What to do about network failures when loading crossdomain.xml policy file?

8
votes

I monitor (and log to server) most user errors in our flash game. Quite frequently I see security errors related to trying to make requests to a cross-domain URL (usually the Facebook Graph API). 99% of our players can make these graph API calls with no issues.

What I think is going on is that the client makes a request, but fails to load the crossdomain.xml file. I don't quite know how AS3 handles this in the case of a failure to load the crossdomain policy file...will it retry for every URLRequest made until it succeeds in loading it, or does it just give up forever? What's the "best practice" in response to a security error like this?

I am pre-loading the Facebook policy files once, ahead of time, like this:

// allow images to be loaded from facebook and facebook's cdn's.
Security.loadPolicyFile( "http://www.facebook.com/crossdomain.xml" );
Security.loadPolicyFile( "https://api.facebook.com/crossdomain.xml" );
Security.loadPolicyFile( "https://graph.facebook.com/crossdomain.xml" );
Security.loadPolicyFile( "http://profile.ak.fbcdn.net/crossdomain.xml" );

then I also have flash check the policy file again when making the URLRequest.

2
flashactionscript-3facebooksecurityfacebook-graph-api

2 Answers

2
votes

Here is a solution that appears to work.

Assuming you are using a URLLoader to read data from one of the domains that has a crossdomain.xml file and you are calling loadPolicyFile to preload crossdomain.xml, there is a chance that the load will fail, either from network connectivity issues or from a server being down, or from solar flares. When you set up your URLLoader, you can add an event listener for SecurityErrorEvent.SECURITY_ERROR. In the even listener, you can try loading the policy file again. The policy files get cached though, even when they fail to load (thanks adobe), so you'll have to add a cache busting query parameter.

Here is a simple example of how this would work:

public function loadMyFriends():void {
  var urlLoader:URLLoader = new URLLoader();
  urlLoader.addEventListener(
    SecurityErrorEvent.SECURITY_ERROR, handleSecurityError);
  urlLoader.load(new URLRequest('https://graph.facebook.com/me/friends'));
}

private function handleSecurityError(event:Event):void {
  Security.loadPolicyFile(
    "https://graph.facebook.com/crossdomain.xml?__cb"=Math.random());
  loadMyFriends();
}

In practice, you would probably want to limit the number of retries and maybe do an exponential back-off if it really is a network connectivity issue and not just a dead server that isn't being properly handled by a load balancer.

0
votes

My tests have shown that it retries up to every 10 seconds or so, so I guess it should be possible to show an error message and try again after a few seconds.