(303) 819-3968

Fixing Flash Player and External API sandbox issues using PHP & AS3

When we created the mobile QR code creator for Scan Our Business, Inc we ran into some complications with Flash player’s security settings.  After looking around the web I didn’t find any good explanation on how to fix this except for one post tell me to basically bridge the api from my own server.  It was actually very easy to do once I figured out what needed to be done.  In this example I was working with the charts api, but it would work the same way on any external sites api that is missing a cross domain file.

This is the error code I was getting back from Flash, *** Security Sandbox Violation ***Connection to https://… halted – not permitted from http://…swfError: Request for resource at https://… by requestor from http://…swf is denied due to lack of policy file permissions.

I did not make sample files for you since this tutorial is very simple. You will need to create each of these files for your specific use.

The First file we will create is bridge.php This is a very simple file it just passes vars to the external api and echos the results back to flash.
echo file_get_contents('https://chart.googleapis.com/chart?chs=500x500&cht=qr&chl=http://your-domain/'.$_GET[external_url]);
echo "url not provided.";

Upload bridge.php to your web server. Instead of …googleapis.com you could use any api that returns results based on a url string. Notice we hardcode http://your-domain/upload-location/bridge.php so others can’t use the bridge for their site. You can test this file by passing the needed $_GET vars to it. Once you’re happy with the returned result of the bridge now we can start working with Flash.

In this example the bridge will return a image. Your use may be different so handling of the data may need to be done by loading a xml file or send and receive vars rather than the simple urlLoader we are using.

So we don’t get any errors we use a crossdomain.xml.
<?xml version="1.0"?>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="http://your-domain" />

<?xml version="1.0"?>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="https://your-domain" secure="true" />

Upload crossdomain.xml to your web server. Cross domain files tell flash player what flash can access on your server. Check Adobe’s documentation for more info on security policies and cross domain files.

Now we are ready to write some action script. Create both the .FLA and .AS file. On the FLA file it just point to our class “api_bridge.as” in the document properties tab. We only create the FLA for publishing the SWF file. Now you only need to edit 2 lines in this class to see everything working. Find the two lines that say your-domain and place your domain name in there. Use http or https for your specific requirements.
package {
import flash.display.*;
import flash.events.*;
import flash.net.*;
import flash.system.*;

public class api_bridge extends MovieClip {
private var imageLoader:Loader;
private var imageRequest:URLRequest;
private var bitmapData:BitmapData;
private var bm:Bitmap;

public function api_bridge() {
imageLoader = new Loader();
theURL = "your-domain/bridge.php?external_url="test";
var loaderContext:LoaderContext = new LoaderContext();
loaderContext.checkPolicyFile = true;
imageRequest = new URLRequest(theURL);
imageLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, onComplete);

private function onComplete(evt:Event):void {
bitmapData = new BitmapData(460, 460, true, 0x00000000);
bm = new Bitmap(bitmapData);
imageLoader.contentLoaderInfo.removeEventListener(Event.COMPLETE, onComplete);

This will return a image and add it to the stage. It’s that simple.

Hope you enjoy the tutorial.

Peak Studios at Google+