Why is Flash demanding a crossdomain.xml file when the .swf and http target are both on localhost?

Question

I've got a small client/server test application where I have a Flex app that makes an HTTP request of a server app. The server app is a script running on my local machine, listening on port 8001. The client is a swf that I am running locally, and uses mx.rpc.http.HTTPService to make the page request.

The HTTPService is being set up as per below:

_HttpService = new HTTPService();
_HttpService.url = "http://localhost:8001";
_HttpService.contentType = "text/xml";

When I make a basic page request, my server app is first receiving a "GET /crossdomain.xml HTTP/1.1" request, which is failing since I don't have a crossdomain.xml file in place. The reason I don't have one in place is because this is all happening on my local machine (for now) and I shouldn't need one (I don't think).

I definitely had this code working before without a crossdomain.xml when I was using Flex 3.x. I thought I had it working with Flex 4 as well. Now I'm using Flex 4.5. Is there an issue here, possibly due to security policy changes?

With all of this happening on localhost, why is the Flash player requesting a crossdomain.xml file?

In case it helps, the specific fault my AsyncResponder is getting back is:

[FaultEvent fault=[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"] messageId="F43DCBFF-E99A-99CC-57D8-535C13C7CD48" type="fault" bubbles=false cancelable=true eventPhase=2]

Answer 1

It may be that although you have the same host and protocol between the client page and server, the different port causes Flash to fail the same-origin test and request the crossdomain.xml to see what it's allowed to do. I'm assuming the page hosting your Flash content is running on port 80? If that's the case, check out Wikipedia's article on the same origin policy (http://en.wikipedia.org/wiki/Same_origin_policy) for the details.

The crossdomain.xml doesn't seem to be too cumbersome for local testing and is pretty well documented on help.adobe.com. You can create a crossdomain.xml in the root of your website like this, which will allow all access:

<?xml version="1.0"?> 
<!-- http://localhost/site/crossdomain.xml --> 
<cross-domain-policy> 
    <site-control permitted-cross-domain-policies="all"/> 
    <allow-access-from domain="*" to-ports="*"/> 
</cross-domain-policy>

I wouldn't use the above for anything other than local development as you're basically allowing any domain to request content.

Hope this helps!

Answer 2

Using the policyfile.txt I figured out that the policy file was denied because there was no Content-Type specified by the server. This explains why it was impossible to find anything blogged about it.

Hope this helps someone.

In Flex 4.5 Mac /Users/[YOUR_USER_NAME]/Library/Preferences/Macromedia/Flash Player/Logs>tail -f policyfiles.txt