Today I burned out sometime fixing an issue in an application related to security violation of a SWF file when calling a webservice hosted on another domain. At first even though if it was quite obvious that the error had something to do with the crossdomain, I was not sure what was happening, but after some trial and error and some searching, found that this issue occurs when one thing is missing in the crossdomain xml. The missing node was –
<allow-http-request-headers-from domain=”*” headers=”SOAPAction”/>
This addition was made with the update in Adobe Flash Player 220.127.116.11 which means that if a domain wants to receive headers from a remote SWF it should have a crossdomain xml with the above node added. Find more information here – http://bit.ly/a04r0m . After reading this technote came to know that this update was made in order to increase the security level and defend against malicious HTTP headers sent by content from other domains. Also was made aware that not all headers can be sent from Flash player and list of blacklisted headers can be found here – http://bit.ly/cPy6CW.
Ideally your crossdomain in these scenarios when working with webservice should look like :
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-http-request-headers-from domain="*" headers="SOAPAction"/> </cross-domain-policy>
All these kind of issues only pops up once an application is developed and once we finish integration with a backend. So, better check this out guys whenever you deal with http headers and remote SWF ,so that you dont waste considerable time wondering where did you go wrong. Many of you might be already aware of this setting and those who don’t yet know about this please take a note.