View Full Version : Security Issue Loading External Files

12-16-2007, 10:00 AM
I've been stressing for a week now that my video app won't load my flv's from a http address when embedded html but works in 'test movie'. The code that it gets stuck on is any line that tries to access a file from my remote server.

I've been doing some reading about the security.sandbox issue and have convinced myself that this is the issue.

Thing is I don't know what to do about it, the security.sandbox property for my app returns "localTrusted", and I went in the global setting panel and set it to always allow.

I also added this to my code:
Security.allowDomain("http://IP ADDRESS:5080");
Thats didn't seem to work, not sure if I need to add the http: and ip address after it, just the ip address, the ip address and the port number or the whole file path?

I also read something about cross domain policies...

I'm a bit lost with it all at the moment, can anyone tell what I need to change in order for this to work?


12-16-2007, 12:01 PM
I tried creating a crossdomain xml file in the following way. I added this line of code in flash


then I added the xml file which has the following in it(it should allows access to any domains), I did this just incase I mistyped the http address, just to prove the cross domain file works, but it didn't

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<allow-access-from domain="*" />

the attached xml has been put in the following location (I have a local web host setup on my development machine)


Tried all of the above but I still cannot seem to load an external text file...

Any ideas?

12-16-2007, 12:25 PM
All you have to do is put policy file n root folder of your domain so flashh app can access it using path

www.mydomain.com/corssdomain.xml (http://www.mydomain.com/corssdomain.xml) or without www (depends on srever config)

12-16-2007, 01:13 PM
panel, I believe this is what I have done. My website isn't yet hosted anywhere so I don't have a domain name e.g. www.mydomain.com, instead the website is hosted locally, so the root folder is C:\Inetpub\wwwroot and this is where I have placed the xml file.

If I type localhost/crossdomain.xml into my web browser, the xml file successfully displays in the browser. So that should be fine.

Just to confirm I have now removed the
from my code

I presume flash looks for the crossdomain.xml automically in the web root when it reaches the security issue?

Another possible issue I can think of is that I have stored the flash swf file in the following location

Why is this not working?

12-16-2007, 08:13 PM
Now I see the problem - you are using IIS, so you have to register FLV MIME Type into IIS.

1) Select the site to configure in IIS, right click and select "Properties"
2) Under HTTP Headers Tab, select "File Types" under the MIME Map section and select "New Type"
3) Type ".flv" as the associated extension and "video/x-flv" as the content type.
4) Select "OK" and you're ready to fly!

12-17-2007, 08:47 AM
Panel, I wish its were that simple, I implemented the change you suggested but this didn't solve the problem. Not sure how that would cause the issue. Running my flash in html still stops at the same line of code (accessing external files, whether that be an flv or a .txt)

As a side note when I try to run the swf file on its own by double clicking on the file, I get told

Adobe Flash Player has stopped a potentially unsafe operation
C:\Inetpub\wwwroot\flash\dynamic%20flash%20playbac k2.swf
is trying to communicate with this Internet-enabled location:
To Let this application communicate with the Internet, click Settings.
You must restart the application after changing your settings.

I have followed the change settings instructions but I still get this message every time. Here is the error message that accompanies it...

SecurityError: Error #2028: Local-with-filesystem SWF file file:///C|/Inetpub/wwwroot/flash/dynamic%20flash%20playback2.swf cannot access Internet URL
at flash.net::NetStream/play()
at fl.video::VideoPlayer/http://www.adobe.com/2007/flash/flvplayback/internal::_play()
at fl.video::VideoPlayer/http://www.adobe.com/2007/flash/flvplayback/internal::_setUpStream()
at fl.video::VideoPlayer/http://www.adobe.com/2007/flash/flvplayback/internal::_load()
at fl.video::VideoPlayer/load()
at fl.video::FLVPlayback/::doContentPathConnect()
at fl.video::FLVPlayback/set source()
at dynamicflashplayback2_fla::MainTimeline/onBtnSmallVidMouseClick()

This is driving me crazy now, I have followed the security instructions, cross domain, and the flv mime type in IIS.

Maybe someone could take my fla and see if it works from their machine?



12-17-2007, 11:27 AM
Also just to confirm

If my Development Machine (Machine 1), which I'm locally hosting my website on, is domain where I am launching my SWF from

and my Server (Machine 2) is where the flv files I would like to stream back are on another domain (remote)

am I putting the crossdomain.xml on Machine 1 or Machine 2. I originally thought it was Machine 1 but then I found this info on adobe live docs

"When a Flash document attempts to access data from another domain, Flash Player automatically attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible."


12-17-2007, 12:00 PM
I believe you should put crossdomain.xml file to domain where your flv files are, in your example that should be 'Machine 2'.

12-17-2007, 01:13 PM
I have done this, it is as though the crossdomain file isn't being loaded by flash, is there any way to check via the code that it has?

this is where my flvs are residing, and here is the link to my crossdomain file, can you see any issues with it?


12-17-2007, 01:41 PM
Try with following crossdomain.xml placed in your webserver root:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<allow-access-from domain="*" />

Btw, check this out regarding crossdomain.xml file, it might help:


Maybe the problem is that your crossdomain.xml is accessible only by using 5080 port, you can't access it by simply using following URL:

And i doubt flash will know that it has to use 5080 port to access crossdomain.xml, maybe it's trying to access it by using standard 80 port and that's why it fails?

12-17-2007, 07:14 PM
To see all HTTP requests use one of FireFox plugins - LiveHeaders or YSlow.
Also try to manually open crossdomain.xml (ut file path in browser) to see if it is accessable.

12-18-2007, 01:56 PM
thanks for the replies, the server has been set up correctly, the xml file can be viewed at the following link

I tried all of your suggestions and still no change. So I decided to host the webpage on the same machine as this video, thinking that there would be no security issues. However I'm still having the issue.

Here is the link to the page which contains the flash app, clicking on the green button once should load the video. And the text should say debug 5, however it just says Debug 4

Here is the actionscript code for the app, you can see where the code gets stuck.... Can't believe how difficult this is becoming

I have tried both absolute and relative paths...

import flash.events.MouseEvent;
import fl.video.*;
// Class that handles video events
import fl.video.VideoEvent;

var debug:TextField = new TextField();
var my_FLVPlybk = new FLVPlayback();
// A variable to track if the video has begun playback
var playbackBegun:Boolean = false;

var sObject:Object = new Object(); // create a new empty object

// A function to handle the video events sent by the listener

debug.text = "debug"
function videoHandler(evt:VideoEvent) {
// Detect state of theVideo
switch(evt.state) {
case "playing":
playbackBegun = true;
case "stopped":
// Only process if playback occurred
if(playbackBegun == true) {
// Reset the tracking variable
playbackBegun = false;
my_FLVPlybk = null;
// Optional handler for other playback states
debug.text = "debug1";
// Listen for "STATE_CHANGE" video events generated by theVideo
// and call the videoHandler function when they occur.
my_FLVPlybk.addEventListener(VideoEvent.STATE_CHAN GE, videoHandler);

debug.text = "debug2";
button_small_vid.addEventListener(MouseEvent.CLICK , onBtnSmallVidMouseClick);
function onBtnSmallVidMouseClick(event:MouseEvent):void{

debug.text = "debug4";
// loads the textfile from iiGym server containing video filename and video title
my_FLVPlybk.x = 100;
my_FLVPlybk.y = 100;
my_FLVPlybk.skin = "file:///C|/Program Files/Adobe/Adobe Flash CS3/en/Configuration/FLVPlayback Skins/ActionScript 3.0/SkinOverPlaySeekMute.swf"
my_FLVPlybk.source = "FOLDER/FILENAME";
debug.text = "debug5";

12-18-2007, 06:11 PM
I'm not totally sure what is going on, but maybe this site will help? I think I had a similar problem as yours before, and it fixed it for me. You go to this site and set up your local security options.:


Added: Oops, sorry I didn't see the next page. You already got the problem fixed.

12-18-2007, 10:42 PM
thanks, I tried changing those settings, I set them to always allow and I also added trusted locations, but I still get the same security error.

And no, unfortunately I still haven't resolved the problem....:o

12-19-2007, 12:41 PM
If I am running the website and the swf off my webserver and also storing my flv on the same machine, should I be using an absolute or relative path?

Here is the path to my web page
Here is the path to my swf file
C:\Inetpub\wwwroot\Flash\dynamic flash playback2.swf
Here is the path to my flv file
C:\Inetpub\wwwroot\Flash\iiGym Promos\i_gym_video_master_2_12_004.flv
The IP address is:

can anyone tell me what the source in my flash code should be?

Currently I have it set to the following relative path:
my_FLVPlybk.source = "iiGym Promos/i_gym_video_master_2_12_004.flv";
its works if I type the following into the server browser:
but doesn't work if I type localhost into the browser or connect over the internet via another machine to the ip address

Can anyone help me get this right once and for all??

Thank you

12-19-2007, 05:24 PM
Hi there,

Sorry to see you're still having problems. This line of code still concerns me:

my_FLVPlybk.skin = "file:///C|/Program Files/Adobe/Adobe Flash CS3/en/Configuration/FLVPlayback Skins/ActionScript 3.0/SkinOverPlaySeekMute.swf"

I've never had to set up the a web server where I've worked, but it seems to me that you should never be able to access this file from the web. And if you don't import it, you will probably have problems with your code.

Move your debug 5 code back one line and also have it print out the value for "my_FLVPlybck.skin". Let me know if you can see it and what it says.

12-19-2007, 11:45 PM
thanks Craig your a legend. Thats exactly what the problem was, can't believe I'd been stressing all along about the wrong line of code

I owe you a virtual beer! :)

12-20-2007, 12:26 AM
Good to know that solved it for you!

I usually like porters, btw. :)

08-19-2008, 05:59 AM
Did you make it work.. now am facing the same problem friend.. when i test movie it works great, but when embedded in html its not working, throws a flash security error. what should i do..