Flex socket communication sandbox and security policy problems

I. sandbox and Security Policy Issues
1. When this problem occurs during connection, It is accurate to the two conditions before connection:
1. local playback
by default, flash player does not allow SWF to access any network.
access Logging.
2. Web Publishing
SWF published on the Web may face cross-origin problems.

2. There are two communication methods in Flash:
1. http: for example, urlloader is used to load remote SWF, files, images, and audio/video streams.
2. socket is mainly used to establish long-term connections with remote servers, such as xmlsocket.
flash player6 and later versions introduce security policy files. before formal communication, the system checks whether the target location has a valid security policy, to prevent unlimited access to applications in different domains.
in http mode, Flash Player checks whether crossdomain exists in the root directory of the target domain. XML. If yes, obtain and analyze the content (described later) to determine whether access is allowed.
in Socket mode, it is a little complicated for Flash Player to obtain security policies. The standard steps from 9.0.115.0 are as follows (ie is used as the standard in the following description, and exceptions are described later ):
1) first initiate a connection to port 843 of the target host and send a string with the content " ", and wait for the security policy file to be returned and analyzed.
2) If 1) fails, check whether security is used in the as Code . loadpolicyfile ("xmlsocket: // host: Port") method to load the security policy file. If yes, obtain and analyze the file.
3) If 2) fails, the request is sent to the target host: port in the as code. The process is the same as 1 ).
4) if the security policy file is successfully obtained and the analysis determines that the connection can be established, the connect () method is executed. In this case, the connection to the target host is created.

3. Solutions
Let's just talk about the socket method.
1) WriteProgramListen to port 843. When you receive "<policy-file-Request/>", send the appropriate policy content (crossdomain. XML) back to the client.
2) load the policy file through loadpolicyfile () in as. Use xmlsocket: // instead of http ://.
3) When "<policy-file-Request/>" is detected on the standard server, the policy content is returned.

4. Exceptions and test results
Tests show that in IE and opera, Flash Player checks the security policy strictly according to the preceding steps.
When a connection is established in Firefox and chrome, flash player does not send "<policy-file-Request/>" to the server, but directly connects to the server. This should be the reason for different implementation versions of Flash Player.

5. Problems in Data Transmission
In xmlsocket data transmission, pay attention to the following details. Otherwise, some inexplicable problems may occur.
1. End symbol
When xmlsocket receives data from the server, it will be placed in the receiving buffer continuously until it receives "\ 0" bytes (the byte content is ASCII value 0, and call the corresponding ondata or onxml event.
If the server is written in Java and the standard string class family is used, manually add "\ 0" to the end of the sent data ".
If it is written in C ++, because the standard string type in C ++ ends with byte 0, you do not need to add "\ 0 ".
* In C ++, you need to pay attention to another problem. If you perform string processing on your own, the standard strlen and string are used to determine the string length. length () and so on are the actual number of valid characters returned. When the final message is sent to the network, the total length should be 1 byte to accommodate the ending byte 0.
* This issue also exists when sending security policy content, so you must pay attention to it.

2. Chinese problems
By default, no matter from which end the data is sent to the other end, if the data contains Chinese characters, garbled characters are generated. The solution is as follows:
1) Add "system. usecodepage = true;" to the as to force the use of the local code set. This method is the most convenient, but garbled code will still appear on the Cross-language platform.
2). You can write transcoding functions in your code. This method is more complex but versatile. Specific TranscodingAlgorithmThere are a lot of online, mainly C ++ server needs, Java in the use of JDK class conversion to UTF-8.

Detailed reference: http://www.flash-home.com/article/818.html