Adobe recently rolled out a patch to Flash Player 9 to mitigate some bad security vulnerabilities (my favorite Flash vulnerability was hilariously described at Matasano Chargen). One of our Flash apps at work suffered collateral damage from the update.
If you get the message “Security error accessing url” after applying the April 8 Flash Player update, then it’s likely the app is doing one of the things described in this Adobe article on potential compatibility issues with the update. Our app was affected because it accesses a web service running on another server.
When the Flash Player accesses data from another domain on behalf of a Flash app, it first looks for a crossdomain.xml file in the root directory of the domain that is being accessed. For example, on my site it would try to retrieve wombatnation.com/crossdomain.xml. This file contains access policies that the Flash Player will apply. If you want to allow any Flash app to access a web service on your site, you can go with the Come and Get It policy file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
If you need to allow access to only a small set of domains, you should replace the * wildcard with something more specific. You can still use a * to pick up all sub-domains, though; for example, *.wombatnation.com would allow access to my local botnet herd.
One of the vulnerabilities Adobe is attempting to mitigate in this patch is the ability of a Flash app to send malicious HTTP headers to a remote service. The updated Flash Player lets an app send only the standard HTTP headers. If you want to send additional headers, the remote server must include additional policies. Unless, of course, your header of choice is already on the blacklist for fighting in bars, spitting on sidewalks or p0wning servers.
Since the SOAPAction header that is used with SOAP based web services is not a standard HTTP header, your Flash app will display the “Security error accessing url” message unless the remote server’s crossdomain.xml is updated. The quickest fix is to add the following line:
<allow-http-request-headers-from domain="*" headers="SOAPAction"/>
to the cross-domain-policy section. If you specified a more limited set of domains in the allow-access-from policy, you should probably use the same set of domains in this policy. This Adobe TechNote explains the details.
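To see how the two policy types above combine, here is a small checker, added as an example and not code from the original post or from Adobe. It parses a crossdomain.xml, answers whether a given requesting host may load data and whether it may send a given non-standard header such as SOAPAction, and flags the over-permissive settings (domain="*" and headers="*") that the post recommends narrowing. The sample policies and the host names are constructed for illustration; the matching rules (a leading *. covers the bare domain and its sub-domains, a trailing * on a header name is a prefix wildcard, and a header rule only helps if the host also passes allow-access-from) are this checker's interpretation of the documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed policy modelled on the post: access narrowed to *.wombatnation.com
# and a header rule added for SOAPAction after the April 8 update.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.wombatnation.com" />
  <allow-http-request-headers-from domain="*.wombatnation.com" headers="SOAPAction" />
</cross-domain-policy>
"""

# Constructed "Come and Get It" policy with a fully open header rule as well.
WIDE_OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""


def _domain_matches(pattern, host):
    """'*' matches any host; '*.example.com' matches example.com and any
    sub-domain of it; anything else must match exactly (case-insensitive).
    A pattern like '*.wombatnation.com' does NOT match 'evilwombatnation.com'
    because the match is anchored on the dot."""
    pattern, host = pattern.strip().lower(), host.strip().lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host == suffix[1:] or host.endswith(suffix)
    return host == pattern


def _header_matches(pattern, header):
    """'*' allows every header; a trailing '*' is a prefix wildcard (e.g. 'X-*');
    otherwise the header name must match exactly (case-insensitive)."""
    pattern, header = pattern.strip().lower(), header.strip().lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return header.startswith(pattern[:-1])
    return header == pattern


def parse_policy(xml_text):
    """Return (access_domains, header_rules) where header_rules is a list of
    (domain_pattern, [header_pattern, ...]) tuples."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element must be <cross-domain-policy>")
    access = [el.get("domain", "") for el in root.findall("allow-access-from")]
    rules = []
    for el in root.findall("allow-http-request-headers-from"):
        headers = [h.strip() for h in el.get("headers", "").split(",") if h.strip()]
        rules.append((el.get("domain", ""), headers))
    return access, rules


def domain_allowed(xml_text, host):
    """True if a Flash app served from `host` may load data from this site."""
    access, _ = parse_policy(xml_text)
    return any(_domain_matches(p, host) for p in access)


def header_allowed(xml_text, host, header):
    """True only if the host may access the site at all AND some header rule
    matching that host lists the header (or a wildcard covering it)."""
    if not domain_allowed(xml_text, host):
        return False
    _, rules = parse_policy(xml_text)
    return any(
        _domain_matches(d, host) and any(_header_matches(h, header) for h in hs)
        for d, hs in rules
    )


def audit(xml_text):
    """Findings a reviewer would raise: wildcard domains or wildcard headers."""
    findings = []
    access, rules = parse_policy(xml_text)
    if "*" in access:
        findings.append('allow-access-from domain="*": any Flash app on any site may read this service')
    for d, hs in rules:
        if "*" in hs:
            findings.append(f'allow-http-request-headers-from domain="{d}" headers="*": every header permitted')
        elif d == "*":
            findings.append(f'allow-http-request-headers-from domain="*" for {", ".join(hs)}: '
                            'consider using the same domains as allow-access-from')
    return findings


if __name__ == "__main__":
    for host in ("www.wombatnation.com", "wombatnation.com", "evilwombatnation.com"):
        print(host, domain_allowed(SAMPLE_POLICY, host),
              header_allowed(SAMPLE_POLICY, host, "SOAPAction"))
    for finding in audit(WIDE_OPEN_POLICY):
        print("finding:", finding)
```

Running it shows the two wombatnation hosts passing both checks while the look-alike domain fails, and the wide-open policy producing two findings. Point `audit` at your own crossdomain.xml to see whether the quick fix with domain="*" on the header rule is still in place after you have narrowed allow-access-from.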
I tried to figure out what was going on with Firebug, but Flash apps are pretty much black boxes to me unless you’re debugging them with Flex Builder or whatever tool was used to build them. Flash is a pretty useful technology for quickly building apps, but there are so many drawbacks that I seriously doubt I would ever choose it as my preferred tool for building web apps.