Sans Browser

Updated Flash Player 9.0.124.0 Security Gotcha

June 5th, 2008 by enefekt

Just got done spending my afternoon tracking this one down. Had a Flash app on one domain, calling some web services from another.

The crossdomain.xml policy file worked perfectly fine up until 9.0.124.0 (which, BTW, gets automatically installed with the Mac OS 10.5.3 update), then stopped working.

Started getting the:

Request for resource at (url) by requestor from (url) is denied due to lack of policy file permissions.

Set up the policy logging, and found out the WSDLs were being loaded just fine, but everything failed when it came to actually calling a service.

Pored over the security article on Adobe’s site. Couldn’t find anything.
Finally ended up stumbling on this TechNote, which solved the problem for me.
After finding the problem, also saw the section in the Flash Player 9 Security PDF.

What was needed?

allow-http-request-headers-from

Needed to allow the SOAP headers.

Hopefully this might help someone else.
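
An added example, not part of the original post: a small Python check that reproduces the symptom above, where the policy grants data access (so the WSDL loads) but no header permission (so the SOAP call fails) until an allow-http-request-headers-from entry is present. The domain app.example.com, the choice of SOAPAction as the header, and the simplified wildcard matching are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy files. app.example.com is a placeholder for the domain
# serving the SWF; SOAPAction is assumed to be the SOAP header being blocked.
POLICY_BEFORE = """<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
</cross-domain-policy>"""

# Same policy with the header grant, scoped to one domain and one header.
POLICY_AFTER = """<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
  <allow-http-request-headers-from domain="app.example.com" headers="SOAPAction"/>
</cross-domain-policy>"""


def _match(pattern, value):
    # Simplified, case-insensitive wildcard match ("*", "*.example.com", "X-*").
    return fnmatch.fnmatchcase(value.lower(), pattern.strip().lower())


def check(policy_xml, swf_domain, header):
    """Return (data_allowed, header_allowed) for one requesting domain."""
    root = ET.fromstring(policy_xml)
    data = any(_match(e.get("domain", ""), swf_domain)
               for e in root.iter("allow-access-from"))
    hdr = any(_match(e.get("domain", ""), swf_domain)
              and any(_match(h, header) for h in e.get("headers", "").split(","))
              for e in root.iter("allow-http-request-headers-from"))
    return data, hdr


def wildcard_grants(policy_xml):
    """List header grants using a bare '*' for domain or headers (worth review)."""
    root = ET.fromstring(policy_xml)
    out = []
    for e in root.iter("allow-http-request-headers-from"):
        domain, headers = e.get("domain", ""), e.get("headers", "")
        if domain.strip() == "*" or "*" in [h.strip() for h in headers.split(",")]:
            out.append((domain, headers))
    return out


if __name__ == "__main__":
    print("before:", check(POLICY_BEFORE, "app.example.com", "SOAPAction"))
    print("after: ", check(POLICY_AFTER, "app.example.com", "SOAPAction"))
```

Keeping the grant limited to the one requesting domain and the one header the service needs avoids opening the endpoint to arbitrary custom headers from any site.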

3 Comments

  1. barry.b Says:

    and so might this (for 9.0.124.0):

    http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403030&sliceId=2

    “ActionScript error when an HTTP send action contains certain headers (Flash Player)”

    (dealing with reserved header names including “Authorization” if on 9.0.115)

  2. enefekt Says:

    Sweet, thanks.

  3. Mark Davies Says:

    You are a god.. thank you for sharing this!!
