Adobe AIR 2.x  -  Bug 2945647

Created on Thursday, August 18, 2011


Title

[Platform_Windows]Default HTTP request referrer (referer header field) app://[app_name].swf causes denied access by some websites

Description

Problem Description:
The default HTTP request referrer (referer header field) app://[app_name].swf is non-standard and should simply be empty. A wrong referrer can cause a website to deny access when the site is relying on the referrer for validations.

Steps to Reproduce:
Using an HTMLLoader object, set location to http://www.nitrome.com

Actual Result:
An HTTP request for a swf file is sent with app://[app_name].swf as referrer (see actualRequest.jpg). The page is displayed without the central flash animation (see attachment actualResult.jpg). Using Charles Proxy, we can inspect the request/response and see the server returned 403 Forbidden, with an HTTP page containing "Access Denied" (see screenshots actualResponse1.jpg and actualResponse2.jpg).

Expected Result:
The HTTP request is sent with http://www.nitrome.com as referrer or with no referrer at all, as all other web browsers do (see expectedRequest). The page would be displayed normally and the server would send the file correctly (see attachment expectedResult.jpg). See expectedResponse1.jpg and expectedResponse2.jpg for response details.

Any Workarounds:
Referrers can't be changed in HTMLLoader requests. The only workaround is to use a proxy (tested with Charles Proxy) to intercept the message before it's sent and remove the referrer before actually sending it. With this method, the page loads correctly in the AIR app. However, it's not a viable solution for any project.

Test Configuration

Add a mx:HTML component to an empty Flex project and set htmlLoader.location = "http://www.nitrome.com"

App Language(s) French
OS Language(s) French
Platform(s) Win XP All
Browser(s)
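
The behaviour reported above (403 with an app:// referrer, normal delivery with a blank one) matches a common server-side hotlink check. The sketch below is an added example, not code from the report, from Adobe, or from the site involved; the allowlist, the function name `referer_decision` and the sample values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed policy: hosts whose pages may embed the protected asset.
ALLOWED_HOSTS = {"nitrome.com"}


def referer_decision(referer, allow_empty=True):
    """Return (status, reason) for a request carrying this Referer value."""
    if referer is None or referer.strip() == "":
        # RFC 2616 sec. 14.36 lets a client omit Referer entirely.
        return (200, "no referer") if allow_empty else (403, "referer required")
    try:
        parts = urlsplit(referer.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return 403, "unparseable referer"
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # app://[app_name].swf ends up here: it is not a web origin
        # the site can compare against its own host names.
        return 403, "non-web scheme %r" % scheme
    if not host:
        return 403, "no host in referer"
    for allowed in ALLOWED_HOSTS:
        # Exact host or a true subdomain; a bare endswith(allowed) would
        # also accept unrelated hosts that merely share the suffix.
        if host == allowed or host.endswith("." + allowed):
            return 200, "same-site referer"
    return 403, "foreign host %r" % host


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    samples = [
        "app://example_app.swf",
        "",
        "http://www.nitrome.com/",
        "http://examplenitrome.com/",
    ]
    for value in samples:
        print(repr(value), "->", referer_decision(value))
```

Because the client chooses the Referer value, a check like this deters casual hotlinking but cannot serve as access control, which is why stripping the header in a proxy was enough to load the page.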

Notes (4)

  • mitzoer

    11:45:48 AM GMT+00:00 Jun 1, 2013

    I appreciate you giving us this information. Please kindly inform me what the best thing to do with this bug is. Thank you.

  • Yang Liu

    12:01:04 AM GMT+00:00 Sep 14, 2011

    Thanks for your report. We could reproduce your issue. We would appreciate it if anyone affected by this issue could leave vote notes about how it impacts you.

    Thanks!

  • kboilydev

    6:51:25 AM GMT+00:00 Aug 18, 2011

    Related post on Adobe Labs Ideas : http://ideas.adobe.com/ct/ct_a_view_idea.bix?c=9D564F43-979A-4E35-AA21-85A61B6AB8DE&idea_id=CA6C107B-CE93-4DAF-82EA-503C4DB2B1F8

  • kboilydev

    6:04:12 AM GMT+00:00 Aug 18, 2011

    Attachment "referrer screenshots.zip" contains jpeg screenshots of the actual and expected results.

    In the test case, the request is sent from an iframe, which can explain why the referrer sent is not http://www.nitrome.com when sent from the app. On this page, Internet Explorer does send a referrer, however. It's not necessary; a blank referrer would do just fine.

Duplicate ID
Reported By kboilydev

Status

State Open
Status ToTrack
Reason

Importance

Priority 3-High
Frequency Some users will encounter
Failure Type Incorrectly Functioning
Product Area Networking

Build

Found In Build 2.7.1
Fixed In Build

Attachments (1)

Votes (6)

  • warpug

    7:56:27 AM GMT+00:00 Mar 20, 2013

    This is needed to build an unrestricted embedded browser for a client's application.

  • Tihomir Leka

    10:01:57 AM GMT+00:00 Oct 9, 2012

    I started building a simple web browser for a client when I ran into this and got pretty disappointed. First thing for an HTML component would be to be able to open any page.

  • Daniel Hai

    2:49:34 PM GMT+00:00 Sep 3, 2012

    Yeah this is bad juju. Should be blank, or settable. Better yet, should be able to define an initial urlrequest for the location.

  • Walter Treur

    7:41:02 AM GMT+00:00 Oct 31, 2011

    It allows a false implementation of the HTTP spec: The Referer should be set to the resource of which the Request-URI is obtained. This isn't necessarily the application itself, but could be an API address as well. Or perhaps a user input in which case the Referer should be empty.

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36

  • isgdm

    1:42:08 AM GMT+00:00 Sep 9, 2011

    This alone completely cripples WebKit. What happened? A perfectly good WebKit turned into junk once it got into Adobe's hands.

  • Idden-0o

    6:54:44 AM GMT+00:00 Aug 18, 2011

    This prevents the use of HTMLLoader to create a fully compliant web browser with AIR.
