Hi guys,

I'm trying to set up the simple moo.flxhr demo on my machines and created a flxhrtest.php which is a copy of the Demo #7g

http://www.tarantl.com/js/flxhrtest.php (this is the same folder where the js, swf... files are.

The requests are trying to load
http://www.vodkadoctors.at/captFuture/textme.php

and the crossdomain.xml is here
http://www.vodkadoctors.at/captFuture/crossdomain.xml

... i always get a
Error: 15
Type: securityError
Description: A security sandbox error occured with the flXHR request.
Source Object Id: flXHR_1

... it is not a browser issue because it does not work on any browser

please help
Thanks a lot

Flash requires (at a minimum) that a root crossdomain.xml file be present. This means there must be a crossdomain.xml file exactly at the domain root of whatever remote server you are targetting.

That would mean you'd need to have:

http://www.vodkadoctors.at/crossdomain.xml

You can have other custom policy files in other locations (like the one you specify in your sub-directory) if you want, but you must at least have the root policy file.

i just copied crossdomain.xml to the serverroot
-> i still get the same error

cheers

Two things:

1. In *only* your root crossdomain.xml, you'll need to state whether or not you allow other policy locations... otherwise your subdir one will get ignored by default.

This is done with the clause:

<site-control permitted-cross-domain-policies=" ... " />

"all" will allow custom locations. the default is "master-only" which of course only allows that same root policy file. I'd recommend "all" if you are in control of the whole file system. If it's a shared system where you don't control all the content, then "master-only" is safer.

2. You don't have a headers clause:

<allow-http-request-headers-from domain=" ... " headers=" ... " />

The domain should probably match whatever domain you put in for the "allow-access-from" clause. "headers" is either "*" for all headers, or a comma separated list of the headers you want to allow. I'd highly recommend "*" unless there's a specific reason to lock this down more.

If you do lock it down to specific headers, remember that many Ajax frameworks (including I think mootools) try to send out certain request headers (like "Content-type" and "X-Requested-With", etc), which will cause a security error if you aren't specifically allowing all of them.

flXHR also sends out a "pragma:no-cache" header by default, to try and prevent caching. To turn off that specific behavior in flXHR, you have to set "noCacheHeader:false" in your flXHR instantiation configuration.

For instance, to accept all X-yyyyyyy type custom request headers, you could do this:

<allow-http-request-headers-from domain=" ... " headers="... , X-*" />

Thanks for your "hints". I tried several things now, but there is still the same issue.
Firebug shows me some script errors like:

- y.base_path is undefined
- y.checkplayer is undefined
- E.attachEvent is not a function
- E.detachEvent is not a function

Is it correct that
<allow-access-from domain="*" headers="*" /> should allow everybody to get the content from the website? If yes, then maybe someone could try to access
http://www.vodkadoctors.at/captFuture/textme.php on my server to get a response.

Thanks in advance

Your root policy file looks like this:



It should be more like this: