Apache Flex / FLEX-26675

allowDomain() and allowInsecureDomain() do not allow domain on RSLs loaded by modules or sub-applications


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • Adobe Flex SDK Previous
    • None
    • None
    • Affected OS(s): Windows
      Affected OS(s): Windows XP
      Language Found: English

    Description

      Steps to reproduce:
      1. Import the attached Flash Builder projects.
      2. Change output folder to point to a local webserver. (May have to update the port in the attached testcase)
      3. Map localhost1 to 127.0.0.1 or update test files to use 127.0.0.1 instead of localhost1
      4. Run the AllowDomainBug.
      5. Click the "Load App1" Button to load a trusted sub-application. The sub-application loads an RSL, MyUtils.swf, into the main application's application domain.
      6. Click the "Load UntrustedApp" Button. This loads an untrusted application. The main application has called systemManager.allowDomain("localhost1") to trust the domain of the untrusted application. allowDomain() is a function on IFlexModuleFactory that impacts the systemManager's swf and all the loaded RSLs. This is done before MyUtils.swf is loaded, so MyUtils.swf does not allow "localhost1".
      7. Click the "run test" button in the untrusted app.

      Actual Results:

      SecurityError: Error #2047: Security sandbox violation: parent: http://localhost1:8700/flex/AllowDomainBug/UntrustedApp.swf cannot access http://localhost:8700/flex/AllowDomainBug/AllowDomainBug.swf/[[DYNAMIC]]/4.
      	at flash.display::DisplayObject/get parent()
      	at UntrustedApp/getParents1()[C:\ws\wshero2\AllowDomainBug\src\UntrustedApp.mxml:33]
      	at UntrustedApp/___UntrustedApp_Button1_click()[C:\ws\wshero2\AllowDomainBug\src\UntrustedApp.mxml:46]

      Expected Results:

      When MyUtils.swf is loaded into the main application, it will allow the same domains as have been allowed by previous calls to IFlexModuleFactory.allowDomain(). The RSL will allow the "localhost1" domain, the same as all the other RSLs loaded by the main application. The untrusted application will be able to access MyUtils.swf and there will be no exception.

      Workaround (if any):

      Listen for the RSLEvent.RSL_ADD_PRELOADED event and call Security.allowDomain() on the newly loaded RSL. Press the "trust new RSLs" button in the main application before loading "App1" and there will be no security violation when clicking the "run test" button in step #5.

          People

            adobejira Adobe JIRA