Flex error : #2049 Security sandbox violation

I was having a problem today with a Flex app that uploads images using a ColdFusion file. The situation was that web users could hit this website using two separate domains (i.e. - myCoolSite.com vs. myKoolSite.com).

The application file had a variable that would specify the domain name, and I would build the ActionUrl for the Flex app using this domain name. The Flex application would bomb (only in IE for some reason) when the action page URL was not the same domain as the one they came in on (which the Flash SWF URL was at). Keep in mind that it's the exact same site on the server.

The Flex error was #2049 Security sandbox violation: _ cannot upload data to.... This states the URL is bad. Not so. The app was just having problems using the URL on a different domain. So, I changed the code that builds the ActionUrl based on the current domain, and voila! Problem solved.

Simple code to create ActionUrl is below:

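<!--- Use the same scheme the request came in on --->
<cfif cgi.https IS "on">
   <cfset httpValue="https://">
<cfelse>
   <cfset httpValue="http://">
</cfif>
<!--- cgi.HTTP_HOST is the Host header of the current request, so the upload URL matches the domain the SWF was loaded from --->
<cfset uploadActionStringUrl = "#httpValue##cgi.HTTP_HOST#/myFileContainingCFFILE.cfm">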

Happy Turkey Day everyone! Be safe.

Comments
David,

This is a very interesting way to handle the situation.
I've also seen a similar technique used when the application owners want certain kinds of traffic to load through a specific domain so the website analytics will refer to only 1 website, rather than what would seem to be two different websites to the analytics engine.

The same goes for a website that wanted to strengthen its page rank.

Should you want to get around the security problem in Flash, you can also use a crossdomain.xml file. As you probably know, promiscuous crossdomain.xml files can lead to application insecurities. I've written an article showing how to protect a subdirectory. You can find the article here: http://ria.dzone.com/blogs/dan/2008/01/24/how-i-en...

DW
# Posted By Dan Wilson | 1/27/08 11:17 AM
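
The comment above warns about promiscuous crossdomain.xml files. As an added example (not code from the original post or from the linked article), this Python script audits a policy file for wildcard grants and other overly broad settings. The two sample policies are constructed for illustration and use the post's two example host names; `audit_policy` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from the original post). The host names are
# the two example domains the post mentions.
PROMISCUOUS = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.myCoolSite.com" secure="false"/>
</cross-domain-policy>"""

RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="myCoolSite.com"/>
  <allow-access-from domain="myKoolSite.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text, expected_hosts):
    """Return a list of findings for one crossdomain.xml document."""
    findings = []
    expected = {h.lower() for h in expected_hosts}
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for el in root.iter():
        if el.tag == "site-control":
            if el.get("permitted-cross-domain-policies", "").lower() == "all":
                findings.append("site-control permits policy files anywhere on the host")
        elif el.tag in ("allow-access-from", "allow-http-request-headers-from"):
            domain = el.get("domain", "").lower()
            if domain == "*":
                findings.append(f"{el.tag}: wildcard grants access to every domain")
            elif "*" in domain:
                findings.append(f"{el.tag}: wildcard pattern {domain}")
            elif domain not in expected:
                findings.append(f"{el.tag}: unexpected domain {domain}")
            if el.get("secure", "true").lower() == "false":
                findings.append(f"{el.tag}: secure=false lets HTTP content read HTTPS data ({domain})")
    return findings


if __name__ == "__main__":
    hosts = ["myCoolSite.com", "myKoolSite.com"]
    for name, doc in (("promiscuous", PROMISCUOUS), ("restricted", RESTRICTED)):
        print(name, audit_policy(doc, hosts) or "no findings")
```
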