Since version 7 of Adobe Flash Player there is a new feature of Flash which allows direct cross-domain data loading, authorized by policy files. If you deploying Xcelsius Dashboards in large corporate environments you may get trouble with cross-domain data loading:

2048: Security sandbox violation: %1 cannot load data from %2.
2070: Security sandbox violation: caller %1 cannot access Stage owned by %2.
2170: Security sandbox violation: %1 cannot send HTTP headers to %2.

In most cases it will help to put a properly configurated crossdomain.xml file to the ROOT of the Webserver/Applicationserver that hosts the SWF-Files. (Commonly this will be the Tomcat-Application Server of you BOXI Enterprise installation)

In the current version of the Adobe Flash player (9,0,124,0 from 9 April 2008) there are a few securtiy related improvements, which oblige you to adjust your crossdomain.xml policy file: The allow-http-request-headers-from tag has been added to the cross-domain policy file.

Below you will find two policy files which works fine:

• download crossdomain.xml policy file
• download crossdomain.xml policy file (most permissve, not recommended, has to be renamed to crossdomain.xml)

Copy this file to your default Webserver ROOT directory. In my environment using the Tomcat of BOXI the following path is the right one:

C:\Programme\Business Objects\Tomcat55\webapps\ROOT\

Now restart the Webserver/Applicationserver and everything should be fine.

More Information about Flash security and crossdomain.xml configuration will be provided by the following links:

• Abobe Technote: Arbitrary headers are not sent from Flash Player to a remote domain
• Abobe Developer Center: Policy file changes in Flash Player 9 and Flash Player 10 beta (7 pages!)
• Abobe Developer Center: Cross-domain Policy File Specification