M Studio Labs

This is an error just about everyone runs into when loading data across a domain or testing locally. There are a couple of workarounds, which I’ll describe in detail in this post…

If you come across this error while testing on a web server:

This means you’re trying to access content from another domain without having the correct policies on that domain. Keep in mind that Flash also sees subdomains as separate domains, so trying to load an image from “images.mstudio.com” into a Flash application on “www.mstudio.com” will not work without the correct policies.

What’s the reason for this? Well, it means that developers can’t just dynamically load a SWF, image, video, sound or data from just anyone’s server — they need permission from that server. Without this “security sandbox” there would be no way to prevent not-so-nice Flash developers from swiping other people’s content. Of course, there are always ways around this, but the point is that Flash doesn’t get a bad rap for being a malicious tool.

Setting up a policy file is really easy — you can drop an xml file named “crossdomain.xml” on the root of the server you are trying to load data/media from, in this case “images.mstudio.com” – be sure it is in the httpdocs/ or similar directory, the same place you store all of your web files.

The xml should look something like this (replace “mstudio.com” with the name of the domain you are loading from):

You can also use wildcards. If you wanted to allow loading from all subdomains on mstudio.com, you could use this:

And if you wanted to allow loading from any domain, you could use this:

If you want to put the policy file in another directory, you just need to let Flash know where to find it. In your Actionscript, you can do so by calling:

Here is a sample crossdomain policy file.

If you come across this error while testing locally:
It probably means that you are loading data/media from a source on your local machine. Flash security allows you to either load locally or load over a network. This way, you’d never have a malicious application that could grab data from a hard-drive and upload it to a remote server. You can change this setting by setting “use-network=false” in your compiler arguments if using Flex, FDT or the command line to compile. If you’re using Flash, you can change this in your publish settings: File > Publish Settings: click the “Flash” tab and towards the bottom you will see “Local playback security”. Here you can set it to use either local or network files only.

If you’re testing locally and eventually deploying to a web server, I suggest not using the method above and instead using the Flash Global Security Settings. You can access it here.

This is a nice little tool in that you can specify either a specific SWF or an entire directory to have access to load local files. If you store all of your work files in one directory, I suggest adding this directory as a trusted location to the settings manager. You can see I’ve done this above with my “Eclipse” directory (we use FDT here). If you do this once, you’ll never have to worry about error 2148 when testing again… Just don’t add your entire hard-drive as a trusted location, as this will defeat the purpose of the security and leave you open to malware.

Leave a Reply