Question

This drives me crazy... I am trying to build a YouTube player with Flash, and every time I load a video there is a runtime security sandbox error. I already put crossdomain.xml in my root server http://mysite.com but I am still getting the errors. Am I missing something? Do I have to load it into my Flex project? Thanks for the reply.

My crossdomain.xml

<!-- <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
       <allow-access-from domain="*.youtube.com"/>
        <allow-access-from domain="s.ytimg.com"/>
    </cross-domain-policy> 
 -->

Edit: 20100811T0723; this is the actual XML from http://popslinger.org/crossdomain.xml

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

Solution

I get a lot of errors too, but they generally seem to be on YouTube's side.

Here's an example:

*** Security Sandbox Violation ***
SecurityDomain 'http://www.youtube.com/apiplayer?version=3' tried to access 
incompatible context 'http://s.ytimg.com/yt/swf/apiplayer3-vfl181412.swf'

As you can see, these are both YouTube domains.

So I had a look at YouTube's own crossdomain policy files. It turns out that those files need to be updated. Read the following: http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes_02.html#head1

Here is the policy file from s.ytimg.com

<cross-domain-policy> 
  <allow-access-from domain="*" /> 
</cross-domain-policy>

which throws the following warning

Warning: Domain s.ytimg.com does not specify a meta-policy. Applying default meta-policy 'master-only'. This configuration is deprecated. See http://www.adobe.com/go/strict_policy_files to fix this problem.

and here's what it should look like

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

Here's another warning:

Warning: Domain video-stats.video.google.com does not explicitly specify a meta-policy, but Content-Type of policy file http://video-stats.video.google.com/crossdomain.xml is 'text/x-cross-domain-policy'. Applying meta-policy 'by-content-type'.

It looks like YouTube should look into this; all these warnings and security error messages are pretty annoying.

Practically speaking, have a look at the errors. If your domain name doesn't appear anywhere, your crossdomain file is working fine.

OTHER TIPS

This is not how crossdomain files are designed to work. You having a crossdomain file on your server does absolutely nothing to allow Flash to retrieve data from YouTube. Also, are you retrieving the AS3 Chromeless Player such that you abide by the terms of service or are you URL scraping to ultimately retrieve the mp4/flv?

Page Not Found - 404 Error Page The page you are looking for (http://mysite.com/crossdomain.xml) is not here.

Make sure your web server is configured to dispense XML files. IIS does not, by default. Steps to enable it can be found here: http://dannythorpe.com/2008/03/16/serving-rss-on-iis/

If that's your actual XML file, it seems it's commented out.

Remove this:

<!--

and this:

-->

PS: Ok, the file can be loaded and has content. Maybe your problem is somewhere else?

What this file does is grant any SWF served from any youtube.com subdomain or the domain s.ytimg.com permission to load data from popslinger.org. This has a chance of working if your problems are caused by content served from YouTube trying to access data served from your domain. Is that the case?
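As an added example (not part of the original question or answers, and not YouTube's or Adobe's code), the Python script below audits the body of a crossdomain.xml for the conditions discussed on this page: a policy that sits entirely inside an XML comment, a missing site-control meta-policy, and wildcard allow-access-from rules. The function name, finding codes and sample strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
# Values accepted by <site-control permitted-cross-domain-policies="...">.
META_POLICIES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}

def audit_policy(text):
    """Return (code, detail) findings for the body of one crossdomain.xml."""
    if "<!ENTITY" in text:
        # A policy file has no use for entities; do not hand them to the parser.
        return [("entities", "entity declarations present, refusing to parse")]
    if not COMMENT.sub("", text).strip():
        return [("commented-out", "whole policy sits inside <!-- -->, no rule applies")]
    try:
        root = ET.fromstring(text.strip())
    except ET.ParseError as exc:
        return [("malformed", str(exc))]
    if root.tag != "cross-domain-policy":
        return [("wrong-root", root.tag)]
    findings = []
    site = root.find("site-control")
    meta = site.get("permitted-cross-domain-policies") if site is not None else None
    if meta is None:
        findings.append(("no-meta-policy", "Flash Player warns and falls back to a default"))
    elif meta not in META_POLICIES:
        findings.append(("bad-meta-policy", meta))
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("allow-any-domain", "SWFs from every origin may read this host"))
        elif domain.startswith("*."):
            findings.append(("allow-subdomains", domain))
    return findings

# Constructed samples, modelled on the policy files quoted on this page.
DTD = '<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">'
COMMENTED = ("<!-- " + DTD + '<cross-domain-policy>'
             '<allow-access-from domain="*.youtube.com"/></cross-domain-policy> -->')
NO_META = '<cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>'
WITH_META = ('<?xml version="1.0"?>' + DTD + '<cross-domain-policy>'
             '<site-control permitted-cross-domain-policies="master-only"/>'
             '<allow-access-from domain="*"/></cross-domain-policy>')

if __name__ == "__main__":
    for name, body in [("commented", COMMENTED), ("no meta", NO_META), ("with meta", WITH_META)]:
        print(name, audit_policy(body))
```

A clean meta-policy does not make `domain="*"` any narrower, which is why the third sample still reports `allow-any-domain`.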

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow