
Security Sandbox violation on Haxe http request


I'm making a game using Haxe and the Flambe library, targeting Flash and HTML5. I need to access a REST API with HTTP requests. For that purpose I use Haxe's Http class. Here is my test code at the moment:

public function getRocketStatus():Void
{
    var urlLoader:Http = new Http("https://seginus-scores.herokuapp.com/api/MailboxMayhem/Highscores/");//"localhost:8000/api/rocket");

    // add parameters
    //urlLoader.addParameter("myVar", "myValue");
    //urlLoader.addParameter("userName", "Mark");

    // callbacks
    urlLoader.onError = function (msg) {requestCompleteSignal.emit(msg);};
    //urlLoader.onStatus = function(status) {requestCompleteSignal.emit(Std.string(status));};
    urlLoader.onData = function(data)
    {
       trace('Sending data completed! data=$data');
       requestCompleteSignal.emit(data);

    }

    // send the request using GET
    urlLoader.request();

    // send the request using POST
    urlLoader.request(true);
}

Every time I try to use that, I get the error:

*** Security Sandbox Violation *** Connection to https://seginus-scores.herokuapp.com/api/MailboxMayhem/Highscores/ halted - not permitted from http://localhost:7000/targets/main-flash.swf

It doesn't work if I use it from the Flambe test server, my local Apache server, etc. There seems to be no difference between the Flash and HTML5 targets. I also know that the cross-domain policy should be correct on my API, since I can connect to it fine with Unity, regular Flash and Java games I made earlier. I do get the following error in my JS console from the HTML5 target, though:

 No 'Access-Control-Allow-Origin' header is present on the requested resource.

I already checked this Haxe page which is a bit ambiguous regarding the subject: http://old.haxe.org/doc/flash/security

I have done URL requests in AS3 back in the day and had to deal with security sandbox issues. However, in those cases, adding the cross-domain policy to the other end always seemed to solve the problem, unlike here.


Solution

  • Alright, I found the issue. I feel stupid now. I had forgotten to add "http://" to the URL when I was using localhost (e.g. http://localhost:8000/api), and forgot to remove the https from the call above while I only had http available.
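
Added example (not part of the original question or answer): a small JavaScript check, using the standard WHATWG URL class, that shows how the URLs from this thread are parsed for the HTML5 target. It flags the scheme-less "localhost:8000/..." form and reports whether a target is cross-origin relative to the page. The function name classifyRequest and its result fields are hypothetical.

```javascript
// Added example; classifyRequest and its result fields are hypothetical names.
const WEB_SCHEMES = new Set(["http:", "https:"]);

function classifyRequest(pageUrl, target) {
  const page = new URL(pageUrl);
  let url;
  try {
    // Resolve against the page URL (assumed here to be the document base URL).
    url = new URL(target, page);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!WEB_SCHEMES.has(url.protocol)) {
    // "localhost:8000/..." ends up here: "localhost:" is parsed as the scheme.
    return { ok: false, reason: "scheme '" + url.protocol + "' is not http(s)" };
  }
  const crossOrigin = url.origin !== page.origin;
  return {
    ok: true,
    resolved: url.href,
    // Origin = scheme + host + port; any difference makes the request cross-origin.
    crossOrigin,
    // A cross-origin response is readable from script only when the server
    // sends a matching Access-Control-Allow-Origin header.
    needsAllowOriginHeader: crossOrigin,
    schemeDiffersFromPage: url.protocol !== page.protocol,
  };
}

// Page URL and targets taken from the question and answer above.
const PAGE = "http://localhost:7000/targets/main-flash.swf";
const SAMPLES = [
  "https://seginus-scores.herokuapp.com/api/MailboxMayhem/Highscores/",
  "localhost:8000/api/rocket",
  "http://localhost:8000/api",
  "api/rocket", // constructed relative URL for comparison
];

function report() {
  return SAMPLES.map((t) => ({ target: t, ...classifyRequest(PAGE, t) }));
}

console.log(report());
```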