Copy link to clipboard
Copied
Hi,
We're using the HtmlLoader in our Flex project (AIR 2.7) for restricted browsing (some URLs are denied).
I'm testing in unrestricted mode and I'm having problems with some HTTP requests that are done with the Referer header set to "app://Main.sfw[[Dynamic]]/2" instead of the URL of the containing page. As the referer URL is wrong, I'm receiving "access denied" messages instead of the content I'm expecting (typically, SWF files).
I figured that the default referer was set to the app file. I've tried adding ResquestHeader("Referer",location) to the requestHeaders array and using an intermedite URLLoader to load the datas but nothing worked, the latter provoking javascript errors.
Is there any way I could change the referer before the request is sent? And why is it set to the default value instead of what it should be?
Here's an example of a website I'm having trouble with : http://www.nitrome.com/games/rubbletroubletokyo/
When you click the "Skip Ad" button, the referer is set to the app instead of "http://www.nitrome.com/games/rubbletroubletokyo/". By the way, the button is part of an SWF movie and my guess is that's the source of the problem. The HtmlLoader should, however, be able to handle those.
The secured browser is a really important feature in our app and I'd really appreciated any help on this.
Thanks!!
Message was edited by: kboilydev : corrected typos
Copy link to clipboard
Copied
Thanks for the post. Forwarded to our Webkit team for their review.
Chris
Copy link to clipboard
Copied
Here's what I've heard back:
Unfortunately, the HTTP Referer cannot be changed from AIR applications (I'm not sure that it can be changed from flex applications also). There might be a possibility with using a non-application sandbox but the user will have to modify his app.
Here are more details on this: Setting up a sandbox bridge interface
Thanks,
Chris
Copy link to clipboard
Copied
I'll take a look.
Shouldn't this be handled by the component itself? I'm sure I'm not the only one getting this problem, as pointed out by this suggestions on Adobe Labs Ideas : http://ideas.adobe.com/ct/ct_a_view_idea.bix?c=9D564F43-979A-4E35-AA21-85A61B6AB8DE&idea_id=CA6C107B...
Edit : I don't get it. How can creating another sandbox help me?
Message was edited by: kboilydev
Copy link to clipboard
Copied
The AIR runtime uses a sandbox based security model. This basically means that content loaded for example from the root of your AIR application can only load resources from the local sandbox while content loaded from a non-application sandbox (for example http://www.example.com) can load content only from that specific domain. More info on the AIR security model and how sandboxes work in AIR please read the following article - Introduction to the AIR security model.
The referral cannot be changed programatically in an AIR application but using a non-application sandbox that will load resources from the root of your application but which will behave as they were loaded from a custom domain (http://www.example.com) you could obtain the needed HTTP referral. More info on non-application sandboxes can be found at the following location - Cross-scripting content in different security sandboxes.
Let us know if this helped you,
--Catalin
Copy link to clipboard
Copied
We decided not to even try this solution as it's too time consuming and we're not even sure we'll get the expected results.
Why is the default value app:/foo.swf instead of sending no referer like any other browser? Most of the time, an invalid referer is worse than none at all and will cause invalidations by websites.
I understand what you are trying to tell me with the sandboxes solution, but as you can see, I don't really care about getting the real referer. I just want to set it empty.
Thanks
Copy link to clipboard
Copied
I'd like to recommend a couple of things, first please feel free to enter this request over at bugbase.adobe.com. Post back with the URL and let others know so they can add their votes and comments.
Second, go vote for this feature request over at ideas.adobe.com:
Don't set default referer in HTML header
This might seem redundant, but better to get this out there more places so any many people as possible can see the request.
Chris
Copy link to clipboard
Copied
I had already voted for the idea. I just added a bug for this https://bugbase.adobe.com/index.cfm?event=bug&id=2945647
Thanks