The RPC Fault Security Error that wasn’t
In the first chapter of our upcoming book Professional Flex 3, I built a simple RSS reader in just a few lines of code to demonstrate how easy it is to build a Flex application. I expanded on this application in a few recent articles at Community MX, creating a mini RSS feed reader for all the book authors. All was well, until one of our tech editors Matthew Fabb, told me that the reader I built was producing a dreaded security error. Good catch Matt!
Here’s the original RSS reader code used in the book:
- <?xml version="1.0" encoding="utf-8"?>
- <mx:Application xmlns:mx="feed://http://www.adobe.com/2006/mxml"
- layout="absolute" creationComplete="RSSFeed.send();">
- <mx:HTTPService id="RSSFeed" url="feed://http//www.joeflash.ca/blog/feed/"/>
- <mx:List id="postTitles" labelField="title" left="20" right="20" top="20"
- dataProvider="{RSSFeed.lastResult.rss.channel.item}"/>
- <mx:TextArea htmlText="{postTitles.selectedItem.description}"
- left="20" right="20" top="190" height="200"/>
- <mx:Button label="Go to page" left="20" top="400"
- click="navigateToURL(new URLRequest(postTitles.selectedItem.link));" />
- </mx:Application>
I tried it locally, and no security error, of course. I loaded it onto my server, and I got the following error:
So I went back to the Community MX articles I’d written, and lo and behold, the security error occurred with those applications as well. Strange.
So I browsed a few Flash Player 9 and Flash Player 10 security articles, and updated my crossdomain.xml policy file. Still the same error.
So I dug. I checked a few security technotes, even placed crossdomain files in every subdirectory which may have an impact (even though I knew a policy file on the root of the server was sufficient). No dice.
So I created the most permissive crossdomain policy file I could build, which included all the required XML elements:
- <?xml version="1.0"?>
- <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
- <cross-domain-policy>
- <site-control permitted-cross-domain-policies="all" />
- <allow-access-from domain="*" secure="false" />
- <allow-http-request-headers-from domain="*" headers="*" secure="false" />
- </cross-domain-policy>
Still the security error. Okay, now it was serious pulling-out-of-hair time.
After a few deep breaths, and resisting the urge to throw large furniture, I did a walk around the block, and on my walk the solution came to me: maybe it was my feed URL?
I had appended all the feed URLs with “feed://” as I’d copied from my browser. So I deleted all these URL prefixes, so the feed read simply “http//www.joeflash.ca/blog/feed/”, and hot damn! It worked! In fact, after removing the policy file from the server as a test, and clearing the browser cache, I realized I didn’t even need the damn crossdomain file! Several hours later… sheeit. Major “DUH!” moment there… :)
So let my dumbass move be a lesson to you: don’t prefix your feed URL with “feed://” !!
Here’s the full RSS reader application, for anyone who’s interested:
- <?xml version="1.0" encoding="utf-8"?>
- <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute"
- pageTitle="Professional Flex 3 Team Blog Reader"
- creationComplete="RSSFeed.send()">
- <mx:Script>
- <![CDATA[
- import mx.managers.CursorManager;
- ]]>
- </mx:Script>
- <mx:ArrayCollection id="blogData">
- <mx:Object label="Joseph Balderson"
- data="http://www.joeflash.ca/blog/feed/"/>
- <mx:Object label="Peter Ent"
- data="http://weblogs.macromedia.com/pent/index.xml"/>
- <mx:Object label="Jun Heider"
- data="http://www.iheartair.com/?feed=rss2"/>
- <mx:Object label="Todd Prekaski"
- data="http://feeds.feedburner.com/SimplifiedChaos?format=xml"/>
- <mx:Object label="Tom Sugden"
- data="http://blogs.adobe.com/tomsugden/index.xml"/>
- <mx:Object label="Andrew Trice"
- data="http://www.cynergysystems.com/blogs/rss/andrewtrice"/>
- <mx:Object label="David Hassoun"
- data="http://david.realeyes.com/?feed=rss2"/>
- <mx:Object label="Joe Berkovitz"
- data="http://joeberkovitz.com/blog/feed/"/>
- </mx:ArrayCollection>
- <mx:HTTPService id="RSSFeed" url="{blogFeed.selectedItem.data}"
- invoke="CursorManager.setBusyCursor()"
- result="postTitles.selectedIndex=0;CursorManager.removeBusyCursor()"/>
- <mx:Panel id="reader" x="50" y="50" width="670" height="350"
- title="Professional Flex 3 Team Blog Reader" verticalGap="0">
- <mx:HBox width="100%" height="75%" top="0" horizontalGap="0">
- <mx:List id="blogFeed" width="150" top="0" bottom="0"
- dataProvider="{blogData}" selectedIndex="0"
- change="RSSFeed.send()" height="100%"/>
- <mx:List id="postTitles" labelField="title"
- top="0" bottom="0" left="{blogFeed.width}" right="0"
- height="100%" width="100%" selectedIndex="0"
- dataProvider="{RSSFeed.lastResult.rss.channel.item}"/>
- </mx:HBox>
- <mx:TextArea width="100%" height="25%" bottom="0"
- htmlText="{postTitles.selectedItem.description}" paddingTop="0"/>
- <mx:ControlBar>
- <mx:Canvas width="100%">
- <mx:Button label="Go to blog post" left="0"
- click="navigateToURL(new URLRequest(postTitles.selectedItem.link));" />
- <mx:LinkButton label="Buy The Book" right="0"
- click="navigateToURL(new URLRequest('http://tinyurl.com/profx3book'));" />
- </mx:Canvas>
- </mx:ControlBar>
- </mx:Panel>
- </mx:Application>
on October 20th, 2010 at 4:00 am
me too facing security error accessing url, even though i try to access data from same domain.
i tried cross domain policy file too, but its still throwing the same!
any idea to solve!
Thanks in advance!