Unity Web Player and .NET WebAPI RESTful crossdomain.xml?

Discussion in 'Editor & General Support' started by iohouse, Aug 29, 2014.

  1. iohouse

    Hello,

    I've created a Unity 4.5.2f1 Web Player game and am trying to access an API I created on a separate server with Microsoft WebAPI 2 using an HTTP RESTful call.

    For example purposes, the Web Player game is hosted at: http://game.myserver.com/play.html
    and the API is hosted at: http://api.myotherserver.com/api/databaselookup

    I can successfully call the API if I run in the Unity editor if I have the Build Setting set to "PC, Mac & Linux Standalone" but as soon as I switch it to "Web Player" I get the dreaded "System.Security.SecurityException: Unable to connect, as no valid crossdomain policy was found".

    I created and uploaded a crossdomain.xml file to the server in the root (ANSI encoded) - so, from the example URLs above, that would be http://api.myotherserver.com/ (api/databaselookup is the MVC WebAPI Controller handling the HTTP GET request)

    <?xml version="1.0"?>
    <cross-domain-policy>
    <allow-access-from domain="*"/>
    </cross-domain-policy>

    I added a system environment variable for ENABLE_CROSSDOMAIN_LOGGING = 1 but the Error.log does not provide the details on the crossdomain.xml I was expecting (none actually).

    So, I feel I'm following the documentation in the Unity Manual for the "Security Sandbox of the Webplayer" but it's not working for me. Any suggestions?

    Anyone else out there roll their own RESTful API using the Unity Web Player?

    Thanks!
     
  2. Dustin-Horne

    Couple things...

    #1 - If you browse to http://api.myotherserver.com/crossdomain.xml what happens? It's possible that you don't have a correct MIME type configured for .xml files.

    #2 - Your crossdomain.xml file needs to be UTF-8 Encoded. If you need to change the encoding, install Notepad++ and you can change the encoding and resave it. If you're uploading with an FTP application, make sure it's uploading it as binary and not ASCII to make sure it's not hosing the encoding.

    #3 - Your policy file is a bit bare... you should specify that you want to allow access from non-https domains and it's a good idea to lock it down to master-only, though these steps aren't absolutely necessary. In your case you can literally copy and paste the crossdomain policy from api.facebook.com. Once you have it working you can replace the * with the domain of your other website. Here's the Facebook policy file: http://api.facebook.com/crossdomain.xml

    The reason it works in the editor is because it doesn't validate the crossdomain.xml file.

    Once complete your policy file should look like this (replace the domain with * for testing)

    Code (csharp):
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="game.myserver.com" secure="false" />
        <site-control permitted-cross-domain-policies="master-only" />
    </cross-domain-policy>

    One thing to note just so you understand... even though the WebPlayer is run locally at the client, it still has an "Origin" which is the domain where the file was served from. So, since the .unity3d file was downloaded from game.myserver.com, that's the origin and that's the domain that you use in the from domain. That way if someone were to try to rip off your game and host it on another server it won't work because Unity won't allow it to connect to api.myotherserver.com since the crossdomain.xml file prohibits it.
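
An added example, not part of the original thread and not Unity's own code: a small Python audit of a crossdomain.xml file that reports whether a given origin host is allowed and flags the wildcard, `secure="false"` and missing `site-control` settings discussed in the posts above. The function names and the `*.suffix` matching rule (taken from the Adobe policy format) are assumptions; the Web Player's own matcher may differ.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the two policies quoted in the thread.
WILDCARD_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>"""

LOCKED_POLICY = b"""<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="game.myserver.com" secure="false" />
    <site-control permitted-cross-domain-policies="master-only" />
</cross-domain-policy>"""


def host_matches(pattern, host):
    """Assumed Adobe-style matching: '*', '*.suffix', or an exact host name."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def audit_policy(raw, origin_host):
    """Return (allowed, findings) for policy bytes and the requesting origin host."""
    findings = []
    try:
        raw.decode("utf-8")          # the file must be readable as UTF-8
        root = ET.fromstring(raw)    # external DTD in DOCTYPE is not fetched
    except (UnicodeDecodeError, ET.ParseError) as exc:
        return False, [f"unreadable policy: {exc}"]
    if root.tag != "cross-domain-policy":
        return False, [f"unexpected root element <{root.tag}>"]
    allowed = False
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("wildcard domain: any origin may call this API")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"secure=false for {domain}: non-HTTPS origins accepted")
        allowed = allowed or host_matches(domain, origin_host)
    if root.find("site-control") is None:
        findings.append("no site-control element")
    return allowed, findings
```

Run it against the bytes actually served at `/crossdomain.xml` rather than the local file, so that any encoding change introduced by the upload is caught as well.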