daogr / facebook-actionscript-api

Automatically exported from code.google.com/p/facebook-actionscript-api

Security Sandbox Error when calling Facebook API after loading in as an external swf #317

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Load index.html from domainA.com
2. index.html loads myswf.swf from domainB.com
3. myswf.swf loads facebook.swf (e.g. the facebook actionscript api) from domainB.com
4. myswf.swf calls Facebook.init
5. Security Sandbox Violation: SecurityDomain 'http://domainA.com/index.html' tried to access incompatible context  'http://domainB.com/myswf.swf'

The problem here is that the Facebook API swf needs to explicitly allow 
domainA. It doesn't matter if you're calling Security.allowDomain("domainA.com") 
from myswf.swf; the call needs to be made from the Facebook API swf which has 
been loaded in. Otherwise, when the Facebook JS callback comes back, it throws 
the security error.

I fixed this issue by adding the following to the Facebook class:

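// Requires: import flash.system.Security;
public static function allowDomains(domains:Array):void {
    // Security.allowDomain takes a rest-parameter list (... domains), so
    // spread the array instead of passing it as a single argument.
    Security.allowDomain.apply(null, domains);
}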

Then just call Facebook.allowDomains(["domainA.com", "domainB.com"...]) before 
attempting any API calls.

Original issue reported on code.google.com by paul.gam...@gmail.com on 17 Jun 2011 at 12:03
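
A stricter variant of the local fix described in the post above, as an added example that is not part of the original post or the project's code: the grant is still issued from code compiled into the loaded library SWF, but only for explicit hostnames, so a caller cannot pass the "*" wildcard and open the SWF to every domain. The class name SandboxAllowList and the helper filterHosts are hypothetical.

```actionscript
package {
    import flash.system.Security;

    // Hypothetical helper, compiled into the library SWF that is loaded
    // at run time (facebook.swf in the report), so that the grant is made
    // from that SWF's own code rather than from the SWF that loaded it.
    public class SandboxAllowList {

        // Plain hostnames only: dot-separated labels, no scheme, no port,
        // no path and no "*" wildcard.
        private static const HOST:RegExp =
            /^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/i;

        // Returns the entries that are acceptable hostnames, without
        // duplicates. Non-strings, empty strings and "*" are dropped.
        public static function filterHosts(domains:Array):Array {
            var accepted:Array = [];
            for each (var d:* in domains) {
                if (d is String && HOST.test(d as String)
                        && accepted.indexOf(d) == -1) {
                    accepted.push(d);
                }
            }
            return accepted;
        }

        // Grants cross-scripting access to the accepted hosts and returns
        // them, so the caller can log or compare against what it asked for.
        public static function allowDomains(domains:Array):Array {
            var accepted:Array = filterHosts(domains);
            if (accepted.length > 0) {
                // allowDomain takes a rest-parameter list, so spread the array.
                Security.allowDomain.apply(null, accepted);
            }
            return accepted;
        }
    }
}
```

With the domains from the report, SandboxAllowList.allowDomains(["domainA.com", "domainB.com", "*"]) grants access to domainA.com and domainB.com and returns only those two entries.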

GoogleCodeExporter commented 9 years ago
Note: by 'fixed' I mean locally; I am not a contributor to the project.

Original comment by paul.gam...@gmail.com on 17 Jun 2011 at 1:48

GoogleCodeExporter commented 9 years ago
Adding an extra method to the Facebook class that just maps your domains to the 
Security.allowDomain method seems redundant. It's also not really a problem 
with the Facebook Graph API in itself but rather just cross domain issues. 
Marking as WontFix.

Original comment by rovertn...@gmail.com on 20 Jun 2011 at 3:33

GoogleCodeExporter commented 9 years ago
Recommend you test the scenario I mentioned. It is indeed not a problem 
specific to the Facebook API, just any externally loaded SWF with crossdomain 
callbacks, and if you compile the API into your swf rather than load it in it 
wouldn't be an issue. But I would expect that this kind of crossdomain setup is 
pretty common, especially when using a CDN as we are, and as the API is 
unusable in this situation without it, it seems worth adding. At least those 
having this problem should be able to find this post.

Original comment by paul.gam...@gmail.com on 20 Jun 2011 at 3:46