Flash 9 Policy Files, or “How I Got Rid of That Damn Error #2048!”

I ran into a very interesting Flash issue. I had a Flash form that was being hosted on Server A. It was submitting data to a PHP file on Server B, then receiving the results from that PHP file (whether the form was processed correctly). Server B had a crossdomain xml file set up, and I had my security permissions properly set up, but I kept getting a security error (Error #2048) no matter what I did. Needless to say, this was making me want to play with large-calibur weapons.

The solution lay in this well-hidden article on Adobe’s site. In essence, the article states that they’ve made Flash’s security settings even more strict, and that means that in some situations, you need to change things around in order to make sure that Flash will accept your policy file. I set my computer up with Flash 9 debugger version, set it up to log policy errors, and then looked at my policy file log which revealed the problem: Server B was returning the crossdomain xml file as Content-Type “application/x-httpd-php5-source”. With Flash 9′s newer, stricter settings, Flash 9 will only accept policy files of the following content-types:

  1. text/* (any text type)
  2. application/xml or application/xhtml+xml

As soon as we changed the crossdomain’s content-type, the Error #2048 went away and the form processed correctly!

So the upshot is that if you’re getting Error #2048 notices and you can’t get them to go away no matter what you try, follow the steps outlined on this page at Adobe. Once you’ve set your computer up to debug and log your policy files, you’ll be able to check and see if a policy file content-type problem is causing your troubles.







16 Responses to “Flash 9 Policy Files, or “How I Got Rid of That Damn Error #2048!””

Thank you very much

I have not slept for several nights to solve this problem!

anvi added these pithy words on Sep 28 08 at 4:46 pm

Awesome — glad I could help!

Eric Oliver added these pithy words on Sep 28 08 at 5:58 pm

I ran into the same problem with missing Content-Type, I tried to change that for crossdomain using htaccess as follows:

ForceType application/xml

with no luck, I even used loadPolicyFile(“http://”+host+”:”+port+”/crossdomain.php”) where that php file returns the actual crossdomain with modified content-type as follows:

after all, I’m still having the same error in policyfiles.txt:
Error: [strict] Ignoring policy file at http://host:port/crossdomain.php due to missing Content-Type.

can you please help and tell me how did you changed the crossdomain’s content-type ?

your article is extremely helpful anyways ..

xVisage added these pithy words on Nov 30 08 at 7:37 am

fix @ the above comment:

loadPolicyFile(”http://”+host+”:”+port+”/crossdomain.php”) where that php file returns the actual crossdomain with modified content-type as follows:
header(‘Content-Type: application/xml’);
readfile(‘crossdomain.xml’);

xVisage added these pithy words on Nov 30 08 at 7:40 am

@xVisage — Thanks very much for posting your fix! The server I was working with was ASP so it’s great to have the PHP solution.

Eric Oliver added these pithy words on Nov 30 08 at 11:34 am

I have this problem on a game on website: http://www.the-west.net/index.php.

The error looks as follows:
Flash reported an error: “Security error: Error #2048: Security sandbox violation: http://en7.the-west.net/flash/battle/fortbattle.swf?1259785987930 cannot load data from en7w1.tw.innogames.net:1582.

I can’t find the location of the crossdomain file on my computer and I also don’t understand where should I run the java commands which is written in this page. when I write this commands in the browser, it turn to google.

Tal Mazor added these pithy words on Dec 02 09 at 2:31 pm

@Tal

Hey there! It sounds like there are a couple points which you’re confused on here. First, I’m not sure what java commands you’re talking about — if you’re talking about the instructions on Adobe’s site to set up a policy file log, then you’re really only editing text files (so you shouldn’t be entering anything into a browser). Maybe if you tell me exactly what step you’re having trouble with, I can help more.

However, that may be moot, since if I look at the error you posted, it looks like you’re trying to load data from the domain “innogames.net” into a SWF that’s running on the domain “the-west.net”. If that’s the case, then the crossdomain policy file needs to be on the server innogames.net, not on your computer. You’ll have to contact whoever controls that domain and make sure they put the crossdomain policy file up there.

Eric Oliver added these pithy words on Dec 02 09 at 4:29 pm

If the cross domain file looks like the following, where/how whould you add the content type?

Carlo added these pithy words on Jun 21 10 at 1:15 pm

@Carlo – Sorry, the example didn’t come through — can you try copying & pasting again?

Eric Oliver added these pithy words on Jun 21 10 at 1:34 pm

I pasted again below, let me know if it doesn’t go through again and I can email it to you:

Carlo added these pithy words on Jun 21 10 at 2:37 pm

@Carlo

Yeah, unfortunately this theme is a little old and doesn’t support code in comments. Guess I need to get off my ass and upgrade my side :)

You can go ahead and email it to me, but I realized something looking at your comment: You do not add the content type to the crossdomain file itself. Instead, this is a setting that is configured on the server level. In essence, you need to set a MIME type for the crossdomain file. Here’s a good article on configuring MIME types from Mozilla: https://developer.mozilla.org/en/properly_configuring_server_mime_types

Eric Oliver added these pithy words on Jun 21 10 at 3:52 pm

Thanks anyway, we checked with Firebug and sure enough the content-type was text/xml.

The issue turned out to be that while server A is an http(non-SSL) server, server B is https.
When we deployed the app on an https site the error disappeared.

Carlo added these pithy words on Jun 22 10 at 1:53 pm

Good to know that that’s another issue to take into consideration — thx!

Eric Oliver added these pithy words on Jun 22 10 at 9:51 pm

do not forget to clear your browsers caches after you make changes from your crossdomain.xml…

omg it took almost 3 hours and lots of hairs from my head to realize that browser (and flash) still uses the old crossdomain.xml

***k! lol

tolga added these pithy words on Aug 12 11 at 1:42 pm

Don’t you just love caching?!? :P

Eric Oliver added these pithy words on Aug 12 11 at 1:44 pm

Finally fixed this after a full day’s work. Turns out it wasn’t the content-type for me but the host name doing a 301 redirect (getting rid of the www in the address).

http://www.adobe.com/devnet/flashplayer/articles/fplayer9-10_security.html

A lot of those problems seem to cause #2048 as well as content-type.

ThatSnail added these pithy words on Sep 29 11 at 5:04 pm

Leave a Reply