Security Sandbox Violation, can't connect to S

Posted 2019-02-18 10:07

Question:

Before I start I should state I have read it all, I was following this, this and this (and more...) and still I cannot connect to our running server via Socket over the internet.

Here is what I try to do in AS3:

        var host :String = "192.168.2.11";
        Security.allowDomain(host);
        Security.allowInsecureDomain(host);
        Security.loadPolicyFile("xmlsocket://" + host + ":" +  "843");

        // TTS server socket
        _socket = new Socket();
        _socket.addEventListener(Event.CLOSE, handleClose);
        _socket.addEventListener(IOErrorEvent.IO_ERROR, handleError);
        _socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, handleSecError);
        _socket.addEventListener(ProgressEvent.SOCKET_DATA, handleIncomingData);
        _socket.addEventListener(Event.CONNECT, handleConnect);
        _socket.connect(host, 1337);

As you can see, the host is a local address, but that shouldn't matter as long as I am in this local network. And I am, since this does work from my IDE (FD4). Also, the swf is on the same server as the application it tries to connect to, but on another port.

The policy file the server sends (we have tried both from port 843 and 1337) is the following:

        <?xml version="1.0"?>
        <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
        <cross-domain-policy>
            <allow-access-from domain="*" to-ports="*" />
        </cross-domain-policy>

We can see from the log output of the server that this is really sent to the connecting socket. A null byte is of course sent after the xml data. And after that, the server closes the connection. However, it seems that Flash somehow does not like it, as "Error #2048" still appears after ~3 seconds.

We're really out of ideas here...

Answer 1:

We managed to get it to work by including another tag:

        <site-control permitted-cross-domain-policies="master-only"/>

It seems that this tag is necessary in order to get it to work. We could not get it to work without that tag, no matter which port we tried.

So the complete xml now looks like this in our case (it is of course easy to modify to fit any case):

        <?xml version="1.0"?>
        <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
        <cross-domain-policy>
           <site-control permitted-cross-domain-policies="master-only"/>
           <allow-access-from domain="*" to-ports="*"/>
        </cross-domain-policy>

It really is a shame that this line is not included in Adobe's own example (!!). I mean, it IS included in the example files, but not in the article. I don't want to know how many people were stuck at this stage because of that...
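The exchange described in this thread, as an added example that is not part of the original posts: a minimal socket policy responder that answers Flash Player's NUL-terminated `<policy-file-request/>` with a NUL-terminated policy and then closes, and that scopes `allow-access-from` to one origin and one port instead of `*`. Python is an assumption (the thread does not say what the server is written in), and the function names, and the choice of `192.168.2.11` as the SWF's origin with port `1337`, are constructed from the values in the question.

```python
import socket
from xml.sax.saxutils import quoteattr

POLICY_REQUEST = b"<policy-file-request/>\x00"  # sent by Flash Player, NUL-terminated

def build_policy(domains, ports):
    """Return a NUL-terminated socket policy limited to the given domains and ports."""
    port_list = ",".join(str(p) for p in ports)
    rules = "".join(
        "   <allow-access-from domain=%s to-ports=%s/>\n"
        % (quoteattr(d), quoteattr(port_list))
        for d in domains
    )
    xml = (
        '<?xml version="1.0"?>\n'
        "<cross-domain-policy>\n"
        '   <site-control permitted-cross-domain-policies="master-only"/>\n'
        + rules
        + "</cross-domain-policy>\n"
    )
    return xml.encode("utf-8") + b"\x00"

def serve_one(conn, policy, timeout=3.0):
    """Answer one connection: reply only to an exact policy request, then close."""
    conn.settimeout(timeout)
    buf = b""
    try:
        # Stop at the NUL terminator or once more bytes than a valid request arrived.
        while b"\x00" not in buf and len(buf) < len(POLICY_REQUEST):
            chunk = conn.recv(64)
            if not chunk:
                break
            buf += chunk
        ok = buf == POLICY_REQUEST
        if ok:
            conn.sendall(policy)
        return ok
    except socket.timeout:
        return False
    finally:
        conn.close()

if __name__ == "__main__":
    # Assumed values taken from the question; binding port 843 needs root on Unix.
    policy = build_policy(["192.168.2.11"], [1337])
    with socket.create_server(("0.0.0.0", 843)) as srv:
        while True:
            serve_one(srv.accept()[0], policy)
```
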