Ted Patrick > { Events & Community } > Adobe Systems


Using Flash Player under HTTPS with Flex and Flash

I have been recently working with the core team at Cynergy Systems on debugging an HTTPS file upload solution for Flex 1.5. It seems that the Flash Player has a port identity crisis when run under HTTPS leading to all sorts of errors. Here is the solution...

It seems that the security model of the Flash Player is very fine-grained at the port level. When a SWF file runs under HTTPS, the player can get confused about which port is actually in use. In a sense, the sandbox of the HTTPS SWF file is not associated with the actual port that loaded the SWF, and thus data access is problematic. The player has a sort of identity crisis internally and cannot communicate with the domain/port that the SWF file was served from. The solution is to explicitly load a cross-domain security policy file when the SWF is loaded. The following code will fix the problem when running under HTTPS on port 443:

System.security.loadPolicyFile('https://flexdemos.cynergysystems.com/support/crossdomain.xml');

Note:

- View the contents of the crossdomain.xml file above denoting port 443's use.
- The policy file is not loaded by default; you must call loadPolicyFile in this case.

I have worked with Cynergy on 2 projects using HTTPS/Flex/WebServices and have used HTTPS with several other clients. All have reported strange data-related errors of a similar nature when using HTTPS. Considering this solved the File Upload issue, I believe that it should be standard policy to load a policy file when using HTTPS. This is a backward-compatible solution: it does not require a player update, as loadPolicyFile is supported in Flash Player 7 and higher.

If you have found strange behavior in working with Flash Player and HTTPS, use loadPolicyFile and kiss your issues goodbye.

Special thanks to Carson Hager, Jason Weiss, and Dave Wolf for debugging this important and business-critical issue. It really is an honor working with such a fantastic team at Cynergy. The Cynergy core team is a group of industry-leading developers from the core team who created Sybase PowerBuilder & EAP Server, and Microsoft BizTalk Server. They have been making rich applications long before the birth of the Flash Player and long before I started programming. I cannot wait to show the community the projects we are working on at Cynergy; the work is truly impressive.

HTTPS, Check!
FLEX, Check!
LoadPolicyFile, Check!
All systems a go, we are cleared for launch!

Cheers,

Ted ;)

12 Responses to “ Using Flash Player under HTTPS with Flex and Flash ”

  1. # Anonymous campbell

    Have to bookmark this one. Cheers for sharing the info :o). I bet it will be one of those things you hit your head against the wall about for ages then remember a post somewhere.  

  2. # Anonymous fullejo

    Can you post the xml file again? The link above isn't working correctly anymore :(  

  3. # Anonymous JabbyPanda

    Can you post cross-policy XML file again? We are hitting the similar problem, trying to make HTTPS working on the port 443.  

  4. # Anonymous Damon Smith

    I'd like to see that cross domain policy file too now.
    I'm having a similar problem, where upload works fine from IE over SSL (no policy file required), and works in firefox over non-SSL, but fails with an IOError (and no other info) with firefox over SSL.

    You mysteriously hint at specifying the port number in this posting, but I tried everything I could see was possible given the DTD, and nothing made it work with FF and SSL. Hence, I'd love to see what that policy file said, just in case it contains the magic fix for this painful problem.

    thanks,

    Damon Smith  

  5. # Anonymous Michael White

    how would you use this with coldfusion Flash Form upload? I have a modified version of ASFusion's code but it doesn't work with https  

  6. # Anonymous Anonymous

    The Cynergy URL no longer works. Can you include a working URL or the actual working crossdomain.xml file?  

  7. # Anonymous Anonymous

    We too have the same problem making firefox work with https uploads...
    We tried with a crossdomain file but it seems that the plugin cannot load it (and we cannot trap the error returned).
    Any clues ?  

  8. # Blogger danieltalsky

    I won't post the location of the file, but I found it with a little searching. This is the whole of the file:

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
    <allow-access-from domain="*"/>
    </cross-domain-policy>  

  9. # Blogger Seth Caldwell

    This post has been removed by the author.  

  10. # Blogger Seth Caldwell

    Actually, I believe it was supposed to be:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
    <allow-access-from domain="*" to-ports="*" secure="false" />
    </cross-domain-policy>

    however, that did not make ssl work for me under firefox =(  

  11. # Anonymous Fernanda Gomez

    Thanks for sharing  

  12. # Blogger CH

    Were you able to resolve the ssl issue with Firefox? I have the same issue.

    Thanks  
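
The policy files quoted in comments 8 and 10 trust every domain, and the second also sets secure="false", which lets a SWF loaded over plain HTTP read data from the HTTPS host. As an added example (not from the original post or its commenters), this Python check flags those settings in a crossdomain.xml body; both sample policies are constructed here, and app.example.com is a placeholder host.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive policy quoted in the comments above.
PERMISSIVE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" secure="false" />
</cross-domain-policy>"""

# Constructed sample: a scoped policy (app.example.com is a placeholder).
SCOPED = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="app.example.com" secure="true" />
</cross-domain-policy>"""


def audit_policy(xml_text, served_over_https=True):
    """Return (rule_id, message) findings for a crossdomain.xml body.

    Intended for auditing a policy file from a server you operate.
    """
    root = ET.fromstring(xml_text)  # the external DTD is not fetched
    if root.tag != "cross-domain-policy":
        return [("not-a-policy", "root element is <%s>" % root.tag)]
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("wildcard-domain",
                             "a SWF from any domain may read this host's responses"))
        elif domain.startswith("*."):
            findings.append(("wildcard-subdomain",
                             "every host under %s is trusted" % domain[2:]))
        # secure defaults to true; false admits SWFs that were loaded over HTTP.
        if served_over_https and rule.get("secure", "true").lower() == "false":
            findings.append(("insecure-downgrade",
                             "HTTP-loaded SWFs may read data from the HTTPS host"))
        if rule.get("to-ports") == "*":
            findings.append(("wildcard-ports",
                             "every port is granted where to-ports is honoured"))
    return findings


if __name__ == "__main__":
    for name, body in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(name, audit_policy(body) or "no findings")
```
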

© 2008 Ted On Flash