Arbitrary headers are not sent from Flash Player to a remote domain
Issue
When you use GET and POST requests (defined with XML.addRequestHeader() and LoadVars.addRequestHeader() in ActionScript 2.0, or URLRequest.requestHeaders in ActionScript 3.0) to send arbitrary HTTP request headers in Adobe Flash Player 9.0.115.0 or later, the requests fail and the headers are not sent.
Reason
To improve website security and help defend against malicious HTTP headers sent by content from other domains, Flash Player performs a cross-domain policy file check before allowing SWF files to send headers to another domain. Before Flash Player will send a header, the remote domain's cross-domain policy file must specify which headers it accepts, and from which domains.
Note: Some headers cannot be sent by Flash Player at all. For a complete list of blacklisted headers, refer to "You receive an ActionScript error when an HTTP send action contains certain headers" (TechNote kb403030).
Solution
Domains that wish to accept headers from a remote SWF file must use a cross-domain policy file to indicate which headers Flash Player may send. The <allow-http-request-headers-from> tag has been added to the cross-domain policy file specification for this task. Unlike the <allow-access-from> tag in policy files, this tag grants permission for information being pushed to the server (headers) rather than information being pulled from it (text files, and so on). It has three attributes:
- domain (Required) -- Specifies a domain whose SWF files may send the headers listed in the headers attribute. Wildcards ("*") can be used to specify all domains or all subdomains of a specific domain.
- headers (Required) -- A case-insensitive, comma-separated list of allowed headers for the domain specified in the domain attribute. Valid characters, per RFC822, are ASCII 33-41, 42-57, and 59-126. This includes all printable non-space ASCII characters except colons (which end a header name) and asterisks (which are used as wildcards). A wildcard on its own allows all headers; a wildcard used as the suffix of a single header name allows all headers that start with the string preceding the wildcard character.
- secure (Optional) -- Indicates whether non-HTTPS requests may send headers to HTTPS URLs. Supported values are true and false; true is the default for an HTTPS policy file and false for any other policy file.
Examples
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
<allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!-- This domain can accept an AnotherHeader header and
all headers that begin with "X-MyPrefix-" from any SWF file -->
<allow-http-request-headers-from domain="*" headers="AnotherHeader,X-MyPrefix-*"/>
</cross-domain-policy>
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!-- This domain can accept any header from a SWF file on
any subdomain of example.com and supports https requests -->
<allow-http-request-headers-from domain="*.example.com" headers="*" secure="true"/>
</cross-domain-policy>
Allowing SOAPAction header for web services
When using Flash Player in conjunction with web services, make sure the SOAPAction header is allowed. The following shows what a crossdomain.xml file may look like to enable SOAPAction for requests made by SWF files on the domain www.example.com.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!-- This domain can accept the SOAPAction header from a SWF file from www.example.com -->
<allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
</cross-domain-policy>
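The matching rules above (domain wildcards, case-insensitive header names, and the trailing "*" header prefix) are easy to get wrong when auditing a policy file. The following Python script is an added example, not Adobe's code or Flash Player's actual implementation: it parses a constructed crossdomain.xml, answers whether a given origin may send a given header, and flags rules that accept every header from every domain. It assumes that "*.example.com" does not match the apex "example.com" itself.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not taken from any real site); it combines the
# exact-domain SOAPAction rule and a subdomain wildcard rule with a header prefix.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
  <allow-http-request-headers-from domain="*.example.com" headers="AnotherHeader,X-MyPrefix-*"/>
</cross-domain-policy>"""

def domain_matches(pattern, origin):
    # "*" matches every host; "*.example.com" matches any subdomain of example.com
    # (assumption: the apex "example.com" itself is not a subdomain); else exact match.
    pattern, origin = pattern.lower(), origin.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return origin.endswith(pattern[1:])
    return pattern == origin

def header_matches(pattern, header):
    # Header names compare case-insensitively; "*" allows every header and a
    # trailing "*" allows every header that starts with the preceding prefix.
    pattern, header = pattern.lower(), header.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return header.startswith(pattern[:-1])
    return pattern == header

def parse_header_rules(policy_xml):
    # Yield (domain, [header patterns], secure) for each allow-http-request-headers-from.
    root = ET.fromstring(policy_xml)
    for el in root.iter("allow-http-request-headers-from"):
        headers = [h.strip() for h in el.get("headers", "").split(",") if h.strip()]
        yield el.get("domain", ""), headers, el.get("secure")

def header_allowed(policy_xml, origin, header):
    # True if any rule lets a SWF served from `origin` send `header` to this server.
    return any(domain_matches(d, origin) and any(header_matches(p, header) for p in hs)
               for d, hs, _ in parse_header_rules(policy_xml))

def overly_permissive(policy_xml):
    # Audit helper: rules that accept every header from every domain.
    return [(d, hs) for d, hs, _ in parse_header_rules(policy_xml) if d == "*" and "*" in hs]
```

Run header_allowed against your own policy file with the origins you expect, and treat any non-empty result from overly_permissive as a finding to review.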
For more information on cross-domain policy files, refer to "External data not accessible outside a Flash movie's domain" (TechNote tn_14213).