I have a small multiplayer Flash game in which you can display a player profile by clicking at his or her avatar:
const PROFILE_URL:String = 'http://myserver/user.php?id=';
try {
navigateToURL(new URLRequest(PROFILE_URL+id), '_blank');
} catch(e:Error) {
}
This works well, but now I'd like to extend the user.php, so that players can add comments about each other. For authorization I'd like to use HTTP cookies, passed from the game.swf to the user.php.
(I don't want use GET or POST here, because GET will have the auth. variables in the URL and players might occasionaly send that URL around or post it in my forum. And POST will ask to re-post the request when you reload).
My problem is that I can't find the way to set HTTP cookies through the navigateToURL() method. Please advise me
Regards,
Alex
You could first authenticate by logging in via a seperate call, for example login.php and that script would start a session. Then all other calls to the same domain would already have the session started and you could check authentication. No need to worry about cookies when PHP can do it for you.
Assuming that you already have the cookie value in your swf you should be able to use the URLRequestHeader together with the URLRequest as follows:
var header:URLRequestHeader = new URLRequestHeader("Cookie", "<the cookie>");
var request:URLRequest = new URLRequest("http://example.com/script.php");
request.requestHeader.push(header);
request.method = URLRequestMethod.POST;
navigateToURL(request, "_blank");
Under certain circumstances, the browser will send the cookie to the server if it has been already set even if you don't explicitly include it in the request. This depends on the browser and the version of the Flash Player. You might also need to adjust your crossdomain.xml file.
Also note that there might be security implications of passing around an unencrypted cookie token. See Firesheep.
Related
Let me introduce my problem step by step:
I was using a socket connection on the address www.mydomain.com:1925 to provide a chat service for my users. When I moved to cloudflare, I could not connect to port 1925 directly because of the fact that my requests were reaching my origin server over cloudflare and the port was changing.
How did I solve it?
I created a subdomain chat.mydomain.com whose DNS settings point to my origin server not cloudflare. I bypassed cloudflare by this way and I connected my chat service by using chat.mydomain.com:1925 on the browser. So far so good.
Here is the problem.
I am also using Flash and AS3. It is the core of my game on the site. Chat is working on html and my game in flash is in some part of my website. In flash, I was sending scores of players using again a socket connection on www.mydomain.com:1925 by a different namespace.(Since swf's host and url's host matched, I didn't have any problem I think).Since I have changed the domain to chat.mydomain.com:1925, Flash started to request a crossdomain.xml on chat.mydomain.com:1925. There is a crossdomain.xml file on chat.mydomain.com however I cannot serve it from chat.mydomain.com:1925. Here is my code:
Security.loadPolicyFile("https://chat.mydomain.com/crossdomain.xml");
var urlLoader:URLLoader = new URLLoader ();
var url:String = "https://chat.mydomain.com:1925/socket.io/1/";
var request:URLRequest = new URLRequest(url);
request.method = URLRequestMethod.POST;
urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
urlLoader.addEventListener(Event.COMPLETE, completeHandler);
urlLoader.addEventListener(IOErrorEvent.IO_ERROR,ioErrorHandler);
urlLoader.load(request);
Since flash cannot find crossdomain.xml by getting 404, the requests in my code do not work. How can I solve this problem?
I have solved the problem. The URLRequest was trying to connect https://chat.example.com:1925/socket.io/1/. Since the swf was on the domain https://www.example.com, the swf was asking for https://chat.example.com:1925/crossdomain.xml. The port did not understand the https since it was used for my websocket. So I could not find any way to call this request in the swf. Then, I came up with an idea that I can call this url outside of the swf. Since I needed only handshakeid, I called this function via javascript. After getting the response, I loaded my swf by giving the handshakeid as an argument. That has solved my problem. For ones who need to call a function like this dynamically, they can use ExternalInterface calls. I hope it helps.
I'm developing a Flex mobile application and I'm using the Http Services within FlashBuilder (4.7) to send/receive data. I'm having some issues with how the server is setup to accept calls (from the mobile platform) and apparently setting the User-Agent in Android works just fine. But I can't seem to be able to find a way to set the User-Agent in FlashBuilder.
Any ideas?
Thanks
var request:URLRequest=new URLRequest('URL_OF_YOUR_SERVICE');
var userCredential:Object = new Object();
userCredential['user_email'] = 'YOUR_MAIL';
userCredential['user_password'] = 'YOUR_PASSWORD';
request.data=JSON.stringify(userCredential);// use this if your service accept json only else give Object directly
request.method = 'post';// specify here method GET or POST
var loader:URLLoader=new URLLoader();
loader.addEventListener(Event.COMPLETE, userLoginCompleteHandler);
loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorHanlder);
try
{
loader.load(request);
}
catch(error:Error)
{
trace("Login Error:: "+ error.toString());
}
may this will help you, here i have defined userLoginCompleteHandler and onIOErrorHanlder event listner for result and fault.
No, you can't set the User-Agent header in Flex.
From this Adobe forums post:
Note again that since the underlying Flash API is flash.net.URLLoader there are certain headers that
you cannot send. For details, please see the docs for flash.net.URLRequestHeader.
The URLRequestHeader docs say:
In Flash Player and in Adobe AIR content outside of the application
security sandbox, the following request headers cannot be used:
... User-Agent, ...
I have a rssfeed application made in Adobe AIR. It uses the UrlLoader to read the feeds. I need the application to never prompt the user to enter password for a website or accept a certificate of a website if is no longer valid. I prefer to have it fail instead.
I have setup the event listeners for IO+Error and Security_ERROR but that is not enough
Sample urls(this may not work in future)
http://www.dawnanddrew.com/rss2.xml (asks for user and pass atm)
I had another issue with a feed that even if it was a http url the website redirected the loader to https and then the certificate validation failed and the user was asked to accept the certificate. I need this to fail (I mark failed feeds and the user can check them when they want to find the issue and fix them or remove them)
Using AIR (which you are), you can actually tell the application to NOT handle authentication.
var request:URLRequest =new URLRequest("http://www.dawnanddrew.com/rss2.xml");
request.authenticate = false; //default is true, so you need to tell your request to not handle authentication
Then it will fail with an IO error instead of prompting for credentials.
Documentation
Note however, this will only work in AIR and is not a supported property for flash player.
You cannot do it this way. Now, the server returns specific status and the browser reacts to it by showing you a login dialog box. You cannot do this directly in flash and you cannot get default login button. You need to implement this by your own. The perfect way to do so is to check (server side) if the user is logged in and if not - return status ok (200) with an error message (let's say JSON). This specific message would be read by the flash client and a login screen would be shown (custom made). You will also need to implement the login feature by yourself :)
Sorry for the bad news, but this is the way it is with flash.
I've recently started putting together a Facebook Connect AS3 app and retrieving objects and images through the Graph API.
Running anywhere but locally, I receive security errors of the form:
SecurityError: Error #2122: Security sandbox violation: Loader.content: xxxx cannot access http://photos-a.ak.fbcdn.net/xxxx.jpg
A policy file is required, but the checkPolicyFile flag was not set when this media was loaded.
If I add a line of the form:
Security.loadPolicyFile("ht_tp://photos-a.ak.fbcdn.net/crossdomain.xml");
-then I'm fine for that server, but it seems that there are any number of domains with the photos-[letter] format. I've added the one for each in the alphabet - which happily retrieves crossdomain files successfully - but it doesn't seem like a nice solution, and doesn't accommodate any new hosting setups Facebook may will implement in the future.
One thing I'd considered was retrieving the crossdomain policy file on a per image basis, capturing the domain from the image URL before making the image request. Unfortunately, at least via the Graph solution (and I haven't looked too closely at the others), their servers resolve the image url after the request is made, from something more generic like:
ht_tps://graph.facebook.com/[objectId]/picture?type=small&access_token=[accessToken]
Has anyone found a more dependable means of ensuring that images can be retrieved without security sandbox violations? Or do Facebook maintain a definitive list that developers need to keep an eye on?
Thanks!
Load the facebook crossdomains on the initial of your application as below;
Security.allowDomain("*");
Security.allowInsecureDomain("*");
Security.loadPolicyFile("http://graph.facebook.com/crossdomain.xml");
Security.loadPolicyFile("https://graph.facebook.com/crossdomain.xml");
Security.loadPolicyFile("http://profile.ak.fbcdn.net/crossdomain.xml");
Security.loadPolicyFile("https://profile.ak.fbcdn.net/crossdomain.xml");
Security.loadPolicyFile("http://profile.cc.fbcdn.net/crossdomain.xml");
Security.loadPolicyFile("https://profile.cc.fbcdn.net/crossdomain.xml");
Security.loadPolicyFile("http://fbcdn-profile-a.akamaihd.net/crossdomain.xml");
Security.loadPolicyFile("https://fbcdn-profile-a.akamaihd.net/crossdomain.xml");
Security.loadPolicyFile("http://fbcdn-sphotos-a.akamaihd.net/crossdomain.xml");
Security.loadPolicyFile("https://fbcdn-sphotos-a.akamaihd.net/crossdomain.xml");
and then whenever you want to load an image from facebook, set the checkPolicy flag to true using the Loader's LoaderContext as below;
var context:LoaderContext = new LoaderContext();
context.applicationDomain = ApplicationDomain.currentDomain;
context.checkPolicyFile = true;
var loader:Loader = new Loader();
loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onLoadFacebookPhoto);
loader.load(new URLRequest(YOUR_FACEBOOK_PHOTO_URL),context);
private function onLoadFacebookPhoto(e:Event):void
{
addChild(Bitmap(LoaderInfo(e.target).content));
}
Ideally I would guess that you'd want Flash to get the policy file on its own, rather than triggering it with Security.loadPolicyFile. Have you tried simply setting the checkPolicyFile flag for your Loader's LoaderContext?
Alternately, I believe that when you use URLLoader instead of Loader, Flash will request a policy file automatically, so you could try that as well. The tricky thing is that if you use Loader, Flash will let you display what you've loaded even without a crossdomain policy, so it doesn't load one unless you tell it to. When you use URLLoader, the load itself is not allowed unless there's a policy file, so Flash gets it automatically.
I am trying to load an xml file from wikipedia into my flash movie.
loader = new URLLoader();
loader.addEventListener(Event.COMPLETE, tweetLoaded);
loader.load(new URLRequest("http://en.wikipedia.org/w/api.php?action=query&rvprop=content&format=xml&pageids="+subNum));
loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorFunction);
This works fine when the flash file is run locally but when I upload to my domain it does not seem to work. I have read elsewhere that the cross domain rule does not apply to XML files only to images and other media. Is this true? If not is there a work around so that I can load in XML files from domains other than the one the swf is hosted on?
thanks
EDIT:
Okay I am really confused, my program queries both Bing API and the media wiki API. The Bing api call works fine, I can retrieve the XML search results back from it fine. But the wikipedia call does not work (online). I have tried listening for the Security_Error on the wikipedia call but it does not fire.
Does anyone have any ideas? Losing it a bit.
Thanks so much for you help. In the end i used http://pipes.yahoo.com
I created a pipe that took in an ID number then spat out a JSON object with the title of the corresponding wikipedia page.
which you can use here http://pipes.yahoo.com/wikibyid
For anyone else doing this you need to make sure you access the pipe from the yahoo api URL
http://pipes.yahooapis.com/
as this domain has the crossdomain.xml file.
A workaround is setting up a proxy with some server side language, so your swf loads data from your domain. This proxy forwards the request to the real host and returns the response to the swf. From the flash side, this works transparently.
You could make your proxy more or less sofisticated, but it could be as simple as (in php):
echo file_get_contents($_GET['target_url']);
This is just to give you an idea, you might want to validate the target_url parameter.
Have your swf call this php script and pass target_url as a parameter. Something like this:
var url:String = "proxy.php";
var paramVal:String = encodeURIComponent("http://en.wikipedia.org/w/api.php?action=query&rvprop=content&format=xml&pageids="+subNum);
url += "?target_url=" + paramVal;
loader.load(new URLRequest(url));
Note that for php this will require allowing fopen for urls (similar permissions might be neccesary for other server side technologies). Also, keep in mind this will affect your server bandwith consumption.
PS
Bing works because they have a crossdomain policy file in place to allow access to swfs from other domains.
http://api.bing.net/crossdomain.xml
Wikipedia doesn't have a crossdomain policy file that grants you access from other domains, so you cannot connect directly from your swf.