Flash security bug # 2048: Is there a workaround or should Twilio change its metapolicy?
My Flash / Flex application has a problem. For several months, it could download files from Twilio, but now I am getting the following error:
(I had to remove the hyperlinks, so imagine that "ttp" is really "http". :)
SecurityErrorEvent type = "securityError" bubbles = false cancelable = false eventPhase = 2 text = "Error # 2048: Secure sandbox violation: ttp: //localhost/myapp.swf? V = 1 cannot load data from TTP:. // api .twilio.com / "
I enabled policy logging in my flash plugin and got the following messages:
OK: search policy files for data authorization download from resource to TTP: //api.twilio.com/ on request from TTP: //localhost/myapp.swf v = 1 Warning: [strict] policy file is requested from TTP: / /api.twilio.com/crossdomain.xml redirected TTPS: //api.twilio.com/crossdomain.xml; will use the final URL to determine the scope. Warning: The api.twilio.com domain does not set a meta policy. Apply the default meta-policy "Master-only. This configuration is deprecated. See TTP: //www.adobe.com/go/strict_policy_files to resolve this issue. OK: Policy file accepted: TTPS: //api.twilio.com/ crossdomain.xml Error: The resource request for TTP: //api.twilio.com on request from ttp: //localhost/myapp.swf? v = 1 is denied due to missing permission policy file.
So it seems to me that the problem is that Twilio does not specify a "metapolicy". Is there a way to get around this?
source to share
localhost
and twilio.com
are not in the same domain, so of course you will get a security error. Twilio needs to add this node to the crossdomain:
<site-control permitted-cross-domain-policies="all"/>
Also, make sure your attachment is par:
allowscriptaccess = "always"
allownetworking = "all"
If Twilio won't update the crossdomain.xml, you can set up a proxy on the server hosting your flex app and grab the data through your proxy.
source to share