If you send headers to a domain that does not match the domain where the SWF is hosted, you need to update your crossdomain.xml file to allow them to continue to work with Flash Player 9.0.124.0. While this is discussed in the ADC pre-announcement, it could use a bit more detail. Flash Player support wrote a great technote detailing how to set up <allow-http-request-headers-from>.
http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403185
One of the examples from the article is:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>
Also, it is worth reiterating that the new header crossdomain syntax is required for both the send and sendAndLoad network APIs. For network requests without additional headers, the traditional crossdomain syntax and behavior continue to apply.
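To review what a policy file actually grants before deploying it, the sketch below parses the <allow-http-request-headers-from> entries and answers "may a SWF from this domain send this header?". It is an added example, not code from the technote or from Flash Player; the function names and LOOSE_POLICY are made up for illustration, and the matching rules ("*" as the only wildcard, case-insensitive comparison) are an assumption about the policy file format rather than a copy of the player's logic.

```python
import re
import xml.etree.ElementTree as ET

# The technote's example policy, as quoted in the post.
TECHNOTE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>"""

# Constructed sample: an over-broad grant a reviewer should question.
LOOSE_POLICY = """<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="Authorization, X-*"/>
</cross-domain-policy>"""


def header_grants(policy_xml):
    """Return [(domain_pattern, [header_pattern, ...]), ...] from a policy file."""
    root = ET.fromstring(policy_xml)
    grants = []
    for el in root.iter("allow-http-request-headers-from"):
        headers = [h.strip() for h in el.get("headers", "").split(",") if h.strip()]
        grants.append((el.get("domain", "").strip(), headers))
    return grants


def _match(pattern, value):
    # Assumption: "*" matches any run of characters; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def header_allowed(policy_xml, swf_domain, header):
    """True if a SWF served from swf_domain may send `header` to this host."""
    return any(
        _match(domain, swf_domain) and any(_match(h, header) for h in headers)
        for domain, headers in header_grants(policy_xml)
    )


def overbroad_grants(policy_xml):
    """Grants that use a wildcard in the domain or in any header name."""
    return [
        (domain, headers)
        for domain, headers in header_grants(policy_xml)
        if "*" in domain or any("*" in h for h in headers)
    ]
```

Running overbroad_grants over every crossdomain.xml you serve is a quick way to spot a wildcard domain paired with a credential-bearing header.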
This one bit Cartoon Network and Adult Swim for their video apps. I knew it would and should have tried to get a beta of the player to check to make sure. 5 minute fix though.
Does this mean a domain can explicitly allow the use of the restricted headers like Authorization now?
Justen,
yes, authorization is allowed again
I was just curious, when does Adobe plan to update the Adobe Flash Player Security whitepaper?