
Cross Domain Policy Issues with Flash loading remote data from Amazon S3 cloud storage

Tuesday, May 01, 2012 by Sean P

Status: Solved.

Bug / Issue:

When Flash is loading images or certain other data from Amazon S3 (Cloud Storage), cross domain policy errors prevent the images from loading.

Even when you force-load an open policy file from the Amazon bucket you are loading from, you may get an error like this, where Amazon's cross domain policy overrides your own:

"Warning: Domain s3.amazonaws.com does not specify a meta-policy. Applying default meta-policy 'master-only'. This configuration is deprecated. See http://www.adobe.com/go/strict_policy_files to fix this problem.
Error: Ignoring policy file at http://s3.amazonaws.com/{my_bucket}/crossdomain.xml due to meta-policy 'master-only'."

In the end, no images or similar data will load cross domain from Amazon S3 Cloud Storage because of these policy issues.

Fix / Workaround:

1) First, just to get things working, ensure you have a public, wide open crossdomain.xml policy file in your S3 bucket root. Be sure the file is marked as Public in the AWS console's properties window. An open XML policy file (allows any requests from anywhere) looks like this:

<?xml version="1.0"?>
<!-- Wide open: any domain may read data and send any request header. -->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

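2) Force-load this policy file right away when your app initializes (before attempting to load any files from S3).

Use: Security.loadPolicyFile("url to your policy file")

Important: use your bucket name as the subdomain: "http://your_bucket.s3.amazonaws.com/crossdomain.xml"

NOT: "http://s3.amazonaws.com/your_bucket/crossdomain.xml"

As the error above shows, s3.amazonaws.com falls under the 'master-only' meta-policy, so a policy file in a subdirectory of that host is ignored. With the bucket as the subdomain, your crossdomain.xml sits at the root of its own host and is treated as that host's master policy.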

3) Always ensure URLs to S3 files use your bucket as the subdomain, not as a directory in the URL.

Example: modify any URL such as "http://s3.amazonaws.com/your_bucket/someImage.jpg"

to this instead: "http://your_bucket.s3.amazonaws.com/someImage.jpg"

That should do it.

4) Tighten up security.

Once your app is working, go back to your open policy file and lock it down a bit more by specifying the domains to allow file requests from, instead of "*".

 

Allison

Thanks for the post
