I need help.
We developed an HTML browser based on Adobe AIR to run a Flex application (SWF) and replace normal browsers (IE, Chrome, ...).
It works perfectly and runs web applications based on Flex, but our application has a link that opens a servlet in an external browser (or a tab for IE, Chrome, ...). In Adobe AIR, we lose the session and cannot access the servlet.
I have already tried putting the headers that contain the session ID in the URLRequest, but it shows me an error with the navigateToURL(request) method:
SecurityError: Error #3769: Security sandbox violation: Only simple headers can be used with navigateToUrl() or sendToUrl().
request.requestHeaders.push(new URLRequestHeader("SESSIONID", sessionId));
request.requestHeaders.push(new URLRequestHeader("JSESSIONID", sessionId));
request.requestHeaders.push(new URLRequestHeader("Set-Cookie", "JSESSIONID="+ sessionId));
request.method = URLRequestMethod.POST;
var loader:URLLoader = new URLLoader();
navigateToURL(request); // --> produces an exception
Is there any solution or workaround?
Thanks in advance,
There are a bunch of cross-site scripting considerations that play into how and why we limit setting various headers when emitting requests from Flash/AIR. I can't think of a good way to hand off session tokens to an external process as cookies.
You're going to need a little service on the appropriate domain to facilitate the redirection. You'll have to think about how to best secure it, but I think the general shape of it might be a service where you pass the tokens from the AIR client to the server, it returns a corresponding token to retrieve them, you pass that to the external browser via navigateToURL, the client browser makes that request, and your service returns a redirect request to your applet with the appropriate headers set. You could enhance security by doing some handshaking where the server gives you a one-time salt to hash your tokens with before passing them, etc. Once retrieved, you should drop the record with the tokens so that they can't be reused.
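
The handoff service outlined in the reply above, sketched as an added example (not part of the thread and not Adobe's code). Python stands in for whatever the server runs; the names HandoffStore, handle_browser_request and SERVLET_PATH and the 30-second ticket lifetime are assumptions.

```python
import hashlib
import secrets
import time

TICKET_TTL_SECONDS = 30        # assumption: the handoff completes within seconds
SERVLET_PATH = "/app/report"   # hypothetical fixed redirect target


class HandoffStore:
    """Maps short-lived, one-time tickets to session IDs (in memory)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._records = {}  # sha256(ticket) -> (session_id, expires_at)

    @staticmethod
    def _key(ticket):
        # Store only a hash so a dump of the table does not expose live tickets.
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, session_id):
        """Called by the AIR client over its already authenticated session."""
        ticket = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._key(ticket)] = (
            session_id, self._clock() + TICKET_TTL_SECONDS)
        return ticket  # the client appends this to the URL for navigateToURL

    def redeem(self, ticket):
        """Called when the external browser arrives; works once only."""
        # pop() drops the record on first use, whether valid or expired.
        record = self._records.pop(self._key(ticket), None)
        if record is None:
            return None
        session_id, expires_at = record
        return session_id if self._clock() <= expires_at else None


def handle_browser_request(store, ticket):
    """Return (status, headers) for the external browser's GET."""
    session_id = store.redeem(ticket)
    if session_id is None:
        return 403, {}
    cookie = f"JSESSIONID={session_id}; Path=/; Secure; HttpOnly"
    # Location is a server-side constant, never taken from the request,
    # so the endpoint cannot be used as an open redirect.
    return 302, {"Set-Cookie": cookie, "Location": SERVLET_PATH}
```

The ticket travels in a URL, so it can end up in browser history and server logs; the short lifetime and single use are what keep a logged ticket from being replayed.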