Allowing Headers in crossdomain.xml
If you send headers to a domain that does not match the domain where the SWF is hosted, you need to update your crossdomain.xml file to allow them to continue to work with Flash Player 9.0.124.0. While this is discussed in the ADC pre-announcement, it could use a bit more detail. Flash Player support wrote a great technote detailing how to set up <allow-http-request-headers-from>.
http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403185
One of the examples from the article is:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- This domain can accept a MyHeader header from a SWF file on www.example.com -->
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>
Also, it is worth reiterating that the new header crossdomain syntax is required for both the send and sendAndLoad network APIs. For network requests without additional headers, the traditional crossdomain syntax and behavior continue to apply.
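To check a policy file before deploying it, the following added example (not from the technote or from Adobe) parses the <allow-http-request-headers-from> entries, answers whether a SWF on a given domain may send a given header, and flags broad grants. It assumes that "*" wildcards in the domain and headers attributes can be modelled as case-insensitive glob patterns; the function names and the second policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# The policy from the article, followed by a constructed over-broad one.
ARTICLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-http-request-headers-from domain="www.example.com" headers="MyHeader"/>
</cross-domain-policy>"""
BROAD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="Authorization,X-*"/>
</cross-domain-policy>"""

def header_grants(policy_xml):
    """Return [(domain_pattern, [header_patterns])], all lower-cased."""
    grants = []
    for el in ET.fromstring(policy_xml).iter("allow-http-request-headers-from"):
        headers = [h.strip().lower() for h in el.get("headers", "").split(",")]
        grants.append((el.get("domain", "").strip().lower(), [h for h in headers if h]))
    return grants

def is_allowed(policy_xml, swf_domain, header):
    """Would a SWF hosted on swf_domain be allowed to send this header?"""
    # Assumption: "*" wildcards are matched glob-style, case-insensitively.
    for domain, headers in header_grants(policy_xml):
        if fnmatchcase(swf_domain.lower(), domain) and any(
                fnmatchcase(header.lower(), h) for h in headers):
            return True
    return False

def audit(policy_xml):
    """Flag grants a reviewer should question before deploying the file."""
    findings = []
    for domain, headers in header_grants(policy_xml):
        if "*" in domain:
            findings.append(f"wildcard domain {domain!r} may send {headers}")
        for h in headers:
            if "*" in h:
                findings.append(f"wildcard header {h!r} granted to {domain!r}")
            elif h == "authorization":
                findings.append(f"credential header granted to {domain!r}")
    return findings

if __name__ == "__main__":
    for name, policy in (("article", ARTICLE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit(policy) or "no findings")
```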
April 10th, 2008 at 9:44 pm
This one bit Cartoon Network and Adult Swim for their video apps. I knew it would and should have tried to get a beta of the player to check to make sure. 5 minute fix though.
April 11th, 2008 at 8:40 am
Does this mean a domain can explicitly allow the use of the restricted headers like Authorization now?
April 11th, 2008 at 10:27 am
Justen,
Yes, authorization is allowed again.
April 14th, 2008 at 12:31 pm
I was just curious, when does Adobe plan to update the Adobe Flash Player Security whitepaper?