function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Security Sandbox Error with Flex/Air 1.0 toolkit

I have been connecting to to read data for more than a year from my app and suddenly tonight it has stopped working.

I have the following exception (I have deliberately removed the username and password, but I have checked that they are correct and refer to the latest security token. 

This was working fine erlier today and I have changed no code...

Method name is: login
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer connected.
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer sending message 'B89E5879-D7F7-E91E-2082-BBEE231054DD'
'direct_http_channel' channel sending message:
  body = "<se:Envelope xmlns:se=""><se:Header xmlns:sfns=""/><se:Body><login xmlns="" xmlns:ns1=""><username>simon.palmer@*****.com</username><password>*****</password></login></se:Body></se:Envelope>"
  clientId = (null)
  contentType = "text/xml; charset=UTF-8"
  destination = "DefaultHTTPS"
  headers = (Object)#1
  httpHeaders = (Object)#2
    Accept = "text/xml"
    SOAPAction = """"
    X-Salesforce-No-500-SC = "true"
  messageId = "B89E5879-D7F7-E91E-2082-BBEE231054DD"
  method = "POST"
  recordHeaders = false
  timestamp = 0
  timeToLive = 0
  url = ""
Method name is: login
*** Security Sandbox Violation ***
Connection to halted - not permitted from https://localhost/pm_server/pm/pm-debug.swf
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer acknowledge of 'B89E5879-D7F7-E91E-2082-BBEE231054DD'.
'A997F86A-36E9-DDDC-EC6B-BBEE23101466' producer fault for 'B89E5879-D7F7-E91E-2082-BBEE231054DD'.
Comunication Error : Channel.Security.Error : Security error accessing url : Destination: DefaultHTTPS
Error: Request for resource at by requestor from https://localhost/pm_server/pm/pm-debug.swf is denied due to lack of policy file permissions.

What has changed?
I was seeing the same thing this morning. I thought I had checked out the crossdomain.xml not a week ago and it was was wildcarded to open, but now it seems limited to handful of domains.
Unfortunately this is a known bug that Salesforce is working on. It only affects users of the Flash 10 player. I spoke with the Flex product manager as Dreamforce and alerted him of the problem. They applied a patch last Friday that fixes the problem but only if you are running the SWF from a Salesforce server. If you run the SWF from a non-Salesforce server you still receive the error.

I spoke with the product manager again yesterday and he has reopened the case. Hopefully it will be fixed soon.

Jeff Douglas
Informa Plc

Thanks for the information.  Do you have a ticket number so I can contact them myself?
The case is: 02236361
Jeff Douglas
Informa Plc
I thought this was the problem but I am using 9.0 r124 so either it is not limited to 10 or there's something else at play. 

I immediately blamed my own code and account credentials, but having re-checked that nothing changed I am now sure that it is not them.  I have reverted back to production code which has been working since February 2007 and that throws the same exception, so there must be something else.
So, there are lots of possible combinations of security settings, endpoint settings and so on that affect the communication between a Flex app (SOAP API) and the platform. 

First, there is a missing x-domain file at  This file is required to allow your flex application to set the appropriate required html headers for the SOAP messages.  We have a fix in progress and expect resolution by early next week.

Still, even with that in place, there are other considerations that you have control over that affect accessibility to the platform. Specifically, if you are hosting your swf on a non-ssl enabled server (http), you must do two things to enable the toolkit.  First, you need to set the "protocol" attribute of the connection object to "http" and set the server url to "".  If you don't make this setting the toolkit will default back to ssl (https).  Second, you will need to check to make sure that your instance is configured to allow non ssl connections.  You can do this by going into Setup and under Administration Setup/SessionSettings verify that the check box next to "Require secure connections" is unchecked.  When that box is checked, no matter what method you use to access the platform (web or api) you must us https.

The reason that you need to allow http connections if you are hosting from a non ssl site is because the flashplayer security will not allow mixed security (AFAIK).

Hope this helps.

Thanks for the helping me out with this issue Dave! Outstanding customer support from Salesforce as usual. How often would you get someone from SAP to give you a ring concerning a problem? [No reply needed..... everyone knows the answer.]

Jeff Douglas
Informa Plc
Thanks Dave.  Is there still a Flash 10 versus Flash 9 player issue as well?
Thanks for the response.  I am aware of the HTTPS problem and have matched the protocols (if you look at the exception trace I posted you'll see that I am using an HTTPS server at my end). 

It sounds to me more like the problem with the crossdomain security policy.

I'm intrigued to know why this has suddenly happened.  Was there a change at the end?  If yes, how do I keep abreast of such changes so I can avoid this in the future.

I now have no production environments working, a lot of upset customers and no firm date to tell them that it will be fixed.  How do I escalate issues like this?
I have our production instance working with both Flash 9 & 10 with a workaround that Dave and I tested. See the code snippet below and notice that you can reference your actual server (not recommended but a workaround) instead of "www" using a non-SSL protocol.
[Bindable] public var sfdc:Connection = new Connection();

sfdc.protocol = "http";
sfdc.serverUrl = "";

Hope this helps.
Jeff Douglas
Informa Plc
I was experiencing this security issue as recently as yesterday, but today I'm getting no response from login attempts.  Is it just me?  I have spoken to Adobe about the FP10 issue, and they communicated a fix was underway with