultString:’Security error accessing url’
faultDetail:’Unable to load WSDL. If currently online, please verify
the URI and/or format of the WSDL (http://myshec103077d:8080/Check/
addint?wsdl)’
I tried putting crossdomain.xml in the root of the application server
and I am able to access the cross domain file by typing
http://myshec103077d:8080/crossdomain.xml
The cross domain file which I had put is of the form
Still I am getting the same error, when I run the flex app on the
server.
Any pointers will be appreciated.
Thanks,
Shameer.
Wish I could help, but I’ve never run into that error or have any good ideas on how to work around it. I haven’t worked with Flex very much.
I have the same problem.
I am calling a sap webservice. First, i called the webservice om localhost, and it was working fine. Then i called the webservice on our development server, and it’s still working fine (without the crossdomain.xml :-s). When i move the *.swf file to another location on my pc, i get the security error. I alse generated the release-bin .swf file, and that file shows the security error too. Is it possible that the first .swf (bin-debug) is working fine with the webservice on our development server it maybe thinks it’s still the local server or so? The data it receives is the correct data, so it’s really the webservice on our development server that is called.
Kind regards,
J.
Thank you so much for this post. After working on this for HOURS, I added “allow-http-request-headers-from” line in my crossdomain.xml file and WHAM!! Good to Go. THANK YOU!!!
Pingback: The YouTube Flash Video (FLV) secret - Streamhead
Thanks. I was looking for the header setting everywhere.
Thank you so very much for this! I’d been banging my head against this while trying to get to grips with Flex and SOAP for a good few hours when I came across your post = now all is good {:)
thank you for sharing this ultra clear explanation of this complicated security issue – proved to be a lifesaver on my current project