Matt Stein

I'm working with some (well-written) AS3 that isn't my own, and recently two Flash sites that use the Moogaloop player started throwing security sandbox errors after working normally for at least a few weeks. It's Flash's error #2044, and the request URLs all begin with "bitcast.vimeo.com/vimeo/swf/moogaloop.swf".

Did anything change recently that would result in throwing these errors? Both instances are running from web servers, and at two different domains. I'm not sure if there's information I've left out -- so please let me know if that's the case.

Matt Stein

I've tried using "bitcast.vimeo.com", "vimeo.com", "vimeo.com", and "*" -- all result in the same error (obviously with changing root domains):

Error #2044: Unhandled SecurityErrorEvent:. text=Error #2048: Security sandbox violation: example.com/main.swf cannot load data from vimeo.com/vimeo/swf/moogaloop.swf?clip_id=9143026&width=640&height=360&fullscreen=0.

I'm not sure what Vimeo's crossdomain.xml file looked like before, but it looks like it's currently restricting access to "*.vimeo.com". Has this changed, or is this related?

Sandro Padin

I had a different but related error to yours. I'm using the sample code here:
vimeo.com/api/docs/moogaloop

And the player wouldn't load. I'm assuming because the crossdomain.xml file on vimeo.com doesn't allow it. I changed it to the url you provided above and it works.

In your script, you might have to modify:
Security.allowDomain("vimeo.com");
to
Security.allowDomain("bitcast.vimeo.com");
or even
Security.allowDomain("*");

Hope that helps,
Sandro

Sandro Padin

Whoops. Looks like the url parser in the forums overwrote my code for Security.allowDomain("xxxx"). Your script might have http part of that url.

Matt Stein

Thanks Sandro.

Unfortunately I have the same problem even if I set allowDomain to "*".

Sandro Padin

It seems that Security.allowDomain needs to be placed on the top-most parent in order for it to work. I'm actually loading a SWF that then loads the Vimeo player and I kept getting the security error until I placed allowDomain on the top-most file. (hope that makes sense :)

Sandro

Sandro Padin

Sorry Matt. I may have led you down the wrong path. I was getting a SecurityError, but it was SecurityError #2121. I can't be sure if your error and my error are exactly the same.

Sandro

Matt Stein

I thought the same thing -- both sites use a preloader that loads a main SWF. It occurred to me that the parent SWF may need the allowDomain line, so I added it there. (Again trying "www", "bitcast.", etc.) Still no dice.

Dariusz Duśko

What's happening, suddenly all my flash players are not working. They're still working in Flash IDE but not on the web page.

Sandro Padin

Hi Brad,

As far as loading goes; it looks like the vimeo.com/moogaloop.swf is redirecting to assets.vimeo.com/rev/1/flash/moogaloop_np.swf but it is not loading the crossdomain.xml for assets.vimeo.com.

Whereas the moogaloop.swf on bitcast.vimeo.com isn't redirecting so it only has to load the crossdomain.xml from vimeo.com.

It also looks like the crossdomain.xml for assets.vimeo.com is including only assets.vimeo.com whereas the vimeo.com crossdomain.xml is allowing access from *.vimeo.com

I hope this helps.

Some more information here:
jessewarden.com/2009/03/handling-crossdomainxml-and-302-redirects-using-netstream.html

Sandro

gaelle berton Plus

when exactly are you using the base url? when building the player?

Max Folley

I've run into the same problem. The issue is the main crossdomain file on vimeo.com which is only allowing access from files hosted on vimeo.com. Matt's solution does work, since the cross domain file at t.vimeo.com/crossdomain.xml allows access from all domains.

I have a client whose website I completed 6 months ago, but due to these shenanigans I am still having to work on it. Also, my client is losing potential clients because his videos in his portfolio won't play. This is really frustrating for me because the embeddable Vimeo swf was supposed to be an easy solution. I would have been better off building my own video player. Please, fix this.

Ryan Hefner Staff

Hey all,

We ended up rolling out the update to our crossdomain policy handling this morning and I wanted to check-in with you all to see if the issues that you were experiencing above are still causing problems. Let me know and I can try to work with you to make sure that these issues are resolved.

Thanks, Ryan

Peter Orr

I'm getting this issue still in Firefox, but not in Safari. Are there any browser settings I need to pay special attention to?

Raymond

It's still not working even with Matt's workaround. Please fix this.

Peter Nitsch

Having the same issues. Will the changes be documented soon?

AQuest Plus

I have same problems... same security problems... Vimeo change path of player....but anyone send me a message for this change.... incredible...

Ryan Hefner Staff

Hey,

I just wanted to chime in on this thread. I know that a lot of you are frustrated due to some recent changes in the way that we serve up our player (Moogaloop) and the security policies surrounding it. We are aware that some functionality has been broken and the documentation has not been updated in order to reflect a proper implementation.

The reason for the delay is due to the fact that we are currently working on a solution that will provide better long-term support for embedding the player within Flash projects. We have drafted out the solution and are working on implementing it now.

In the meantime, the following requirements should work for your projects, unless you are attempting to do something above and beyond simply loading the player. The following two changes need to be made to our example script in order for this to work:

// TEMPORARY SOLUTION - Please use only if absolutely necessary as this will break once we roll-out the new, long-term solution.

// ADD Security.allowDomain("assets.vimeo.com");

// UPDATE var request:URLRequest = new URLRequest("assets.vimeo.com/rev/2/flash/moogaloopnp.swf?clipid=" + clip_id + "&width=" + w + "&height=" + h + "&fullscreen=0");

PLEASE NOTE: This is a temporary solution and will not work once we roll out the new long-term solution. We will be posting updates to our Vimeo API blog (vimeoapi.tumblr.com) and the forums once the updates are implemented and will make sure to provide enough warning in advance so updates can be made to current applications before we turn-off the workarounds completely.

The updates will be rolling out shortly, so stay-tuned...

Thanks, Ryan

Christian Naths

And you guys seriously couldn't have worked in some kind of legacy support? Production site == broken. Not cool man.

Film Space San Francisco

Hi Ryan,

I managed to get the VimeoPlayer up and running with the temporary solution you provided. However I'm faced with another problem. My program currently draws XML information from vimeo (from files like the following: "vimeo.com/api/v2/video/1234567.xml"). However, I'm getting a security sandbox error while trying to load these XML files into my program, something that started happening only recently.

Is this something that may be fixed along with the more permanent solution to the moogaloop issues that we're currently experiencing? Is there any sort of workaround (eg, another url with the same xml information that won't generate security sandbox errors)?

The idea is that my client will only have to maintain a very simple xml file with video IDs that will automatically pull required information from vimeo's online xml files and load their videos dynamically. I've finagled a solution by simply copying vimeo's XML files onto my client's site and drawing from those instead, but this means that my client cannot easily update their content themselves.

Thanks for keeping us posted!

Ryan Hefner Staff

Hey FSSF,

You could try adding the following line to your Flash application in order to open up access to the 'api' subdirectory.

Security.loadPolicyFile('vimeo.com/api/crossdomain.xml');

Due to the updates that we have recently rolled out due to cross domain policy file security, you will most likely need to load the policy file for each resource that you plan on interacting with on the site.

Let me know if that works or not. If not, there may be a few other options to try out.

Thanks, Ryan

thibaud

Seriously, how do you expect this crossdomain.xml to fix any of the security error we are having while trying to access the api from AS3 ?
it's only allowing *.vimeo.com !
will the upcoming long-term solution fix this issue ?
if yes, when can we expect it ?
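
The policy checks discussed in the thread so far (Sandro's note on the redirect to assets.vimeo.com, and the /api policy that only lists *.vimeo.com), modelled as an added example; this is not code from any poster or from Vimeo. The policy bodies are constructed from the posters' descriptions, the http:// scheme and the t.vimeo.com path are assumptions, and the wildcard matching is a simplification of Flash Player's rules.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def _policy(domain):
    return ('<cross-domain-policy><allow-access-from domain="%s"/>'
            '</cross-domain-policy>' % domain)

# Constructed policy bodies, modelled on the posters' descriptions (not fetched).
POLICIES = {
    "http://vimeo.com/crossdomain.xml": _policy("*.vimeo.com"),
    "http://vimeo.com/api/crossdomain.xml": _policy("*.vimeo.com"),
    "http://assets.vimeo.com/crossdomain.xml": _policy("assets.vimeo.com"),
    "http://t.vimeo.com/crossdomain.xml": _policy("*"),
}

def domain_matches(pattern, host):
    """'*' matches any host; '*.vimeo.com' matches hosts ending in '.vimeo.com'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def covers(policy_url, target_url):
    """A policy file applies to its own host, at or below its own directory."""
    p, t = urlsplit(policy_url), urlsplit(target_url)
    scope = posixpath.dirname(p.path).rstrip("/") + "/"
    return p.hostname == t.hostname and t.path.startswith(scope)

def check(requester_url, final_url, loaded_policy_urls):
    """Return (allowed, reason) for a requester SWF reading final_url,
    where final_url is the address reached after any HTTP redirect."""
    requester = urlsplit(requester_url).hostname
    applicable = [u for u in loaded_policy_urls if covers(u, final_url)]
    if not applicable:
        return False, "no loaded policy file covers " + urlsplit(final_url).hostname
    for url in applicable:
        for rule in ET.fromstring(POLICIES[url]).iter("allow-access-from"):
            if domain_matches(rule.get("domain", ""), requester):
                return True, "granted by " + url
    return False, "policy loaded, but it does not list " + requester

if __name__ == "__main__":
    swf = "http://example.com/main.swf"
    redirected = "http://assets.vimeo.com/rev/1/flash/moogaloop_np.swf"
    for loaded in (["http://vimeo.com/crossdomain.xml"], ["http://assets.vimeo.com/crossdomain.xml"]):
        print(loaded, "->", check(swf, redirected, loaded))
```

Both runs deny access: with only the vimeo.com policy loaded nothing covers the redirected host, and with the assets.vimeo.com policy loaded the requester's domain is still not listed.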

Ryan Hefner Staff

Hey everyone,

We have rolled out the updates to the API that are meant to provide better long-term support for users of the API. You can review the updated documentation here:

vimeo.com/api/docs/moogaloop

I also want to point out one critical update that is going to need to be made to your applications in order to load Moogaloop into your Flash applications in the future. That update is the addition of requiring the Consumer Key, of an Application's OAuth code, passed as a variable in the Flash Vars when requesting Moogaloop. Currently, we are not requiring this key to be passed as we test the API and make sure that it is working for everyone, but in the future we will require the key and will return an error in the event the key is not passed or your application access to the API has been revoked.

In order to obtain the necessary keys for your application, you can register your application here:

vimeo.com/api/applications

Once registered, use the Consumer Key that you obtain to pass in the 'oauth_key' parameter in the Flash Vars.

As I have stated above, we are currently testing this update to make sure that it works for your applications, so please let me know if you run into issues with the new updates.

Thanks, Ryan

Raymond

It's not working. Even use your latest example provided.

Pleeeeeeeeeeease fix !!!!!

Ryan Hefner Staff

Hey Raymond,

Good catch. Appears the documentation is not the same as the download. If you change the following line:

Security.allowDomain("*.vimeo.com");

to

Security.allowDomain("*");

It should work fine after that change. Just copied and pasted the example and it worked just fine after that change. I will make sure to update the docs soon.

Thanks, Ryan

Raymond

Hi, Ryan
Your example and my app are working in Flash player now. However, once they're running in web server (includes localhost), they stop working.
Still Security Sandbox Violation.
Cheers
Raymond

Ryan Hefner Staff

Hey Raymond,

You need to load the following cross domain file:

vimeo.com/moogaloop/crossdomain.xml

We have restricted access to only the directory that Moogaloop needs access to in order to prevent cross-site scripting attacks. I'm guessing that once you update the cross domain file that you are pointing at, it should fix the issue. Let me know if that's not the case.

Thanks, Ryan

Ryan Hefner Staff

Hey Raymond,

Could you send me a URL that I can check, and maybe the source?

You can send them here if you want to keep it off the list:

ryan@vimeo.com

Thanks, Ryan

Raymond

Hi, Ryan
Please check your email.
Thanks a lot.
Raymond

Raymond

Hi, Ryan
Can't reach your email ryan@vimeo.com
delivery error.

???

Ryan Hefner Staff

Hey Raymond,

Try:

ryan.hefner@vimeo.com

That should work. If not just let me know.

Thanks, Ryan

octav

for anyone having that particular problem,
adding a Security.allowDomain("your swf or bitcast.vimeo.com"); solves the sandbox problem.

Ryan Hefner Staff

Octav,

I just wanted to let you know that we have recently updated the API and suggest that you use our new API implementation in your project(s), as opposed to the older implementation (bitcast.vimeo.com). You can review the updated documentation here:

vimeo.com/api/docs/moogaloop

Please feel free to post any questions to this forum/thread if you run into issues using the new API.

Thanks, Ryan

7DPRO.COM

so... forgive my ignorance, I'm kinda new with this whole crossdomain.xml and flash stuff.

From what I gather, RSS access via flash is not possible anymore due to the crossdomain.xml restrictions placed on the site.

If so - this is a shame, I was hoping to create a flash based VIMEO RSS reader.

Am I right that RSS data can no longer be accepted via flash? and is this a temporary problem or is this going to be a permanent thing?

Please help clarify these questions for this noob. I feel like I'm asking to clarify the obvious, but since I'm new to this whole thing. well I'm not 100% sure yet.

Lol - I was up all night trying to get it to work last night, and all along it was blocked. just my luck.

mauricio massaia

Ryan, i have a problem with the image that Vimeo Player load from assets.vimeo.com, at assets.vimeo.com/crossdomain.xml grant access just for assets.vimeo.com, how can i fix this?

look the error:

SecurityError: Error #2123: Security sandbox violation: Loader.content: api.vimeo.com/moogaloop_api.swf?oauth_key=91ebef0c14ae9871c71bf593b8da2424&clip_id=3845770&width=640&height=386&fullscreen=0 cannot access assets.vimeo.com/thumbnails/defaults/default.300x400.jpg. No policy files granted access.

Thx

massaia

dreamMonkey

Well this might be a bit off topic but since I ended up here looking for an answer to my question and it is definitely related to crossdomain policies I thought I'd just share it with you guys.

I started working on my mumeplayer again last weekend and it was performing very well locally, just now I put it online and everything worked except for loading thumbnails for vimeo movies !?

So when accessing the simple API from flash (as3)
For loading the xml (I guess using json and php would be the same thing) :
Security.loadPolicyFile("vimeo.com/api/crossdomain.xml");

That will get you access to the xml alright, you'd think you could then just start loading the .jpg thumbnails, right? wrong !

var loaderContext:LoaderContext = new LoaderContext(true);
previewLoader = new Loader();
previewLoader.load(new URLRequest(imageURL), loaderContext);

That should do the trick, at least it did for me?

Just on a sidenote, YouTube's crossdomain Policy looks pretty much like this:

allow-access-from domain="*"

I definitely agree on keeping things secure, but then I ask myself, how does YouTube protect its servers? I'm no IT expert, I just like messing around with code...

BTW @Vimeo, how about a chromeless Moogaloop?
You wouldn't believe the things I have to go through to strip down moogaloop, such a waste of bandwidth...

Kind Regards,
Dmonkey

Marc Garner

I don't know if this is related but I'm using the AS3 class and if I try and call the class in a project that has anything in the library exported for action script I get this error:

*** Security Sandbox Violation ***
SecurityDomain 'api.vimeo.com/crossdomain.xml' tried to access incompatible context ...

What do I have to do to get past this? If I delete the library items it works just fine.
WTF!

Ryan Hefner Staff

Hey Marc,

I am not sure how your project is structured, but you may need to change the location of where the Cross Domain Policy File is being requested. That may solve your issue.

If you could provide a link and a basic overview of how your project is structured, we should be able to better troubleshoot/resolve your issue.

Thanks, Ryan
