6 Replies Latest reply on Nov 13, 2008 11:46 AM by skur75

    User agent and Referer

    alad_iim Level 1
      Hi all!

      I'm using some PHP-Scripts via HTTPService in my AIR-Application.
      At the moment the AIR-App sends - like a browser - information about user agent and referer, like:

      "app:/MyApp.swf" "Mozilla/5.0 (Windows; U; de-DE) AppleWebKit/523+ (KHTML, like Gecko) AdobeAIR/1.1"

      I'm planning to use these values in my PHP-Script to restrict the access to some scripts only to calls from AIR.

      How reliable are these information? Is it possible to deactivate or change these values on the client side?
      For example, in some browser you can deactivate the option to send a referer - is this possible in Air too?

      Sure, the other way round isn't very safe: a browser can imitate the referer and user agent and my script then thinks the client is an Air app. But it's a bit more security.

      Thanks a lot.
      Regards!
        • 1. Re: User agent and Referer
          Oliver Goldman Adobe Employee
          AIR applications can set the user agent string to any value. It has no security value whatsoever.

          • 2. Re: User agent and Referer
            alad_iim Level 1
            Hello!

            Thanks for your reply!

            If I unterstand you right, I can set the user agent in my Air Application to any special string. So if my Air app calls my php scripts and I check for the user agent string which I set in my Air app the final user who is using my Air app can't manipulate this?
            • 3. Re: User agent and Referer
              Oliver Goldman Adobe Employee
              No, the user can't set it. But nothing prevents another piece of software from adopting the same string you're using.

              • 4. Re: User agent and Referer
                alad_iim Level 1
                Sorry for pushing this thread again...

                But I didn't find any properties to set the User agent or Referer string.
                Where do I set it in an AIR Application?

                Thanks again!
                • 5. Re: User agent and Referer
                  enorton@adobe
                  Hi,

                  You can set the .userAgent property in 2 places:
                  1) URLRequestDefaults.userAgent (globally)
                  2) URLRequest (per request - overrides the global setting)

                  You can send headers using the URLRequest.requestHeaders property. This is an array of URLRequestHeader instances.

                  I hope this helps
                  -Erica

                  ps: you can look up more URLRequest properties (or details about the above) by using the appropriate Language Reference from our online docs: http://www.adobe.com/support/documentation/en/air/
                  • 6. User agent and Referer
                    skur75
                    I have a problem in that when I embed a certain swf on an Air html page, the http-referer that is sent by the Air runtime (or the underlying WebKit impl?) when requesting that swf is of the form app://mypage.html. The particular site serving the object/swf does not seem to like that referer pattern and sends me back an error swf rather than the object I requested.

                    I've been able to verify this by:
                    1) replaying the offending request in Firefox with the referer header as it would be sent from Air, which results in the same failed request (i.e. getting error.swf)
                    2) stripping the referer header altogether and replaying in Firefox in which case the intended swf is served to me

                    The site serving the request doesn't seem to be picky about what sites are linking to it based on referer (else a no referer header request would be rejected), it just doesn't seem to like the Air referer header that is being sent.

                    My question: Can I suppress/modify the referer header in the Air runtime? Or at least modify it? This is not an API constructed URL request but a resource request from an HTML object/embed, so I can't touch the headers explicitly while formulating the request. I'm assuming it would be a setting somewhere or a static var that could be set in the AIR API/runtime. If not, could this mod be requested?