How to fix this (probably) cross domain policy error using Flash, Socket.IO and NodeJS


Error #2044: Unhandled SecurityErrorEvent:. text=Error #2048: Security sandbox violation: cannot load data from
    at io::Socket/doHandshake()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/]
    at io::Socket/connect()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/]
    at io::Socket()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/]
    at io::IO$/connect()[/Users/airrider3/github/AS3-Socket.IO-XHR-Polling/xhr-polling/src/io/]
    at MainController/endOfbluecodeSplash()[/Users/airrider3/Dropbox/Projects/Kipos/Minigames/HoldTheBombWeb/src/]
    at bluecodeSplash/endOfSplash()[/Users/airrider3/Dropbox/Projects/Kipos/Minigames/HoldTheBombWeb/src/]
    at Function/
    at com.greensock.core::TweenCore/complete()[D:\_Flash\_AS3\src\com\greensock\core\]
    at com.greensock::TweenLite/renderTime()[D:\_Flash\_AS3\src\com\greensock\]
    at com.greensock.core::SimpleTimeline/renderTime()[D:\_Flash\_AS3\src\com\greensock\core\]
    at com.greensock::TweenLite$/updateAll()[D:\_Flash\_AS3\src\com\greensock\]

I'm using Flash Builder, an ActionScript project, which connects to a server running NodeJS using the Socket.IO module.

To connect Socket.IO with AS3 I'm using the following library, which works perfectly while testing locally from Flash Builder.

However, if hosted on my domain [], I suppose it raises this SecurityErrorEvent because I am not using any crossdomain.xml files correctly? I've never gotten along with this topic, to be honest, so I'm not sure if this is the error.

In any case, I have the following crossdomain.xml file:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

I have it in different places on my server. (Should it be on the hosting client?). Yes, the game is hosted on, while the game's server is on the IP, running on the port 8000.

If it is a crossdomain policy error, would anyone be kind enough to explain what should be done to fix the problem?

Thanks for your attention.

Update 1:

I set up a server listening on port 843 giving the crossdomain file, but I can see that Flash doesn't try to load it. (I tested the command python -c 'print "<policy-file-request/>%c" % 0' | nc 843 and checked that the policy server indeed works.)

How come the SWF doesn't try to load a crossdomain policy file?

12/30/2012 8:43:44 PM

Accepted Answer

Whoa. I just read this on the Socket.IO documentation: "flash policy port defaults to 10843

By default the Socket.IO client will check port 10843 on your server to see if flashsocket connections are allowed. The Adobe Flash Player normally uses 843 as default port, but we decided to default to a non root port."

So that's why it didn't try to load the file from port 843...


2/8/2013 6:38:48 PM

The crossdomain policy file should be hosted on the machine where the server is running, i.e. on the For socket connections, Flash Player automatically tries to load the master crossdomain policy file from port 843 (You can get a simple policy server script from

UPD: Use Security.loadPolicyFile("xmlsocket://"); to load the policy file directly, but as I wrote, Flash Player already does the same automatically (for port 843); it sends the string request "<policy-file-request/>\0".

debugging policy

To debug the policy server do the following:

  1. Be sure you have the debug flash player.

  2. Check that the server is installed correctly with the command (Linux, Mac or Cygwin on Windows): echo -ne '<policy-file-request/>\0' | nc -v host port. This command should print out your crossdomain.xml file.

  3. Turn on the Flash Player policy log by setting the flag PolicyFileLog=1 in the mm.cfg file (be sure you have the debug version of Flash Player), run the SWF file and read the policy log. It has a user-friendly format, and you will be able to figure out the problem in most cases from this log.
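The check from step 2 and the port mix-up from the accepted answer, scripted as an added example (not code from the original answers): `fetch_policy` sends the request Flash Player sends and `wildcard_rules` lists any `*` grants in the reply, so it can be pointed at ports 843 and 10843 of the game server. Assumptions: the function names, the placeholder domain `game.example.com` and the sample policy are constructed for illustration; port 8000 is the game port from the question.

```python
import socket
import socketserver
import threading
import xml.etree.ElementTree as ET

REQUEST = b"<policy-file-request/>\x00"  # what Flash Player sends, NUL-terminated

# Constructed sample policy; game.example.com stands for the domain serving the SWF.
POLICY = (b'<?xml version="1.0"?><cross-domain-policy>'
          b'<allow-access-from domain="game.example.com" to-ports="8000"/>'
          b'</cross-domain-policy>')

class PolicyHandler(socketserver.StreamRequestHandler):
    timeout = 3  # drop clients that connect and send nothing
    def handle(self):
        # Answer only an exact, NUL-terminated policy request, then close.
        if self.rfile.read(len(REQUEST)) == REQUEST:
            self.wfile.write(self.server.policy + b"\x00")

def start_policy_server(port, policy=POLICY, host="127.0.0.1"):
    server = socketserver.ThreadingTCPServer((host, port), PolicyHandler)
    server.policy = policy
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_policy(host, port, timeout=3):
    """Return the policy XML served on host:port, or None if none is served."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(REQUEST)
            data = b""
            while b"\x00" not in data and (chunk := s.recv(4096)):
                data += chunk
    except OSError:
        return None
    return data.split(b"\x00")[0] or None

def wildcard_rules(policy_xml):
    """Return (domain, to-ports) pairs that allow any origin or any port."""
    rules = ET.fromstring(policy_xml).iter("allow-access-from")
    return [(r.get("domain"), r.get("to-ports")) for r in rules
            if "*" in (r.get("domain"), r.get("to-ports"))]

if __name__ == "__main__":
    srv = start_policy_server(0)  # port 0: any free local port, for the demo
    xml = fetch_policy("127.0.0.1", srv.server_address[1])
    print(xml.decode(), wildcard_rules(xml))
    srv.shutdown()
```

A `None` from `fetch_policy` on the port the client actually checks means no policy is being served there, whatever is listening on the other port.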

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow