Will Perone

Uncaught Exception: Permission denied to call method to Location.toString

You may have noticed recently that some Flash applications (maybe yours) are not connecting to retrieve remote content anymore. If you're running Firefox, you are getting this cryptic message in the error console: "Uncaught exception: Permission denied to call method to Location.toString". Only some users get this error; others don't.

What's going on here? As it turns out, a Flash security update between versions 9.0.115.0 and 9.0.124.0 changed the behavior of the crossdomain security policy file. A number of the changes can break things, but the one of note here is that arbitrary headers cannot be sent anymore from a remote domain unless you specify a security policy that allows it. How do I do this? Thankfully, it's an easy one-line fix in your crossdomain.xml file.

Before:
<cross-domain-policy>
	<site-control permitted-cross-domain-policies="all"/>
	<allow-access-from domain="*" />
</cross-domain-policy>
After:
<cross-domain-policy>
	<site-control permitted-cross-domain-policies="all"/>
	<allow-access-from domain="*" />
	<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
For more information on the new allow-http-request-headers-from tag, go to Adobe's TechNote page on arbitrary headers not being sent.
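
An added example (not code from the original post or from Adobe): a small Python audit of a crossdomain.xml that flags the wildcard grants used in the one-line fix above and rejects files that are not a single well-formed cross-domain-policy document. The sample policies are constructed, and games.example.com and the appData element are placeholders.

```python
import xml.etree.ElementTree as ET

# Element names defined by Adobe's cross-domain policy file format.
KNOWN = {"site-control", "allow-access-from",
         "allow-http-request-headers-from", "allow-access-from-identity"}


def audit_policy(xml_text):
    """Return (severity, message) findings for one crossdomain.xml document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # e.g. a second root element or application data pasted after the policy
        return [("error", f"not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", f"root is <{root.tag}>, expected <cross-domain-policy>")]

    findings = []
    for el in root:
        domain = el.get("domain", "")
        if el.tag not in KNOWN:
            findings.append(("error", f"<{el.tag}> does not belong in a policy file"))
        elif el.tag == "site-control":
            if el.get("permitted-cross-domain-policies") == "all":
                findings.append(("warn", "site-control 'all': every policy file "
                                 "on this host is honoured, not only the master"))
        elif el.tag == "allow-access-from":
            if domain == "*":
                findings.append(("high", "allow-access-from '*': a SWF hosted on "
                                 "any domain may read responses from this server"))
            elif "*" in domain:
                findings.append(("info", f"wildcard subdomain grant: {domain}"))
            if el.get("secure") == "false":
                findings.append(("warn", f"secure=false for {domain}: SWFs loaded "
                                 "over HTTP may read HTTPS content"))
        elif el.tag == "allow-http-request-headers-from":
            if domain == "*" and el.get("headers") == "*":
                findings.append(("high", "any domain may send arbitrary request "
                                 "headers to this server"))
            elif domain == "*" or el.get("headers") == "*":
                findings.append(("warn", "wildcard in header grant: "
                                 f"domain={domain!r} headers={el.get('headers')!r}"))
    return findings


# Constructed samples. OPEN is the article's "After" policy; SITELOCKED and
# BROKEN are hypothetical (games.example.com is a placeholder domain).
OPEN = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

SITELOCKED = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="games.example.com" />
  <allow-http-request-headers-from domain="games.example.com" headers="SOAPAction"/>
</cross-domain-policy>"""

# Application data appended after the policy: two root elements, so not XML.
BROKEN = OPEN + "\n<appData><id>1</id></appData>"

if __name__ == "__main__":
    for name, doc in (("open", OPEN), ("sitelocked", SITELOCKED), ("broken", BROKEN)):
        print(name)
        for sev, msg in audit_policy(doc) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The site-locked sample is what a restricted policy looks like when only named domains need access; it produces no findings.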

81 Comments
Julius L 17 7
I seem to suffer from such an error and although it might be easy for you to fix this it is not the same for me simply because I don't know how to get into my crossdomain.xml file.
Will 0 0
The crossdomain.xml file resides on the server which you are fetching content for your Flash application/game from (not necessarily the server the Flash app/game is hosted on). If there is not one on the server (it assumes it's in the root of the website by default) then one needs to be created for the networking to work in the Flash app.
Nate 2 2
Hi there. I'm noticing that some of our Firefox users are getting this error when viewing a page that has a flash file on it. I created a file called crossdomain.xml and uploaded it to mydomain.com/crossdomain.xml. But, this didn't seem to fix the problem. Below is the code that I used. Any idea why this didn't work?
Will 1 0
Sorry, I've disabled certain tags to prevent injection attacks. This is the exact crossdomain.xml file I have on my server:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
	<site-control permitted-cross-domain-policies="all"/>
	<allow-access-from domain="*" />
	<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
If it is your Flash app you are developing, you will need to also in the Actionscript code specify the crossdomain file like so:
Security.loadPolicyFile("http://(your url)/crossdomain.xml");

If you still have questions, send me an email.
Will 1 46
Note, this is different from specifying the 'Socket Policy File' which must be served from port 843 on the server when making socket connections from Flash 9 (latest rev).
Will 1 0
Note: I've reenabled html tags in comments, so posting code should work fine now.
Mark 6 9
I think with a bit more effort I will understand this. To clarify, is it true to say that clients can do nothing to bypass this if they have Firefox3 and Flash 9.0.124.0 (or better) and that the serving web sites have to apply a fix?
M.Reeder at st-paulshigh.manchester.sch.uk
Will 0 0
Yes, there is nothing that a client/user can do to get around this aside from finding and reinstalling a previous version of Flash... These are all changes the server/content creators need to implement thanks to our buddies at Adobe :-/
Nate 0 0
Let me try and understand this a little more... Is this crossdomain.xml file only needed if your .swf needs to access data from another domain? And, is at all possible that you might open yourself up to a security risk if you add such a crossdomain.xml file using the wildcard * ? Or, does this merely allow the swf to access data from a domain if and only if you access another domain in your actionscript code?
Nate 0 0
And, one more question that I have is this: Why does this error only occur for some Firefox users that have this latest version of Flash installed and not others?
Will 0 0
Yes the crossdomain.xml file is only needed if your swf needs to download/upload data from another domain (not the other way around); if your swf is loading stuff from the same domain that it's sitting on then everything should be ok. The issue I ran into was that my swf although originally on my website, spread throughout the internet thus there were all these different domains hosting the swf trying to access my content.
The allow-access-from domain="*" wildcard is used to give access to all possible domains hosting swf files trying to access the server with the crossdomain file on it. You can specify particular domain names there instead if you only want those domains to access your stuff. This is great when you have a sitelocked game for example.
The error only occurs for people with the latest Flash installed because Adobe unrolled this security 'feature' with that release. The Internet Explorer Flash plugin seems to not have this feature yet.
tt 2 0
@Nate

You can only see this error in Firefox if you have Firebug installed.
Nate 0 0
@tt

I do have Firebug installed and this error does not occur for me. The only reason that I know this error occurs for some of our Firefox users is that we have a window.onerror function defined that sends me an email when this error occurs for our website visitors. When I access our website with Firefox, I do not get this error in Firebug nor do I get this error emailed to me.
Jake 0 0
I have FF3, firebug and I assume, the latest version of flash and this error is appearing when I embed youtube videos. The videos still load... Worth youtubes time and effort to look into a fix?
jsgoupil 0 0
I don't have Firebug installed right now, and I can get this error with a Flash6 swf.
Having a crossdomain.xml file won't help me... I'm wondering what I should do. I don't want to update my SWF to a higher version.

(Will? you are the webmaster? you should put timestamp in posted comments)
Will 0 0
jsgoupil, yes I should do that.... the whole blog engine here is something I wrote a while back and it needs some overhauling. I'll work on adding timestamps :)

You are getting this error with a Flash 6 swf? Is the version of Flash installed on your computer Flash 9 and the swf you are checking is compiled for Flash 6 or do you have just Flash 6 installed on your computer as well?
You can check by trying to load any Flash 9 games like Beat Me Up (http://willperone.net/Projects/Game2/game2.php). If you don't have Flash 9 installed then I'm not sure what the error could be aside from that in your case it might actually be a javascript error.
jsgoupil 0 0
My SWF is a Flash 6, my clients must have Flash 6+... so I won't say they all have Flash 9. But the swf file is compiled with Flash 6.

I'm not totally sure the error comes from Flash 9 because I just installed Flash 8r42 and I have the same problem.
I'm going to dig a little more in this problem to find a solution.
jsgoupil 0 0
And the crossdomain.xml doesn't help... It's not even fetched.
Will 0 0
Can you post the url? I'll take a look at it too.
coreyb 1 0
hey will. i'm hoping you can help me understand my specific problem. i have an iframe from domain A calling in an html page from domain B and have the crossdomain.xml file set up on domain A and domain B yet i am still getting this error in FF2 and FF3. i'm not seeing the error with firebug but rather with the web developer toolbar. please let me know if you can share any thoughts on this...

http://www.inbluelight.com/cnet/test/iframe_js_error/iframe.html
Will 0 0
Someone else is having a similar problem with iframe. In your case, have you tried commenting out that javascript code and just doing the object/embed to lower down the problem?
coreyb 0 0
yep - i still get the error even with a simple object/embed setup - check the page again to see. thanks for taking a look at this. i'm really stumped (and need to use the js implementation!).
Will 0 0
Yes, I'm aware of the problems with some versions of IE that require that javascript; I just wanted to eliminate that to control the test. Does this occur when the iframe includes something of the same domain inside it or only when it is from another domain? Your crossdomain.xml files look fine. AllowScriptAccess should be defaulted to always so that should not be an issue as well.
Will 0 0
This could actually just be a bug in FireFox, previous versions of FireFox did not support iframe very well if at all... perhaps they never quite got it right.
Will 0 0
This is a shot in the dark, but try setting your html doctype to 4.0 transitional in both pages as well.
Craig 0 0
8/1/2008
I've added a crossdomain.xml file with the exact same contents that you've posted to the root of my site. And there is no difference at all when the Flash ad loads on it - FF3 with Firebug still displays the error. Am I misunderstanding which site needs to have the xml file in it? The site which has it currently is the site that loads and displays the Flash ad, not the server that houses the ad. Any additional thoughts for why this solution isn't working?
Craig 0 0
8/1/2008 (update)
I've tried this solution on an asp.net 3.5 site and it DID work. However, the first site I tried it on is using MVC and it didn't work for that.
Will 0 0
The server which the Flash object retrieves the content from (which is not necessarily the server hosting the Flash object) needs to have the crossdomain.xml.
coreyb 0 0
hey will - thanks for the shot in the dark :)
unfortunately i don't think that did it. does anyone have any links to adobe or firefox addressing this as an issue? i wish there was a concrete document stating that there is a problem with the latest flash player or with firefox.
Keith 0 0
Hi Will, I have a flash file stored in cms.smartplanetcms.com and call using domain www.mitavite-asia.com. The flash can be displayed but suppose we have click event but not able to handled. Page in http://www.mitavite-asia.com/index.asp?LanguagesID=1&TitleReferenceID=652&CompanyID=10. If call from http://cms.smartplanetcms.com/index.asp?LanguagesID=1&TitleReferenceID=652&CompanyID=10, it works fine. Please advice. Thanks. I've put crossdomain.xml file stated above into cms.smartplanetcms.com domain.
Will 0 0
When I go to http://www.mitavite-asia.com/index.asp?LanguagesID=1&TitleReferenceID=652&CompanyID=10, all I get is this:
msxml3.dll error '80072ee2'

The operation timed out

?, line 0
Rob 0 0
Hi, We don't currently have a wide open crossdomain.xml. We specify only a couple of sites but we have heard reports of an issue with our flash player for a couple of users. Is there a fix without opening it up for the world?

Will 0 0
Yes there does appear to be something else that can also cause this error to occur even when you have no javascript on your site. It has something to do with iframes; it is my suspicion that it may be related to the page encoding/doctype but I have not figured it out. If you figure it out, please let me know and I'll update the article!
Derrick 0 0
I don't know what's wrong. All of a sudden I wasn't able to upload pictures, click certain links. Is there something wrong with my p.c? If so what could I do to repair it and this whole xml file process is new to me so a further description would be helpful
Will 5 5
Derrick, there is nothing wrong with your computer (as a user). These are problems the server needs to fix for them to work correctly. If some web applications you are using are not working, you need to notify the people that make them to get them to fix it.
David 0 0
Hey , im suffering of the same problem , but , i dont know what are you talking about , i barely know what is the problem , if somebody can tell me , in easy steps , what to do , i'll appreciate it, thank you very much
sydawn 0 0
Hello, I am suffering from this as well. My uploader and site script is sending files to a storage server but I am not sure, it may even be the connection between my PC and the uploader. I have downgraded my flash and even added your above mentioned script and nothing changes..please help me.
Will 0 0
You need to be a little less vague there sydawn.
Paul 0 0
Don't see date on this... hope you still have active. Can't upload Ebay pics & some other content on Firefox running in Windows XP. Don't have FF3 yet but seems if my own problems are due to unwise alterations of settings by me or my system, they carry over to version 3, so I'd rather fix now. Same "uncaught exception..." from top of this thread appears message for me, too. Did a reinstall of Firefox 2.0.0.16 and un/reinstall of flash player WIN 9,0,28,0 (also odd: version test for Adobe flash player says an "SWF movie" appears to display the version, and it sure doesn't look like a "movie" to me, but I don't know what a "SWF" even is.) Since finding your site here, it seems hopefully that it's something others had too, so maybe it really needs something I know nothing about, rather than spend another 3 days searching for what may have caused unknown changes to my previously excellent clean-running system.
Will 0 0
A SWF is a Flash file. They are still called movies because historically they were used for creating animated movies although these days Flash SWFs are created for many purposes including online stores, user interfaces, games, movies, etc. I haven't tried looking to eBay specifically if they have this issue since I don't have an eBay account, but they may well have this issue and if so, there's nothing you as a user would be able to do about it. It would be something eBay would have to fix on their end. This problem will occur on every version of Firefox with Flash 9.0.124.0 and higher. You could try downgrading to an earlier version of Flash to get rid of it although I'm not sure where to find earlier versions of it.
Andrew 0 0
My hotmail doesn't work. Can you tell me EXACTLY what to click on and what to do to fix this problem.
Will 0 0
This is not my main job diagnosing this error, I am in the middle of building my own company and thus only have a certain amount of time to dedicate to addressing people's issues with this. If you are having problem with hotmail please email their staff with a bug report.
Willy 0 0
Hey , what exactly is a flash security , sorry . very bad in computers
anna 0 0
you said if we have more questions to email you but i dont see an address....but i am having the same problem and am on firefox...i dont understand i dont understand how to do the crossdomain or any of it..please help and thank you
Will 0 0
The email link is on the left menu bar for the website.
Rob H 0 0
It's not always to do with cross domain data requests. There is a bug in the Flash player:

http://bugs.adobe.com/jira/browse/FP-561
Ray S. 0 0
You might want to check out this as well
http://www.adobe.com/go/kb403030
It may or may not pertain to this problem, but if it does, it means that there are some SWFs that cannot be accommodated with the policy files.
Wr 0 0
SA Test
ss a person from london 0 0
basically what happened was that every time i try to use a program the same error comes up
Al 0 0
Hi Will, I am using frames and one of the frame opens a the webpage with SWF file and other contents. On IE6 and IE7, I am getting JS 'Permission denied' error whereas in FF2 and FF3 I am getting permission denied error on Location.toString and Window.Vars. Although everything got loaded fine yet it looks ugly and need to be fixed. I check crossdomain.xml on our web server and it wasn't even there. So I created one and put it in the root as you discussed in the start of discussion. It didn't work.
Will 0 0
I have also gotten this error with jQuery / prototype conflicts. You might want to check that if you are using either one of those. In short it might actually be a javascript error. You might want to check out your page in the firebug debugger.
Al 0 0
Thanks Will, it looks like there is something wrong when we use dojo widget with Flash. Firebug points to a dojo horixzontal_scroll_widget.js for this error. Any thoughts on that?
Will 0 0
I've never used Dojo so I'm not sure about that in particular but I do know sometimes FireBug/FF get confused and trip up over themselves when you have 'inspect' mode on esp if you have some javascript watches on. Sometimes I have to outright wipe the cache and restart the browser for it to sort itself out.
Russel Jan 24, 09 0 0
Hello, I am glad I came across this thread b/c this error has been driving me nuts.

I placed the crossdomain.xml file into my root path of the webserver but its not resolving the error. I am loading a flash file from another domain and I don't have access to the flash/action script itself.

Is there someway to reference the crossdomain.xml file in the html/javascript that calls the flash file from the other domain? If not, what do I need to provide the flash developers to add to their flash files so this error will go away.
Russel 0 0
interestingly enough, adobe says there is no fix for it yet (and just ignore it)

http://bugs.adobe.com/jira/browse/FP-561
GJ 0 0
I'm hoping this isn't part of a backroom deal in a browser war, it could cost Firefox a great deal of sympathy
Jen 0 0
Well I have been putting up with this problem for ages now, as well as other repeating nuisance error messages in FF when loading Ebay and telstra sites but also others as well. I take it from various above comments that there is next to nothing that a user can do about it. It makes loading very slow. It seems amazing that it has taken so long for a fix to be found. 8/6/2009
Carol 0 0
I am not a developer like you guys, but I am having the same problem in Firefox AND IE. My operating system is Windows XP PRO. I was getting a bunch of assorted smaller errors that seem to have disappeared as Firefox just updated, and I forced an update with windows, and checked Java and it is up to date as well.
Assorted errors otherwise still persist on the Firefox errors window (java) parsing, no element found,zoom, assorted scrollbar errors etc.
Funny thing is I can still go anywhere on the net either using Firefox or IE, using my bookmarks, going from search result pages, or directly typing a webpage address and there is no problem, EXCEPT when I want to go to ONE specific page. Yes I checked to make sure it was not blocked by the firewall,and virus protection programs, or the browser settings, and added it into any setting that WOULD ALLOW it. I've been chasing my tail with this for quite a while, almost a month now. I even checked with my ISP Provider - no problem there, and I checked with others who use this same page - which requires a login - no problem there either. I am considering rolling back the flash player to see if that will help as I must have access to this page for my in home business. If you wish to try the link here it is - see if it will load for you. http://www.watkinsonline.com
After waiting quite a while, I end up with a blank page, it says it's done, and the page title is there, but no content - I was wondering if it is an about blank hijack??
I have Java 6 Standard Edition update 14 (build 1.6.0_14-b08) from Sun Microsystems, Inc. and I have Adobe Flash 10 but not the shockwave as it turns out ( I just ran the adobe page that checks these programs - which that does jog my memory, I remember trying to upgrade that before - several times, and it said it couldn't do it or find something close to replace it or something like that. http://www.adobe.com/shockwave/welcome/ that is the page to test these 2 programs. Anyway I will install the shockwave - since I am missing it and see if that helps ...
Carol 0 0
So I installed the Shockwave and still no change !! so I am going to try to roll back the flash next.
Will 0 0
The only thing on that page that is Flash is strangely enough a Verisign certificate thing. Maybe the problem lays with Verisign not conforming to the standard correctly. As a user the best thing you can probably do in this situation is just roll back your Flash to an earlier version and notify the owner of the website that this is occurring; it is something they should fix as many people are probably experiencing trouble.
Ayya durai 0 0
Thanks for your help. Can you tell me how to use this XML to resolve the error?

I have created the XML like this. but this Error did not clear.

<?xml version="1.0" encoding="iso-8859-1"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" />
</cross-domain-policy>
<surveyFeedback><feedbackId>133</feedbackId>
<bgColor>0xDAEBF5</bgColor>
<subTitle><![CDATA[&nbsp;]]></subTitle>
</surveyFeedback>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

Please post here if you have any script for this.
Ayyadurai 0 0
Hi will,
I need to get the PARENT ID from the child window in the cross domain. this is my code. which is working fine in same domain not in cross domain. Please can you post the script.
parent.document.getElementById('transpdiv').style.display='none';
Will 13 1
Sorry, raw xml won't show up here. You'll have to html encode it but I can see the xml on the server you posted. A crossdomain file can only have the crossdomain stuff in it, it can't have stuff like bgColor, feedbackId, surveyfeedback etc in it. And remember it has to be served on a special port on the server.
Will 0 0
Not sure what you mean by your second question. That code should work but it's javascript, not xml.
Ayyadurai 0 0
Hi will,
Thanks for your reply i need to get the ParentID in cross domain for CLOSE the back end window. this code(parent.document.getElementById('transpdiv').style.display='none';) is working fine in same domain. but when i go to use this code(FEEDBACK TAB) in another domain i am getting this Javascript Error(Permission denied to get property Window.document) Please can you tell me your suggestion.
Will 0 0
I don't know if you can close a window in another domain... I know you can close your own window through doing:
self.close();
What I've done in the past to close a window is redirect to another page that immediately closes itself onload:
<body onload="self.close();"></body>
Doug 0 0
I tried this and I still get the error in Firebug? Does anyone know whats going on? Flash Player 10 is the plug in version I have installed for Firefox running on Ubuntu.
Im a noob 0 0
I'm a noob at this cross domain but I'm trying to get to tppcrpg.net/ but it says permission denied to call method .... location.tostring. (On Firebug) Trying to learn this cross domain so it gives me permission. No idea what you guys are talking about but if anyone is willing to help me I shall post a screenshot of what you want to see to help me :) Thanks a million, I have a hard time on this stuff :(
A Suggestion 2011/01/14 0 0
First, - great post Will - fuzzy intermittent errors are always hardest to track and fix - and this one was well tracked by you - thanks.
Next - for any Noobs - not sure if this helps anyone else - FF303 and FF306 both give the message, viewed by clicking Tools-Error messages - clear your error messages - then load an offending page. An example is the music link at www.omergoldman.com - which has a left and right iframe and the right iframe plays a series of youtube videos - you will see the error message pop up - but usually the videos play anyway, so its a ?warning? and not fatal in my case anyway. I don't like error messages, but if the content flows, get the fly out of the beer and enjoy the party. I used FF303 and Flash8 on Win2K, SP4 - worked fine despite error message. Also worked with IE.
Next, for others, I went to a fresh XP install last night, FF306 and same Flash8 install - content wouldn't flow - no tunes. The javascript can be viewed by right-click-open frame new window, then view source etc. and its an html inner call in the script that rotates youtube tunes in 2 areas of the page. Hope ya'all enjoy Shakira, Sade and Santana etc.
So what we have here is a bug that is a combination of browser design, flash version and cross domain access, primarily (at least in my case) fatal in iframes.
Solution might be to detect browser and location.replace out of a page that has a combination you know crashes fatally (pain), or provide users with a button "Can't hear music? Click here" and let them pop open the tunes direct at the site - in this case youtube, so it's not an embed video - it's direct at the site, then when you pop open that window, give the window a name, and pop open the next song with the same window name, which usually will replace the content with the next content (another pain, but somewhat reliable behavior).
In short, when you have an intermittent error, browser/flash/domain/content error, chasing after it with tables of user configuration is a coding nightmare, but giving users a button to open content in background (new window) may give you the "effect" you sought - in this case a series of songs which are heard more than seen - and you eliminate the error, caused by Adobe - a firm not known for fixing anything, considering their reader (new topic) seems to have the Microsoft "pig" disease of getting fatter every year. You might try Sumatra - great little reader I give to most of my clients.
2011/02/22 0 0
what is this
igor 2011/03/07 0 0
I placed the crossdomain.xml with the content provided into our web site root, but still see the same error:
Permission denied for <http://embed.buto.tv> to call method Location.toString on <http://localhost2.example.com>.
:(
Any other variants how to fix this? (FF 3.6.13, Flash Player 10.2.152.32)
marina 2011/04/26 0 0
Hi ,
I also replaced crossdomain.xml with the content in this site,
but get the same error in FF :
permission denied to http://banners.bportal.com to call method Location.ToString.
What can you suggest?
thank you in advance.
marina 2011/04/26 0 0
And this error prevents execution of the following javascript code on the page
Will 2011/04/26 0 0
You may have a crossdomain issue outside of Flash. For example, if you have an iframe which is loading a webpage from a different domain and you try to access its contents from the containing website that will also give you a crossdomain issue but for valid reasons.
Javier 2011/11/02 0 0
This might be old (we are now on Flash 11), but you still saved my life (more likely my business). Thanks!
Heidi 2011/12/29 0 0
The genius store called, they're running out of you.
sting 2012/01/21 0 0
I found out about this amazing site: http://www.fight4fun.it/ and, need help with how this website was done. I really don't like flash websites and the main reason is when you want to send a friend a specific page you can't as it's all the one URL. but I like the style of flash.
durgesh bhattad 2013/04/17 0 0
where to put cross domain.xml file and how to call it, is there in security issue