It appears the April update of Flash Player’s security policies has some implications for Amazon’s web services. Per the release information, it appears that it is no longer sufficient to have a crossdomain.xml file that contains <allow-access-from domain="*"/>:
In order for a SWF to send a header anywhere other than its own host, the origin domain of the SWF must have explicit permission from the host to which the header is being sent, in the form of a policy file. The existing policy file model will apply, with the same file locations and ActionScript APIs, but a new syntax will be required. To specify header-sending rights, use this new tag: <allow-http-request-headers-from>.
Without such an entry, whenever you use the WebService tag in MXML to access an Amazon web service, you’ll get the “security error accessing url” message. I currently have this problem with the following use of the WebService tag:
<mx:WebService
    wsdl="{'http://webservices.amazon.com/AWSECommerceService/AWSECommerceService.wsdl'}"
    showBusyCursor="true"
    fault="Alert.show(event.fault.faultString)"
    load="startScanning(event);">
    ...
This code functioned without issue until I updated to Flash Player 9,0,124,0. I’ve started a thread on the Amazon Web Services Developer Connection, so hopefully someone at Amazon will add the appropriate <allow-http-request-headers-from domain="*"/> entry to the crossdomain.xml file at webservices.amazon.com to address this problem.
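To see which rights a given policy file actually grants, the following added example (not code from the original post or from Adobe or Amazon) parses a crossdomain.xml and reports whether a SWF origin may load data, whether it may send a given header, and which entries use a bare wildcard. The two policies are constructed samples, the SOAPAction header and the `headers` attribute value are assumptions about what a SOAP call needs, and the domain and header matching is a simplified version of Flash Player's rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not the real file served by any host).
OLD_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

NEW_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>"""


def domain_matches(pattern, origin):
    """Exact match, bare "*", or a leading "*." wildcard such as "*.example.com"."""
    pattern, origin = pattern.lower(), origin.lower()
    if pattern == "*" or pattern == origin:
        return True
    return pattern.startswith("*.") and origin.endswith(pattern[1:])


def header_allowed(spec, header):
    """spec is a comma-separated list; "*" or a trailing "*" acts as a wildcard."""
    for item in (h.strip().lower() for h in spec.split(",")):
        if item == "*" or item == header.lower():
            return True
        if item.endswith("*") and header.lower().startswith(item[:-1]):
            return True
    return False


def check_policy(policy_xml, origin, header):
    """Return (can_load_data, can_send_header, wildcard_entries) for a SWF origin."""
    # Sample input only; use a hardened parser for policy files fetched from the network.
    root = ET.fromstring(policy_xml)
    can_load = can_send = False
    wildcard_entries = []
    for el in root:
        dom = el.get("domain", "")
        if el.tag == "allow-access-from" and domain_matches(dom, origin):
            can_load = True
        elif el.tag == "allow-http-request-headers-from" and domain_matches(dom, origin):
            if header_allowed(el.get("headers", ""), header):
                can_send = True
        if dom == "*":
            wildcard_entries.append(el.tag)  # this right is granted to every SWF origin
    return can_load, can_send, wildcard_entries
```

With the old-style policy the data-loading check passes but the header check fails, which matches the behaviour described above; the wildcard list shows how broadly each right is granted when `domain="*"` is used.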
Hopefully this post saves some people a few hours of beating their heads against a wall. Unless I’m totally mistaken, and there’s a workaround that doesn’t involve using a proxy?