Shared publicly  - 
Flash security sandbox i HATE YOU :

Anyone knows if it's possible to serve a socket policy file from port 80 ?
Philippe Elsass's profile photozwetan kjukov's profile photoPatrick Le Clec'h's profile photo
What are you trying to do? Can't your socket server return the policy file like with other ports? Or are you trying to do http requests directly from flash?
+Philippe Elsass I have written some rest api with different http status + message that come with them.
On JS side with Ajax call no problem all work, so i wanted to reuse these api from flash and it was not possible to get the data back with the different http status, hmm...
Ok so let'use an httpClient to get the data back, boom another problem the need of a policy file on port 443 and i can't have more right on the customer server.
So what Adobe are thinking not using standard !! and why i will ever need a policy socket to discuss on port 80.
+zwetan kjukov Thanks But i have no access to port 843 and i have tested the loadPolicyFile from port 80 without luck (i even don't know if it can succeed as there is the webserver running on that port)
Well you left a lot details out so hard to help you...

Why do you need to access a REST API outside port 80 ?

From where are you initiating the request ?
Local SWF ?
Online SWF ? Same domain as the server ?


Did you try to debug with mm.cfg and see the security/policy logs ?

You say you decided to use an httpclient because you could not get the http status but did you try to use headers instead of status ?

Can you show the code of the client on pastebin or something ?

tons of stuff you don't say that could influence wether it can work or not
+zwetan kjukov Sorry to left out important details :

- All request are done on the same domain
- data receive are in JSON
- api reside in /api/xxx/yyy
- flash website reside in /site/...

For example API forget-email :
=> /api/site/forget-email/
so the API check the validity of the email and can send back status 401, 500, etc with a message that indicate what was the problem otherwise a 200 status OK is sent with a message.

So my first test was with URLLoader to query an API
=> status 200 all good i have my message
=> other status... how do i get my message back

So after research i have seen that it was not possible to get the data back for other http status.

I have found this as3 httpClient lib :

test code i used for the httpClient :
and tried to use it , but i had the xmlsocket server error because no policy file were found.

So i tried to load it manually Security.loadPolicyFile("xmlsocket://xxx
yyy:80") without luck because i don't even know if it's possible to serve the file from the HTTP stack.

So instead of reusing my APIs i have to write new one only for the flash client

(I have not yet tried to debug the policies)
Is that because of the port number that your socket server doesn't receive the <policy-file-request/> message from Flash to serve the policy file?
Could you server also serve on a higher port?
+Philippe Elsass Well I m trying to see if i can get the request from the http server on my TEST server but i doubt since it's not a http protocol that is used for the <policy-file-request/> .

But on PROD server I can't have nothing else than a standard webserver running on the standard port 80/443
ok now I understand the problem :)

yes for Flash forgot to get the correct HTTP status code, even if it was working (I heard it could) that would be not working with ALL the browsers or configurations.

so yeah using as3httpclient to be able to get those status is one way of doing
but then you need to be able to either open the port 843 or do other things on the server that need admin access

you could change the outpout of your REST API to compensate for the HTTP status problem


and server side instead of being fully REST, you could return a TEXT file, XML, or a JSON structure, whatever works for you so yoru Flash can read it

see few URLs tackling the problem

and from Adobe
Then it's no luck - you'll have to change your service responses to always return status 200...
well if you have access to port 443 then it's possible to "unlock" the socket

just have some socket policy server listening on 443
and force

by default, there is a check on port 843 no matter what,
but if no response then your Security.loadPolicyFile() call is used

don't try to handle that with a "normal" HTTP server like Apache,
because when receiving "<policy-file-request/>" Apache will see that as a malformed HTTP request

use perl, php, python, ruby, redtamarin ;)
anything that can just send the socket policy over a socket

and be sure to allow the access to the port 80 in the policy file
Thanks both of you.

+Philippe Elsass Yes i will end up using http 200 for flash client.

+zwetan kjukov I already have the possibility to return different data type from the APIs json/xml/csv/...

Next time my APIs will be more basic so i didn't loose time, Grr...

We should not be forced to use a policy file for an access to port 80
Add a comment...