28 January 2008 ~ 11 Comments

The Sky is Falling! URLRequstHeader and Authorization

Technology

I posted about one of the new restrictions of Flash Player 9.0.115 over here on my blog. http://blog.simb.net/2008/01/17/urlrequestheader-in-as3-can-not-use-authorization-header/

In that post, I explain how the sky is falling and that we are no longer able to use the Authorization header with the URLRequestHeader object. In the post I incorrectly state that the problem does not exist in Flex and AIR, but only in AS3. But that based on the documentation, it should not work so I expect it to fail soon.

As it turns out the problem is limited to Flash Player and some contexts of AIR. So here is the run down. SWF applications that are created in any form that are intended to run in the browser, no longer have access to this header. So whether they are created with Flex 2, Flex 3, AS3 or Flash IDE. If its headed for the browser and your user has updated to Flash Player 9.0.115 this code will error. If your application is headed for the AIR platform, you are in better luck. Any content loaded into the Application security sandbox still has full access to all headers. Only content that is loaded into a secure sandbox will be restricted.

So did I over react to the problem? Maybe. Only because I could not imagine how a change that could affect so many applications, could slip through so quietly. This is one of the first times I can ever think that a release of the flash player has openly broken backwards compatibility. I understand the reasoning for it, but it is a bit of a blow to my flash platform unified runtime theory, just like in the browser, I now have code that can behave differently for separate users.

What does this mean? Well I have to get back to work on the Freshbooks API, and have the Freshbooks guys label it as an AIR library since it wont work in flash player.

Tags: ,

11 Responses to “The Sky is Falling! URLRequstHeader and Authorization”

  1. Kevin Deenanauth 9 February 2008 at 5:53 pm Permalink

    I am currently trying to fix our authentication for one of our applications and came across your post. I first heard of the problem from a single Mac user, and thought “that’s strange” – this week, no one can login.

    I completely agree that disallowing the authorization header was a very sneaky/dirty move by Adobe. There are many tutorials out there that tell you how to do it; all no longer valid. What the hell Adobe?

  2. Simeon 14 February 2008 at 8:33 am Permalink

    Yeah its a tough spot. From what I have gathered this is partially as a result of one of the “flash is insecure” claims by hackers. Because many of todays routers use basic auth, and not many people change the password, it was actually very easy to use flash to disable someone internet connection.

    Of course this is a security flaw in the routers, not flash player, but the action has been taken none the less.

    If you control both the client and the server you can work around this by changing the name of the header you use for authentication. As long as its not another word that is blocked, then you should be fine. i dont have any details on *how* to actually do that. It was just one of the work arounds proposed to me by Adobe.

  3. Nick 14 February 2008 at 8:36 pm Permalink

    So does this mean if we want to sign into twitter with as3 and tweet from a flex app it is no longer possible using the library ? that’s harsh…

  4. Simeon 14 February 2008 at 9:38 pm Permalink

    Hey Nick,

    That is exactly what that means. Now its only a matter of time before twitter finishes upgrading its authentication scheme (there are several under consideration) but for now http basic auth is a no go.

  5. Brooks 15 March 2008 at 6:35 am Permalink

    Hey Simeon,

    You mention that Authorization can be set in AIR apps. However, I’m attempting to do this in an AIR app working with GData and still getting ArgumentError #2096.

    Any insights? I would of thought AIR would allow balls to the wall manipulation of the headers, but it seems to be crippled as well.

  6. Danno 15 March 2008 at 12:44 pm Permalink

    Hey Simeon

    Like Brooks, I’m running an AIR app (that worked in Beta 3 or the Flash player of that era anyway) and now it suffers that same error. I’m using httpservice to login to google calendar, then parsing the session key and using for Authorization header in subsequent interactions on my calendar (this is the approach Google mandates).

    In AIR, with POST…and I’m toast. This would limit me from doing any kind of intelligent interaction with web apis requiring authentication because the entire session requires the session key in the header.

    As far as my philosophy on security, if you want to provide an application of any kind, for any platform of any power or value, you need to establish trust with the originator of the application. You’ll never microcontrol application providers and still have them provide anything of value.

  7. Simeon 17 March 2008 at 6:25 am Permalink

    Hey Brooks and Danno. I am not sure what to say, I have AIR applications that are connecting using this header in the 1.0 release. The documentation says that its not restricted in AIR.

    All of that aside, Adobe released a technical document last week that outlines their path to returning the Authorization header to flash player use as well. There will be another update to Flash Player in April that with a little modification to server communication, will allow you to send the Authorization header again. So they recognize that this was an issue for many people.

    The only information I have for your delima was that I am actually using the URLLoader class not the HTTPService. So you might run a test with that and see if they are restricting the header on httpservice.

  8. Kamil 18 March 2008 at 6:18 am Permalink

    Simeon,

    Do you have a link to the Adobe technical document you mention that outlines a path back to allowing the Authorization header?

  9. Simeon 18 March 2008 at 7:04 am Permalink

    I have written yet another update on this thread here including all the information and links that can help people get Authorization headers back.

    http://blog.simb.net/?p=1696

  10. Lance 25 April 2008 at 9:12 am Permalink

    Simeon,

    I have been trying to get AIR to work with GData ClientLogin with no luck using both URLLoader or HTTPService.

    No matter what I try I always get this error: Error #2096: The HTTP request header DQAAA……..pYVA3MvmOksKg
    cannot be set via ActionScript.

    You mentioned that you have GData services working in Adobe AIR. Could you please provide some example code that works?

    My understanding is that you can’t

  11. david 31 December 2009 at 6:15 pm Permalink

    I realize this is an old thread…but I cannot get this to work upon trying for the first time today. What’s the latest on this? I’ve spent a full day researching and experimenting. Thanks.


Leave a Reply

PHVsPjxsaT48c3Ryb25nPndvb19hYm91dDwvc3Ryb25nPiAtIEhpISBNeSBuYW1lIGlzIFNpbWVvbiBCYXRlbWFuIGFuZCBJIGFtIGEgd2ViIGFwcGxpY2F0aW9uIGRldmVsb3BlciBzcGVjaWFsaXppbmcgaW4gdGhlIEFkb2JlIEZsYXNoIFBsYXRmb3JtLiAgSSBhbSBhbiBBZG9iZSBDb21tdW5pdHkgRXhwZXJ0IGFuZCBhbiBBZG9iZSBDZXJ0aWZpZWQgVHJhaW5lciBmb3IgRmxleCBhbmQgQUlSLiAgSSBhbSBhbHNvIHRoZSBQcmluY2lwbGUgSW5zdGlnYXRvciBmb3IgUE5XIFJhaW4gTExDIGFuIFJJQSBjb25zdWx0aW5nIGFuZCBtZW50b3JpbmcgY29tcGFueS48L2xpPjxsaT48c3Ryb25nPndvb19hZHNfcm90YXRlPC9zdHJvbmc+IC0gdHJ1ZTwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX2ltYWdlXzE8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb20vYWRzL3dvb3RoZW1lcy0xMjV4MTI1LTEuZ2lmPC9saT48bGk+PHN0cm9uZz53b29fYWRfaW1hZ2VfMjwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbS9hZHMvd29vdGhlbWVzLTEyNXgxMjUtMi5naWY8L2xpPjxsaT48c3Ryb25nPndvb19hZF9pbWFnZV8zPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tL2Fkcy93b290aGVtZXMtMTI1eDEyNS0zLmdpZjwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX2ltYWdlXzQ8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb20vYWRzL3dvb3RoZW1lcy0xMjV4MTI1LTQuZ2lmPC9saT48bGk+PHN0cm9uZz53b29fYWRfdG9wPC9zdHJvbmc+IC0gZmFsc2U8L2xpPjxsaT48c3Ryb25nPndvb19hZF90b3BfYWRzZW5zZTwvc3Ryb25nPiAtIDwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX3RvcF9pbWFnZTwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbS9hZHMvd29vdGhlbWVzLTQ2OHg2MC0yLmdpZjwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX3RvcF91cmw8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb208L2xpPjxsaT48c3Ryb25nPndvb19hZF91cmxfMTwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbTwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX3VybF8yPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tPC9saT48bGk+PHN0cm9uZz53b29fYWRfdXJsXzM8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb208L2xpPjxsaT48c3Ryb25nPndvb19hZF91cmxfNDwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbTwvbGk+PGxpPjxzdHJvbmc+d29vX2FsdF9zdHlsZXNoZWV0PC9zdHJvbmc+IC0ga2hha2kuY3NzPC9saT48bGk+PHN0cm9uZz53b29fYXV0b19pbWc8L3N0cm9uZz4gLSBmYWxzZTwvbGk+PGxpPjxzdHJvbmc+d29vX2NhdF9tZW51PC9zdHJvbmc+IC0gZmFsc2U8L2xpPjxsaT48c3Ryb25nPndvb19jb250ZW50X2FyY2hpdmVzPC9zdHJvbmc+IC0gZmFsc2U8L2xpPjxsaT48c3Ryb25nPndvb19jb250ZW50X2hvbWU8L3N0cm9uZz4gLSBmYWxzZTwvbGk+PGxpPjxzdHJvbmc+d29vX2N1c3RvbV9jc3M8L3N0cm9uZz4gLSA8L2xpPjxsaT48c3Ryb25nPndvb19jdXN0b21fZmF2aWNvbjwvc3Ryb25nPiAtIDwvbGk+PGxpPjxzdHJvbmc+d29vX2ZhY2Vib29rPC9zdHJvbmc+IC0gc2ltYmF0ZW1hbjwvbGk+PGxpPjxzdHJvbmc+d29vX2ZlZWRidXJuZXJfdXJsPC9zdHJvbmc+IC0gPC9saT48bGk+PHN0cm9uZz53b29fZm9vdF9jYXRfbWVudTwvc3Ryb25nPiAtIGZhbHNlPC9saT48bGk+PHN0cm9uZz53b29fZm9vdF9uYXZfZXhjbHVkZTwvc3Ryb25nPiAtIDwvbGk+PGxpPjxzdHJvbmc+d29vX2dvb2dsZV9hbmFseXRpY3M8L3N0cm9uZz4gLSA8c2NyaXB0IHR5cGU9XCJ0ZXh0L2phdmFzY3JpcHRcIj4NCnZhciBnYUpzSG9zdCA9ICgoXCJodHRwczpcIiA9PSBkb2N1bWVudC5sb2NhdGlvbi5wcm90b2NvbCkgPyBcImh0dHBzOi8vc3NsLlwiIDogXCJodHRwOi8vd3d3LlwiKTsNCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKFwiJTNDc2NyaXB0IHNyYz1cJ1wiICsgZ2FKc0hvc3QgKyBcImdvb2dsZS1hbmFseXRpY3MuY29tL2dhLmpzXCcgdHlwZT1cJ3RleHQvamF2YXNjcmlwdFwnJTNFJTNDL3NjcmlwdCUzRVwiKSk7DQo8L3NjcmlwdD4NCjxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPg0KdHJ5IHsNCnZhciBwYWdlVHJhY2tlciA9IF9nYXQuX2dldFRyYWNrZXIoXCJVQS0xMTE1MDU2LTRcIik7DQpwYWdlVHJhY2tlci5fdHJhY2tQYWdldmlldygpOw0KfSBjYXRjaChlcnIpIHt9PC9zY3JpcHQ+DQo8L2xpPjxsaT48c3Ryb25nPndvb19sb2dvPC9zdHJvbmc+IC0gL2Fzc2V0cy9pbWFnZXMvYmVjYXVzZUlTYWlkU28ucG5nPC9saT48bGk+PHN0cm9uZz53b29fbWFudWFsPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tL3N1cHBvcnQvdGhlbWUtZG9jdW1lbnRhdGlvbi9tYWluc3RyZWFtPC9saT48bGk+PHN0cm9uZz53b29fbmF2X2V4Y2x1ZGU8L3N0cm9uZz4gLSA8L2xpPjxsaT48c3Ryb25nPndvb19wcm9maWxlPC9zdHJvbmc+IC0gaHR0cDovL2kzLnl0aW1nLmNvbS92aS9yOWFkaU1OWjRGNC9kZWZhdWx0LmpwZzwvbGk+PGxpPjxzdHJvbmc+d29vX3Jlc2l6ZTwvc3Ryb25nPiAtIHRydWU8L2xpPjxsaT48c3Ryb25nPndvb19zaG9ydG5hbWU8L3N0cm9uZz4gLSB3b288L2xpPjxsaT48c3Ryb25nPndvb190aGVtZW5hbWU8L3N0cm9uZz4gLSBNYWluc3RyZWFtPC9saT48bGk+PHN0cm9uZz53b29fdGh1bWJfaGVpZ2h0PC9zdHJvbmc+IC0gMTAwPC9saT48bGk+PHN0cm9uZz53b29fdGh1bWJfd2lkdGg8L3N0cm9uZz4gLSAxMDA8L2xpPjxsaT48c3Ryb25nPndvb190d2l0dGVyPC9zdHJvbmc+IC0gc2ltYmF0ZW1hbjwvbGk+PC91bD4=