Malformed XML can generate a security sandbox violation

This post was written by jimrobson on December 26, 2008
Posted Under: Flex

I’m in the process of developing a new Flex 3 RIA, and the server code is not yet written, so I’m using static XML files to provide data while I build out the UI functionality. The XML files are stored on my development machine in a subdirectory of the folder that holds the main SWF. It’s all a very standard setup, and I was successfully loading two files from the same subdirectory, so I was very surprised this morning when I got a security sandbox error:

Error #2070: Security sandbox violation: callerĀ  cannot access Stage owned by .

As implied by the reference to “Stage owned by”, this error is supposed to occur when you are loading a SWF from an unauthorized domain. I did some quick searching on Google, and everything I looked at had to do with loading a SWF. The stack trace did not clarify the issue either:

[RPC Fault faultString="Error #2070: Security sandbox violation:callerĀ  cannot access Stage owned by ." faultCode="Client.CouldNotDecode" faultDetail="null"] at mx.rpc.http::HTTPService/ 2006/flex/mx/internal::processResult() [E:\dev \3.0.x\frameworks\projects\rpc\src\mx\rpc\http \] at mx.rpc::AbstractInvoker/ mx/internal::resultHandler() [E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\] at mx.rpc::Responder/result()[E:\dev\3.0.x\frameworks\ projects\rpc\src\mx\rpc\] at mx.rpc::AsyncRequest/acknowledge() [E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\] at DirectHTTPMessageResponder/completeHandler() [E:\dev\3.0.x\frameworks\projects\rpc\src\mx\ messaging\channels\] at at at

I suspected something was wrong with the XML file, since the UI was successfully loading other files from the same directory. I opened the file in XML Spy, which immediately displayed a message to the effect that the XML was not well-formed. And sure enough, I had missed something. Here is what the XML looked like:

<page> <name>page1</name> <type>pagetype</type> <previewUrl>previewUrl</previewUrl> <path>page/path1</path> <promoTypes> </promoType>typeOne</promoType> </promoType>typeN</promoType> </promoTypes> </page>

You will probably see the error right away, but to my embarrassment I didn’t. How did the error creep in? Well, I had copied the sample XML from the design document (which I did not write) and pasted it into an XML file so that I’d have something to pull in for development purposes, and evidently I did not check it over very carefully. (If you don’t see the error, look closely at the promoType tags, and you’ll see that the opening tags have closing slashes.)

I fixed the XML, the error vanished, and I was able to resume forward progress. Clearly, the error message displayed by the debug player was not only non-helpful, it was actually misleading.

I thought I’d post this here in case anyone else runs into a similar problem. It may save you a few minutes of wonderment.


Reader Comments

Thanks good article

This was a real pain - much love

Written By dave on January 4th, 2009 @ 9:36 am

You saved me hours! Thank you so much..

Written By Cosma Colanicchia on January 23rd, 2009 @ 4:29 am

Very good article and Thanks for providing us this information…

Written By Karthikeyan on April 5th, 2009 @ 11:46 pm

Thanks I was just in the same boat thankfully i found your post!

Written By Abdullah on June 21st, 2009 @ 7:11 pm

You have no idea how much this helped me. Thanks!

Written By Chris on June 24th, 2009 @ 5:51 pm

Thanx a lot… I was debugging from 1 day.. your article helped a lot..
thanx once again :)

Written By Rohini on July 31st, 2009 @ 12:43 am

Ran into the same problem and thought it was the cross domain XML access problem that Adobe talked about, even though everything was being done on my localhost. Your solution was right - turns out one of my files was using malformed XML. Thanks!

Written By Derek on October 3rd, 2009 @ 12:31 pm

Wow same problem for me. I have been beating my head against the wall on this. Sometimes error messages make you chase snipes. Based on this article I debugged my flex code. Copied and pasted the xml returned from the php script to flex. Pasted it into w3cschools xml validation tool and sure enough poorly formed xml. After fixing the xml in the php script no more sandbox error. Thank you for this article!

Written By Rob on January 20th, 2010 @ 12:00 pm

Saved me going round in circles… thanks!

Written By Matt on March 8th, 2010 @ 11:07 am

Hey thanks for that…saved much of my time(though i already wasted some of it :) ).. my head was spinning because of the misleading message.

Written By Komal on July 4th, 2012 @ 3:26 am

Thanks a lot.. I just ran into the same issue.

Written By SuperDeveloper on January 27th, 2013 @ 1:50 pm