Facebook API: Why can I load a user's image off one domain but not another?

Image 1 is at fbcdn-photos-a.akamaihd.net

Image 2 is at fbcdn-sphotos-a.akamaihd.net

The crossdomain files are identical:

https://fbcdn-sphotos-a.akamaihd.net/crossdomain.xml

https://fbcdn-photos-a.akamaihd.net/crossdomain.xml

I can load image thumbs (which are on server 1), but I cannot load the full images (which are on server 2). I get SecurityError: Error #2123: Security sandbox violation.

For 2 hours I've be开发者_运维问答en playing with LoaderContext settings, Security.allowDomain, and Security.loadPolicyFile. Nothing gives.

I too was struggling whith this a few days ago... But the all of sudden, it worked by

adding this somewhere when my app inits:

        Security.loadPolicyFile("http://graph.facebook.com/crossdomain.xml");
        Security.loadPolicyFile("http://profile.ak.fbcdn.net/crossdomain.xml");
        Security.allowDomain("*");
        Security.allowInsecureDomain("*");

And then i used this to get the picture:

public function getProfilePicture():void {
            var myLoader:Loader = new Loader();
            myLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, function(e:Event):void {
                pic.bitmapData = Bitmap(myLoader.content).bitmapData;
            });
            var fileRequest:URLRequest = new URLRequest("http://graph.facebook.com/" + this.uid + "/picture");
            var lc:LoaderContext = new LoaderContext();
            lc.checkPolicyFile = true;
            myLoader.load(fileRequest, lc);
}

If you are attempting only to get the user's profile image, you can access it unsecured from http:/graph.facebook.com/USERID/picture/ . But if you are talking about any other image (photos, etc.), you can do it only from the domain declared in the facebook app page, "Facebook integration" tab. That prevents any malicious intent of accessing your user's data in the event that somebody obtains your APP_ID and APP_SECRET.

The problem described here is that Graph API redirects you to one of the Facebook CDN domains. You have to load crossdomain policies from these domains into your Flash client in order to be able to call them using Security.loadPolicyFile("<protocol>://<domain>/crossdomain.xml");. Protocol is also important. List of these CDN domains is not available, so you can't bake it into the app. I described similar problem with profile pictures in this bug: http://developers.facebook.com/bugs/470699803010338 It'd be ideal if Facebook provided a list of CDN domains for it's developers via API so we could load appropriate crossdomain policies without having to allow everything or compromise security in other ways.

This worked for me:

loader.load(new URLRequest("https://graph.facebook.com/" + user.uid + "/picture?type=normal"), new LoaderContext(true, null, SecurityDomain.currentDomain));

As the error message states you are attempting to load something from a different server which is a security violation. It might not appear to make sense as you know they are identical but only you know that. This same security principal is what prevents js in a browser from one site stealing a cookie that belongs to another. If this security principal did not exist then the web would be a much worser place, with identity theft a much bigger problem.