Flex In a PDF, Policy Files and RemoteObjects

I have started experimenting with delivering SWFs via PDF and have been beating my head against handling the crossdomain.xml policy file. The various permutations to my code have consistently pointed in one direction: one cannot use a non-default location for the policy file when accessing resources via an AMF-Channel. (this only applies to release builds; the security context of debugging is different, so you won't run into this problem there)

This may be a duh-moment for some as it does reveal my ignorance of the whole setup of the <RemoteObject> object. Specifically, is it a socket connection? This question is worth asking as:

In addition, in order to authorize socket connections, an HTTP policy file must come only from the default location of the cross-domain policy file, and not from any other HTTP location. - From the Adobe Livedocs, Overview of permission controls

The goal was to minimize the permissiveness of the web site by only allowing a sub-folder hierarchy to give access to everyone. The policy document for that looks like this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>

So, my plan was to put that document in the sub-folder. In the root, I wanted to have the freedom to be more restrictive:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*.shortfusion.com"/>
<allow-http-request-headers-from domain="*" headers="SOAPAction"/>

So, in this case, I am limiting access only to sub-domains of Shortfusion.com, but the <site-control permitted-cross-domain-policies="all"/> tag with the permitted-cross-domain-policies set to all should have clued flash player (version 10 in my testing) that it's ok to use the sub-policy file.

In my application, I finally wound up testing a scenario where I tried to load the non-default policy file in three different locations: in-line, on creationComplete, and preceding any call to the remote object.

<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"

<mx:RemoteObject id="myRO" destination="ColdFusion" source="supporting.pdftest.cfcs.test" showBusyCursor="true" >
<mx:method name="square" result="doGetSquare(event)" fault="Alert.show(event.fault.message);" />
import mx.rpc.soap.LoadEvent;    
import mx.rpc.events.ResultEvent;
import mx.controls.Alert;
import mx.utils.ObjectUtil;


public function getSquare():void {

private function doGetSquare(e:ResultEvent):void {

public function setup():void {


<mx:NumericStepper id="inputNumber" value="1" minimum="0" maximum="1000" left="10" top="10"/>
<mx:Button label="Get Square" click="getSquare()" left="100" top="10"/>

error: send failed, 2048 No matter when I attempted to load the policy file, the results were always the same: faultCode:Client.Error.MessageSend
faultString:'Send Failed'
faultDetail:'Channel.Security.Error error Error #2048 url:

So, I will try to investigate this further, but the present conclusion I have drawn is that <RemoteObject> calls on different domains require a permissive policy file located in the default location, i.e., in the root of the domain.

In the end, for my blog site, I really don't care if my crossdomain.xml policy file is loose. However, I can see where this might be a problem in other environments. Everything seems to work fine now that the default policy file has been updated.

One last thought worth mentioning, in the case of delivering swfs via pdf. When you view the pdf from a web site, that is, when you click a link to the document and acrobat launches in the context of the browser, all of the above is moot. In that case, the player in acrobat knows it came from the same domain as the target service, assuming that this the case, and doesn't bother looking for the policy file. The problem comes when the file is saved and then re-opened locally or was distributed in some other way right from the beginning. In those cases, the flash player in acrobat has no connection to the remote server and starts looking for policy files to know what is allowed.

Happy happy joy joy.

Comments (Comment Moderation is enabled. Your comment will not appear until approved.)
BlogCFC was created by Raymond Camden. This blog is running version Contact Blog Owner