Channel.Security.Error and webservices


Today I burned some time fixing an issue in an application: a security violation raised for a SWF file when calling a webservice hosted on another domain. At first, even though it was quite obvious that the error had something to do with the crossdomain file, I was not sure what was happening. After some trial and error and some searching, I found that this issue occurs when one node is missing from crossdomain.xml. The missing node was:

<allow-http-request-headers-from domain="*" headers="SOAPAction"/>

This node was introduced with the update in Adobe Flash Player 9.0.115.0, which means that if a domain wants to receive headers from a remote SWF, it should have a crossdomain.xml with the above node added. More information is here: http://bit.ly/a04r0m . After reading this technote, I came to know that this update was made in order to increase the security level and defend against malicious HTTP headers sent by content from other domains. I was also made aware that not all headers can be sent from Flash Player; the list of blacklisted headers can be found here: http://bit.ly/cPy6CW.

Ideally, your crossdomain.xml in these scenarios, when working with a webservice, should look like this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>
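
The check below is an added example, not code from the original post: it parses a policy file and reports whether a SWF served from a given host may send a given header, and which nodes use the bare `*` domain. The host `app.example.com`, the scoped variant of the policy and the function names are assumptions made for illustration; wildcard and case handling are simplified.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the policy from the post, and a variant scoped to one
# host. "app.example.com" is a placeholder for the host that serves the SWF.
POST_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>"""
SCOPED_POLICY = POST_POLICY.replace('domain="*"', 'domain="app.example.com"')
EMPTY_POLICY = "<cross-domain-policy/>"  # the situation that produced the error


def _matches(pattern, value):
    """Case-insensitive match. '*' matches anything; a leading or trailing '*'
    is treated as a plain suffix or prefix wildcard (a simplification)."""
    pattern, value = pattern.strip().lower(), value.strip().lower()
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def header_allowed(policy_xml, swf_domain, header):
    """True if the policy lets a SWF served from swf_domain send `header`."""
    root = ET.fromstring(policy_xml)
    for node in root.iter("allow-http-request-headers-from"):
        if not _matches(node.get("domain", ""), swf_domain):
            continue
        allowed = node.get("headers", "").split(",")
        if any(_matches(h, header) for h in allowed):
            return True
    return False


def wildcard_domains(policy_xml):
    """Tags of all nodes whose domain attribute is the bare '*' wildcard."""
    root = ET.fromstring(policy_xml)
    return [n.tag for n in root.iter() if n.get("domain", "").strip() == "*"]
```
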

Issues of this kind only pop up once an application is developed and we finish integration with a backend. So check this whenever you deal with HTTP headers and a remote SWF, so that you don't waste considerable time wondering where you went wrong. Many of you might already be aware of this setting; those who don't yet know about it, please take note.

Cheers


Published by

Sunil Nair

I am a Software Developer currently working on developing Rich Internet Applications using Adobe Flex/AIR. I have had diverse experience of developing applications in the software industry for the last 4 years.

3 thoughts on “Channel.Security.Error and webservices”

  1. Hi Sunil,
    I am facing a similar problem.
    I have a Flex website using webservices. The webservice and Flex website are hosted on the same server. When I run the website using http://localhost/myproject/index.html all runs fine. However, when I try to run the website using the server name http://testserver01/myproject/index.html, it gives me the error. Is this related to the same issue you mentioned? If so, is there any security issue in updating the crossdomain file?

    1. Hi Batul,
      Don’t think you have the same issue as mentioned in the post, since the post is related to when you deal with a webservice and when you have the webservice and SWF file on 2 different servers.
      But, I am wondering why do you have a crossdomain if you have both the webservice and SWF hosted on the same server? Is that required? Would you be able to show the error that you got so that we can be more sure about what your actual problem might be?
