I'm trying to integrate a Flex app with Google Checkout and code that runs fine on my local machine is throwing a Security Error when I test on my site.
Here's the error:
Warning: Failed to load policy file from https://sandbox.google.com/crossdomain.xml
*** Security Sandbox Violation ***
Connection to https://sandbox.google.com/checkout/api/checkout/v2/request/Merchant/12345 halted - not permitted from http://www.mysite.com/demo/cartTest/main.swf
ERROR (flash.events::SecurityErrorEvent)#0
bubbles = false
cancelable = false
currentTarget = (flash.net::URLLoader)#1
bytesLoaded = 0
bytesTotal = 0
data = (null)
dataFormat = "text"
eventPhase = 2
target = (flash.net::URLLoader)#1
text = "Error #2170: Security sandbox violation: http://www.mysite.com/demo/cartTest/main.swf cannot send HTTP headers to https://sandbox.google.com/checkout/api/checkout/v2/request/Merchant/12345."
type = "securityError"
Error: Request for resource at https://sandbox.google.com/checkout/api/checkout/v2/request/Merchant/12345 by requestor from http://www.my开发者_StackOverflow中文版site.com/demo/cartTest/main.swf is denied due to lack of policy file permissions.
Like I said, it runs fine locally. How can I get around this security error?
To get around this one, I assembled an html form in Flex and then passed it out to the js on the page, had it appended to an empty form on the page and then submitted the form. I'm keeping the form hidden so all of the UI input and actions happen in the swf. I don't love it but I'll live with it.
The crossdomain.xml file is a security constraint generally designed to prevent malicious behaviors. The permissions are different when you run the SWF locally.
If you are making a request to a different domain, that other domain must host a crossdomain.xml file. If they do not, it will not work. Amazon, for example, hosts a crossdomain.xml file.
This prior StackOverflow thread gives you some options.
Also see Curtis Morley's post on crossdomain.xml files.
You're loading an swf from http:
and trying to access an https:
URL.
By default this will be blocked (error #2170).
To make it work the target domain (the one you're trying to access from Flash) should have a /crossdomain.xml
which allows insecure access (secure="false"). The following crossdomain.xml
would have worked in your case if only you could make it accessible at the root of your target URL, i.e. https://sandbox.google.com/crossdomain.xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
More about the secure flag here: http://www.adobe.com/devnet/..../fplayer9_security.html#_Secure_Domain_Lists
精彩评论