Security sandbox violation

[christianl]

Hi,

I'm having real trouble getting web-socket-js to connect to my WebSocket server.

I'm using em-websocket for the server. It is running at http://192.168.0.179:5000, with a web server (hosting WebSocketMain.swf) also running at http://192.168.0.179:3000.

When accessing the page locally (Mac OS X, any browser), everything is fine and web-socket-js works perfectly. However, when accessing the site from another machine in the network (Windows, both Chrome and IE9) I get the following log using the debug version of FP (tried both FP 10 and 11):

LOG: [WebSocket] debug enabled LOG: [WebSocket] policy file: xmlsocket://192.168.0.179:843 [WebSocket] cannot connect to Web Socket server at ws://192.168.0.179:5000/websockettest (SecurityError: Error #2048: Security sandbox violation: http://192.168.0.179:3000/assets/flash/WebSocketMain.swf cannot load data from 192.168.0.179:5000.) make sure the server is running and Flash socket policy file is correctly placed LOG: [WebSocket] closed

Now, I'm using tcpdump on the server and it doesn't even try to connect to 192.168.0.179:5000, nor does it try to connect to 192.168.0.179:843 even if I have a policy file server up and running (I've tried both having and not having a policy server at this port open; in either case, it doesn't work, however, when I access the page on the .179 machine it does connect to the policy server if it's running. If, however, I put the (as liberal as possible) policy file on the web server and direct web-socket-js to load it from there, it is loaded, but the problem still persists).

When switching to native websockets in Chrome, the site works fine on the other machine, so 192.168.0.179:5000 is definitely open. There is no firewall between the two machines and all ports are open.

web-socket-js configuration:

window.WEB_SOCKET_SWF_LOCATION = "/assets/flash/WebSocketMain.swf"; window.WEB_SOCKET_FORCE_FLASH = true; window.WEB_SOCKET_LOGGER = null; window.WEB_SOCKET_DEBUG = true; window.WEB_SOCKET_DISABLE_AUTO_INITIALIZATION = false; window.WEB_SOCKET_SUPPRESS_CROSS_DOMAIN_SWF_ERROR = false;

Does anyone know what might be the problem? Very happy for any hints, I'm desparate :)

[gimite]

Hmm I have no idea what's wrong. See "Troubleshooting" section of: https://github.com/gimite/web-socket-js/blob/master/README.md for general troubleshooting. A few things which may be worth trying:

• Write some script to connect to 192.168.0.179:843 from the the machine the browser is running, to check if it can load the policy file. Because your symptom sounds like the connection to port 843 is blocked by something (or only open to local host).
• Put your HTML file (which uses web-socket-js) and WebSocketMain.swf on the same domain, same port, HTTP (not HTTPS) if you haven't.
• Make sure the browser doesn't use any proxy. web-socket-js doesn't support proxies.
• Put your HTML file and WebSocketMain.swf on port 80 (though it should work on any port)

[christianl]

Hi again,

Thanks a lot for your reply. I tried everything with no luck, but eventually I found the problem:

On the Windows machine I was running, there is a mms.cfg file (global flash player config) which sets DisableSockets=1. This causes FlashPlayer to ignore all requests for policy files and security error #2048 occurs.

I'd like to detect this situation in order to give a warning to users. I'm not sure it's the right way but I will create a pull request so you can take a look.

PS - Thanks for web-socket-js, great work!

[gimite]

Oh I see. Good to know.