[Platform_Windows] Default HTTP request referrer (referer header field) app://[app_name].swf causes denied access by some websites
The default HTTP request referrer (referer header field) app://[app_name].swf is non-standard and should simply be empty. A wrong referrer can cause a website to deny access when the site is relying on the referrer for validation.
Steps to Reproduce:
Using an HTMLLoader object, set location to http://www.nitrome.com
An HTTP request for a swf file is sent with app://[app_name].swf as referrer (see actualRequest.jpg). The page is displayed without the central flash animation (see attachment actualResult.jpg). Using Charles Proxy, we can inspect request/response and see the server returned 403 Forbidden, with an HTTP page containing "Access Denied" (see screenshot actualResponse1.jpg and actualResponse2.jpg).
The HTTP request is sent with http://www.nitrome.com as referrer or with no referrer at all, as all other web browsers do (see expectedRequest). The page would be displayed normally and the server would send the file correctly (see attachment expectedResult.jpg). See expectedResponse1.jpg and expectedResponse2.jpg for response details.
Referrers can't be changed in HTMLLoader requests. The only workaround is to use a proxy (tested with Charles Proxy) to intercept the message before it's sent and remove the referrer before actually sending it. With this method, the page loads correctly in the AIR app. However, it's not a viable solution for any project.
Add a mx:HTML component to an empty Flex project and set htmlLoader.location = "http://www.nitrome.com"
| Platform(s) | Win XP All |
| Found In Build | 2.7.1 |
| Fixed In Build | |
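
Added example (not part of the original report, and not the site's or Adobe's code): a model of the kind of server-side Referer check that would produce the 403 described above, run against the three request variants the report mentions. The allow-list, the function names and the sample app name `example_app` are assumptions; the site's real rule is not shown on the page.

```python
from urllib.parse import urlsplit

# Hypothetical hotlink-protection policy (an assumption, not the site's
# published rule): serve the asset when the Referer is absent or is an
# http(s) URL on an allowed host, and answer 403 otherwise.
ALLOWED_HOSTS = {"www.nitrome.com", "nitrome.com"}


def classify_referer(value):
    """Return 'absent', 'same-site', 'foreign' or 'invalid' for a Referer value."""
    if value is None or value.strip() == "":
        return "absent"
    try:
        parts = urlsplit(value.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        # Some Python versions reject bracketed hosts such as "[app_name].swf".
        return "invalid"
    if parts.scheme.lower() not in ("http", "https") or not host:
        # app://... lands here: it parses, but it is not an http(s) URL.
        return "invalid"
    return "same-site" if host in ALLOWED_HOSTS else "foreign"


def status_for(headers):
    """Status code the hypothetical asset server returns for these headers."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): val for name, val in headers.items()}
    kind = classify_referer(lowered.get("referer"))
    return 200 if kind in ("absent", "same-site") else 403


# Constructed sample requests mirroring the three cases in the report.
SAMPLES = {
    "AIR HTMLLoader": {"Referer": "app://example_app.swf"},
    "desktop browser": {"Referer": "http://www.nitrome.com/"},
    "proxy-stripped": {},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:16} -> {status_for(hdrs)}")
```
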
7:56:27 AM GMT+00:00 Mar 20, 2013
This is needed to build an unrestricted embedded browser for a client's application.
10:01:57 AM GMT+00:00 Oct 9, 2012
I started building a simple web browser for a client when I ran into this and got pretty disappointed. First thing for an HTML component would be to be able to open any page.
2:49:34 PM GMT+00:00 Sep 3, 2012
Yeah this is bad juju. Should be blank, or settable. Better yet, should be able to define an initial urlrequest for the location.
7:41:02 AM GMT+00:00 Oct 31, 2011
It allows a false implementation of the HTTP spec: The Referer should be set to the resource from which the Request-URI is obtained. This isn't necessarily the application itself, but could be an API address as well. Or perhaps a user input, in which case the Referer should be empty.
1:42:08 AM GMT+00:00 Sep 9, 2011
6:54:44 AM GMT+00:00 Aug 18, 2011
This prevents the use of htmlloader to create a fully compliant web browser with AIR.