
What to do about network failures when loading crossdomain.xml policy file?

I monitor (and log to server) most user errors in our Flash game. Quite frequently I see security errors related to trying to make requests to a cross-domain URL (usually the Facebook Graph API). 99% of our players can make these Graph API calls with no issues.

What I think is going on is that the client makes a request, but fails to load the crossdomain.xml file. I don't quite know how AS3 handles this in the case of a failure to load the crossdomain policy file...will it retry for every URLRequest made until it succeeds in loading it, or does it just give up forever? What's the "best practice" in response to a security error like this?

I am pre-loading the Facebook policy files once, ahead of time, like this:

// allow images to be loaded from facebook and facebook's cdn's.
Security.loadPolicyFile( "http://www.facebook.com/crossdomain.xml" );
Security.loadPolicyFile( "https://api.facebook.com/crossdomain.xml" );
Security.loadPolicyFile( "https://graph.facebook.com/crossdomain.xml" );
Security.loadPolicyFile( "http://profile.ak.fbcdn.net/crossdomain.xml" );

Then I also have Flash check the policy file again when making the URLRequest.

Stu asked Sep 13 '11 08:09



1 Answer

Here is a solution that appears to work.

Assuming you are using a URLLoader to read data from one of the domains that has a crossdomain.xml file and you are calling loadPolicyFile to preload crossdomain.xml, there is a chance that the load will fail, either from network connectivity issues or from a server being down, or from solar flares. When you set up your URLLoader, you can add an event listener for SecurityErrorEvent.SECURITY_ERROR. In the event listener, you can try loading the policy file again. The policy files get cached though, even when they fail to load (thanks Adobe), so you'll have to add a cache-busting query parameter.

Here is a simple example of how this would work:

public function loadMyFriends():void {
  var urlLoader:URLLoader = new URLLoader();
  urlLoader.addEventListener(
    SecurityErrorEvent.SECURITY_ERROR, handleSecurityError);
  urlLoader.load(new URLRequest('https://graph.facebook.com/me/friends'));
}

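private function handleSecurityError(event:Event):void {
  // Append a random query parameter so the cached (failed) policy file
  // is bypassed, then retry the request.
  Security.loadPolicyFile(
    "https://graph.facebook.com/crossdomain.xml?__cb=" + Math.random());
  loadMyFriends();
}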

In practice, you would probably want to limit the number of retries and maybe do an exponential back-off if it really is a network connectivity issue and not just a dead server that isn't being properly handled by a load balancer.

pcardune answered Nov 15 '22 05:11
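
The retry limit and exponential back-off suggested in the answer above, as an added example that is not part of the original answer. The class name FriendsLoader, the limit of 4 retries, and the 500 ms base delay with jitter are assumptions chosen for illustration.

```actionscript
package {
  import flash.events.Event;
  import flash.events.SecurityErrorEvent;
  import flash.events.TimerEvent;
  import flash.net.URLLoader;
  import flash.net.URLRequest;
  import flash.system.Security;
  import flash.utils.Timer;

  // Hypothetical helper: retries the request after a security error,
  // reloading the policy file with a cache-busting parameter each time.
  public class FriendsLoader {
    private static const POLICY_URL:String = "https://graph.facebook.com/crossdomain.xml";
    private static const DATA_URL:String = "https://graph.facebook.com/me/friends";
    private static const MAX_RETRIES:int = 4;     // assumed limit
    private static const BASE_DELAY_MS:int = 500; // assumed base delay

    private var attempts:int = 0;
    private var retryTimer:Timer; // kept as a field so it stays referenced

    public function load():void {
      var loader:URLLoader = new URLLoader();
      loader.addEventListener(Event.COMPLETE, onComplete);
      loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);
      loader.load(new URLRequest(DATA_URL));
    }

    private function onComplete(event:Event):void {
      attempts = 0; // success: reset the back-off for the next call
      trace("loaded", URLLoader(event.target).data);
    }

    private function onSecurityError(event:SecurityErrorEvent):void {
      if (attempts >= MAX_RETRIES) {
        // Stop retrying and surface the error instead of looping forever.
        trace("giving up after", attempts, "retries:", event.text);
        return;
      }
      // Delays of 500 ms, 1 s, 2 s, 4 s, each plus up to 250 ms of jitter.
      var delay:Number = BASE_DELAY_MS * Math.pow(2, attempts) + Math.random() * 250;
      attempts++;
      retryTimer = new Timer(delay, 1);
      retryTimer.addEventListener(TimerEvent.TIMER_COMPLETE, onRetry);
      retryTimer.start();
    }

    private function onRetry(event:TimerEvent):void {
      // A new query string forces a fresh policy fetch instead of the cached failure.
      Security.loadPolicyFile(POLICY_URL + "?__cb=" + new Date().getTime() + "_" + attempts);
      load();
    }
  }
}
```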