Wednesday, November 3, 2010

Flex Sandbox Security Error #2048

I came across an annoying limitation of Flex today. After deploying my ArcGIS Flex application to an IIS server, I was having trouble accessing a Web Map Service (WMS). I could run the application locally and access the remote services, but deploying the application resulted in a Sandbox Security Error #2048:

"SecurityError: Error #2048: Security sandbox violation: http://mymachine/myflexapp/index.swf cannot load data from http://myserver.mydomain.com/arcgis/rest/services/myMapService/1?f=json..."


After perusing various ActionScript boards, I was finally directed to the solution on the ArcGIS Server 9.3 online help:

http://resources.esri.com/help/9.3/arcgisserver/apis/flex/help/index.html

"To access data from a different server than the one hosting your Flex application, the remote server needs to have a cross-domain file in the root directory."

As I understand it, this helps to prevent cross-site request forgery. Fair enough, but it's still annoying that Flex has this requirement, while many other client apps do not. My Flex application accesses the WMS service just like any other. The difference is this:
Web applications operate in a common environment, your browser. This environment shares common resources, such as cookies, which is a security concern.

Short of publishing the application as a standalone AIR app, I must rely on configuring the WMS server to allow access. It seems that this goes against some of the objectives of the OGC (seamless interoperability). I suppose JavaScript applications manage this in a similar way...?

Initially I was concerned about opening security holes, so I checked some well-known websites for examples on how to configure the file:
http://www.youtube.com/crossdomain.xml
http://www.google.com/crossdomain.xml

I was able to resolve the problem by asking the WMS Server administrators to set up the crossdomain.xml file at the root level of their website as described on the ESRI site. An example crossdomain.xml might be:

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="all" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>


This may not always be possible so an alternative approach is to configure a reflector on my own web server. Basically this will forward requests to the real destination, but to the web app, they appear to be coming from my own server. Obviously, copyright issues need to be considered when setting up something like this. The benefit of having a reflector is that you only need to configure a single crossdomain.xml file on the web server.

3 comments:

  1. I am having the same kind of issue with my Flex application. I tried the crossdomain.xml with the same settings as you had mentioned. But no luck. It still results in Error #2048 Sandbox security errors. Any idea why?

  2. What happens if you try to access the crossdomain file in your browser?

    e.g. http://www.yourwebsite.com/crossdomain.xml

  3. I am having the same kind of issue with my Flex application. I tried the crossdomain.xml with the same settings as you had mentioned. But no luck. It still results in Error #2048 Sandbox security errors. Also, when I access the file from the browser, it returns the cross-domain file, e.g. http://www.yourwebsite.com/crossdomain.xml
    Please reply with any suggestion.