Security Error

• Overview
• SWF on Local Machine
• SWF on Server

Overview

Security Error happens when Flash Player tries to load data (SWF file(s), XML File(s) or Image(s)) that are not in Flash Player security sandbox. You can read more about sandbox on Adobe web site: Adobe Flash Player 9 Security White Paper.

With AnyChart Stock Flash Chart Component, there are two cases: AnyChart Stock SWF on local machine and AnyChart Stock on Web Server, please choose which case is yours and read below how to fix the issue.

SWF on Local Machine

If you are trying to launch AnyChart Stock or AnyChart Stock Samples on you local machine you should register folder with swf file in local trusted folders of Flash Player, you can read how to do that in: Installation Tutorial.

SWF on Server

If you are getting this error when launching AnyChart Stock on web server - you are, probably, trying to connect charts to data or image files that reside on another domain. To solve this issue you should either move data files to the same domain or use crossdomain.xml to allow AnyChart Stock SWF to load files from another domain.

Note: learn more about crossdomain.xml on Adobe web site: Cross-domain policy file specification

And here is a quick explanation how to make data on server accessible by SWF files from another server:

Cross-domain policy files

To make data from a web server available to SWF files from other domains, you can create a cross-domain policy file on your server. A cross-domain policy file is an XML file that provides a way for the server to indicate that its data and documents are available to SWF files served from certain domains or from all domains. Any SWF file that is served from a domain specified by the server's policy file is permitted to access data or assets from that server.

Cross-domain policy files affect access to a number of assets, including the following:

Policy file syntax

The following example shows a policy file that permits access to SWF files that originate from *.example.com, www.friendOfExample.com and 192.0.34.166:

<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <site-control permitted-cross-domain-policies="master-only"/> <allow-access-from domain="*.example.com"/> <allow-access-from domain="www.friendOfExample.com"/> <allow-access-from domain="192.0.34.166"/> </cross-domain-policy>

When a SWF file attempts to access data from another domain, Flash Player automatically attempts to load a policy file from that domain. If the domain of the SWF file that is attempting to access the data is included in the policy file, the data is automatically accessible.

By default, policy files must be named crossdomain.xml and must reside in the root directory of the server.

A policy file affects access only to the particular server on which it resides. For example, a policy file located at https://www.adobe.com:8080/crossdomain.xml will apply only to data- loading calls made to www.adobe.com over HTTPS at port 8080.

A cross-domain policy file contains a single <cross-domain-policy> tag, which in its turn contains zero or more <allow-access-from> tags. Each <allow-access-from> tag contains an attribute, domain, which specifies either an exact IP address, an exact domain, or a wildcard domain (any domain). Wildcard domains are indicated by either a single asterisk (*), which matches all domains and all IP addresses, or an asterisk followed by a suffix, which matches only those domains that end with the specified suffix. Suffixes must begin with a dot. However, wildcard domains with suffixes can match domains that consist of only the suffix without the leading dot. For example, foo.com is considered to be part of *.foo.com. Wildcards are not allowed in IP domain specifications.

If you specify an IP address, access is granted only to SWF files loaded from that IP address using IP syntax (for example, http://65.57.83.12/flashmovie.swf), not those loaded using domain-name syntax. Flash Player does not perform DNS resolution.

You can permit access to documents originating from any domain, as shown in the following example:

<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy>

Each <allow-access-from> tag also has the optional secure attribute, which defaults to true. You can set the attribute to false if your policy file is on an HTTPS server, and you want to allow SWF files on a non-HTTPS server to load data from the HTTPS server.

Setting the secure attribute to false could compromise the security offered by HTTPS. In particular, setting this attribute to false opens secure content to snooping and spoofing attacks. Adobe strongly recommends that you not set the secure attribute to false.

If data to be loaded is on a HTTPS server, but the SWF file loading it is on an HTTP server, Adobe recommends that you move the loading SWF file to an HTTPS server so that you can keep all copies of your secure data under the protection of HTTPS. However, if you decide that you must keep the loading SWF file on an HTTP server, add the secure="false" attribute to the <allow-access-from> tag, as shown in the following code:

<site-control permitted-cross-domain-policies="all"/> <allow-access-from domain="*" secure="false"/>

A policy file that contains no <allow-access-from> tags has the same effect as not having a policy on a server.