So at work we have hired a company to develop a Flex application for us. About a week and a half ago I was told that I would need to add a crossdomain.xml file to the root of our web site, giving the app permission to access our services. I created one that looks like this and dropped it in the root of all three sites the app will need access to.

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.thedomain.com"/>
</cross-domain-policy>

It worked great on the first two sites, which are either .Net web portals or a ColdFusion site running under Tomcat. (Don't blame me, I can't stand the app that we are running right now. But I can't change it right at the moment.) But the third site is where I have a web service running. It's a .Net WCF service and Flex has to access it over HTTP, so they are hitting http://OurDomain.Com:8080/foo.svc.

The developers at their company were scratching their heads trying to figure out why they could not access a .svc file when everything else was working. I was stumped as well, because according to the logs the Flex app was pulling the crossdomain.xml file and hitting foo.svc.

They kept getting an error which stated,

*** Security Sandbox Violation ***

Connection to http://OurDomain.com:8080/foo.svc halted – not permitted from http://www.theirDomain.com/client/designer/client.swf

Well, it looks like most Flex developers are used to hitting the older versions of .Net and web services that end with .ascx. When I was asked what a .svc file was, it got me thinking that maybe the problem had something to do with a .Net svc. I started hitting Google and looking for a solution. As I said earlier, apparently most Flex developers are not used to hitting a .Net WCF service, because we could find many posts asking why they could not hit the service, but not many telling them how to fix it.

After more searching I finally found the solution on a Microsoft website. The Flex app calls the web service with the following function, and apparently once it gets the WSDL information it makes an actual SOAP call to the server rather than a standard HTTP GET.

_ws = new WebService();
_ws.wsdl = "http://ourdomain.com:8080/foo.svc?wsdl";
_ws.loadWSDL();
var token:AsyncToken = _ws.getOperation("METHOD").send( param1 );

So, you have to grant the Flex app's domain the right to send a SOAPAction header with the request. This is what I added to the crossdomain.xml to get it to finally work.

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.TheirDomain.com"/>
<allow-http-request-headers-from domain="*.TheirDomain.com" headers="SOAPAction,Content-Type"/>
</cross-domain-policy>
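
To check a policy file before deploying it, the sketch below (an added example, not code from the original post) parses a crossdomain.xml and reports whether a SWF host is granted access and which request headers the policy does not explicitly grant it. The function names, the constructed sample policies and the simplified wildcard matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two policy files in the post.
POLICY_BEFORE = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.theirdomain.com"/>
</cross-domain-policy>"""

POLICY_AFTER = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.theirdomain.com"/>
<allow-http-request-headers-from domain="*.theirdomain.com" headers="SOAPAction,Content-Type"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Simplified matching (assumption): '*', an exact host, or '*.suffix' for subdomains."""
    pattern, host = pattern.strip().lower(), host.lower()
    if pattern == "*" or pattern == host:
        return True
    # Keep the leading dot so 'eviltheirdomain.com' cannot match '*.theirdomain.com'.
    return pattern.startswith("*.") and host.endswith(pattern[1:])


def evaluate(policy_xml, swf_host, request_headers):
    """Return (access_granted, headers_not_granted) for a SWF served from swf_host."""
    root = ET.fromstring(policy_xml)
    access = any(domain_matches(e.get("domain", ""), swf_host)
                 for e in root.iter("allow-access-from"))
    granted = set()
    for e in root.iter("allow-http-request-headers-from"):
        if domain_matches(e.get("domain", ""), swf_host):
            granted |= {h.strip().lower()
                        for h in e.get("headers", "").split(",") if h.strip()}
    if "*" in granted:
        return access, []
    return access, [h for h in request_headers if h.lower() not in granted]


def broad_grants(policy_xml):
    """List elements whose domain is a bare '*', i.e. open to every origin."""
    root = ET.fromstring(policy_xml)
    return [e.tag for e in root.iter() if e.get("domain", "").strip() == "*"]
```

Against the first sample, access is granted but SOAPAction is reported as not granted, which matches the symptom in the post: the policy file was fetched, yet the SOAP call was halted.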