Facebook, Flash and the Permission denied – Location.toString Error

So I started work on my first two Facebook applications this week. They are both Flash Christmas games I’m making for Creative Lynx Ltd. They designed and planned them and I’m putting the mechanics into place. When we started testing both the apps certain people where getting an error message popping up in their virus scanners:

Error: Permission denied for <[Server Path Edited Out]> (document.domain has not been set) to call method Location.toString on <[Server Path Edited Out]> (document.domain=<[Server Path Edited Out]>).

Took a while of searching before I got to the solution. It seems to be down to the crossdomain.xml file we’re using on the server. The whole thing including the solution is written about here on Perone’s Programming Pad. In case the page ever goes down I’m making a copy of the before and after XML files that are used to sort this out.

Here’s the XML file as it stood when we were having the problem:

    <site-control permitted-cross-domain-policies="all" />
    <allow-access-from domain="*" />

Here’s the XML file that fixes the problem:

    <site-control permitted-cross-domain-policies="all" />
    <allow-access-from domain="*" />
    <allow-http-request-headers-from domain="*" headers="*" />

He talks about it showing up in Firefox’s error console. I’m guessing that Trend Antivirus is keeping an eye on the error console and flagging it up due to that. All the people that reported the problem work in the same office and have a network install of Trend i.e. they are all using the same version.

Share Article

Comments: 2

Leave a reply

Please fill in the form fields and improve Skynet by completing the captcha!

Thank you! All comments are moderated so yours will appear shortly.
  • gilloub

    Hi, nice catch
    I’m also working in some facebook project and have the same issue, I can’t integrate a google street view map to the app because of that. where exactly I have to drop the crossdomain.xml file and what i have to do to make this working ?


  • Anonymous

    The cross domain XML file goes in the site root of the domain that you are trying to remotely access, not the one with your HTML/swf files. You only need to use it if you are trying to access data on a different domain than your swf content. Better with an example I guess.

    Facebook App Page
    Used an iframe to show a HTML page I hosted at Domain A.
    The HTML page had my Flash games swfobject code inside it along with the required FB app javascript code.

    Domain A
    Has your facebook apps HTML and CSS files.
    Calls web services hosted at Domain B so it can pull certain database records.

    Domain B
    This is where the database and SOAP classes are stored and run from.
    This is where you put the crossdomain XML file, in the domain root directory.

    This was only an issue for me as this particular project required development on a remote server (Domain A). When the project went into production status the files were moved locally to the same server as the database and web service calls (Domain B). At that point we didn’t need the cross domain policy file but left it for future use.

May your knife chip and shatter.

— Paul Atreides