Issue

When you use GET and POST requests (defined with XML.addRequestHeader() and LoadVars.addRequestHeader() in ActionScript 2.0, or URLRequest.requestHeaders in ActionScript 3.0) to send arbitrary HTTP request headers in Adobe Flash Player 9.0.115.0 or later, the requests fail and the headers are not sent.

Reason

To improve website security and help defend against malicious HTTP headers sent by content from other domains, Flash Player performs a cross-domain policy file check before allowing SWF files to send headers to another domain. Before Flash Player will send a header, the cross-domain policy file for the remote domain must state which headers it accepts, and from which domains.

Note: Some headers cannot be sent by the Flash Player at all. For a complete list of blacklisted headers, refer to "You receive an ActionScript error when an HTTP send action contains certain headers" (TechNote kb403030).

Solution

Domains that wish to accept headers from a remote SWF file must use a cross-domain policy file to indicate which headers Flash Player may send to them. The <allow-http-request-headers-from> tag has been added to the cross-domain policy file specification for this task. Unlike the <allow-access-from> tag in policy files, this tag grants permission for information being pushed to the server (headers) rather than information being pulled from it (text files, etc.). It has three attributes:

  1. domain (Required) -- Specifies a domain that will accept the headers specified in the headers attribute. Wildcards ("*") can be used to specify all domains or all subdomains of a specific domain.
  2. headers (Required) -- A case-insensitive, comma-separated list of allowed headers for the domain specified in the domain attribute. Valid characters, per RFC822, are ASCII 33-41, 42-57, and 59-126. This includes all printable non-space ASCII characters except colons (which end a header name), and asterisks (which are used as wildcards). Wildcards can be used to specify all headers, or can be used with a single header name as a suffix allowing for all headers that start with the string value preceding the wildcard character.
  3. secure (Optional) -- This indicates whether non-HTTPS requests can be made to HTTPS URLs. Supported values include true and false, where true is the default for an HTTPS policy file and false for any other policy file.

Examples

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
    <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <!-- This domain can accept an AnotherHeader header and
         all headers that begin with "X-MyPrefix-" from any SWF file -->
    <allow-http-request-headers-from domain="*" headers="AnotherHeader,X-MyPrefix-*"/>
</cross-domain-policy>

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <!-- This domain can accept any header from a SWF file on
         any subdomain of example.com and supports https requests -->
    <allow-http-request-headers-from domain="*.example.com" headers="*" secure="true"/>
</cross-domain-policy>

Allowing SOAPAction header for web services

When using Flash Player in conjunction with web services, make sure the SOAPAction header is allowed. The following shows what a crossdomain.xml file may look like to enable SOAPAction for requests made by SWF files on the domain www.example.com.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <!-- This domain can accept the SOAPAction header from a SWF file from www.example.com -->
    <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
</cross-domain-policy>
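The matching rules from the attribute list, applied to policies like the ones above, as an added example that is not part of this TechNote or of Flash Player itself: a small Python evaluator that decides whether a SWF served from a given host may send a given header, so an administrator can audit a crossdomain.xml before deploying it. The sample policy, the host names and the reading of "*.example.com" as subdomains only (not example.com itself) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, not taken from any real server: it combines the
# page's wildcard forms with the SOAPAction rule and an explicit secure flag.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader,SOAPAction"/>
  <allow-http-request-headers-from domain="*.example.com" headers="X-MyPrefix-*" secure="true"/>
  <allow-http-request-headers-from domain="*" headers="AnotherHeader" secure="false"/>
</cross-domain-policy>"""


def domain_matches(pattern, swf_host):
    """'*' matches every host; '*.example.com' matches subdomains of example.com
    (assumed: not example.com itself); anything else must match exactly."""
    pattern, swf_host = pattern.lower(), swf_host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return swf_host.endswith(pattern[1:])
    return swf_host == pattern


def header_matches(pattern, header):
    """Header names compare case-insensitively; '*' allows any header and a
    trailing '*' allows every header that starts with the preceding prefix."""
    pattern, header = pattern.strip().lower(), header.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return header.startswith(pattern[:-1])
    return header == pattern


def header_allowed(policy_xml, swf_host, header, swf_https, target_https, policy_https):
    """True if a SWF served from swf_host may send `header` to this domain.
    secure defaults to true when the policy file itself was fetched over HTTPS;
    a secure rule does not let a non-HTTPS SWF send headers to an HTTPS URL."""
    root = ET.fromstring(policy_xml)
    for rule in root.iter("allow-http-request-headers-from"):
        default = "true" if policy_https else "false"
        secure = rule.get("secure", default).lower() == "true"
        if secure and target_https and not swf_https:
            continue  # rule withheld from non-HTTPS SWFs targeting HTTPS
        allowed = rule.get("headers", "").split(",")
        if domain_matches(rule.get("domain", ""), swf_host) and any(
                header_matches(p, header) for p in allowed):
            return True
    return False
```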

For more information on cross-domain policy files, refer to "External data not accessible outside a Flash movie's domain" (TechNote tn_14213).

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.