Can a SWF (using URLLoader) access HTTPS webservice?

Question

I have a fla (using ActionScript 3.0) I am compiling in Flash. I am using URLRequest and URLLoader to access a http webservice.

var loader:URLLoader = new URLLoader();     
var request:URLRequest = new URLRequest("http:test.webservice.com");    
try {
   loader.load(request);
} catch (error:Error) {
   trace("Unable to load requested document.");
}

This works fine - however if I try and access a https address I get

httpStatusHandler: [HTTPStatusEvent type="httpStatus" bubbles=false cancelable=false eventPhase=2 status=0]
ioErrorHandler: [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032: Stream Error. URL: https://test.webservice.com"]

How can I retrieve data from a https web service? Does the SWF have to be hosted on a SSL secured page?

Answer 1

If you install the flash debug player, you'll probably see the following in the log:

** Security Sandbox Violation ***
Connection to https://www.example.com/service/ halted - not permitted from http://www.example.com/your.swf

Error: Request for resource at https://www.example.com/service/ by requestor from http://www.example.com/your.swf is denied due to lack of policy file permissions.

By default a swf hosted in a http cannot access https --it's considered a different domain.

You'll need to set up the appropriate crossdomain.xml policy file, with care to verify the Content-Type is text/* or another whitelisted value. Additionally, you'll need a meta-policy file with "secure=false", which will allow https to be accessed from http.

  <allow-access-from domain="www.example.com" secure="false" />

Further reading:

Policy file changes in Flash Player 9 and Flash Player 10

Answer 2

Check the crossdomain policy in the actionscript documentation.
http://kb2.adobe.com/cps/142/tn_14213.html

A secure server that allows access to movies hosted via a non-secure protocol

It is not advisable to permit HTTP content to access HTTPS content. This practice can compromise the security offered by HTTPS.

However, there may be cases where legacy Flash content is allowed access to data of a HTTPS site. With Flash Player 7, this is no longer allowed by default. To permit access to HTTPS data by Flash movies served via HTTP, use the secure attribute in a "allow-access-from" tag and set it to false.

 <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">


        <cross-domain-policy>


        <allow-access-from domain="www.company.com" secure="false" />


        </cross-domain-policy> 

It is saved as crossdomain.xml and placed on the site root of the HTTPS server.