Hi, HTTPService on the AS side supports this security feature via cross domain policies built into the Flash Player. CORS is a little more complex and sometimes requires both client and server configuration rather than just mostly server side as AS security does. I think users of FlexJS would want us to support security features for both JS and AS right? Currently JS security in HTTPService is IMO a little broken.
It often said that security is not an optional feature at Apache. It seems you are asking me to make it an optional feature? Anyway just so other people know what the change was. I added this JS only method to HTTPService: COMPILE::JS public function set withCredentials(value:Boolean):void { var element:XMLHttpRequest = this.element as XMLHttpRequest; element.withCredentials = value; } This line of code is required to support a common scenario i.e. calling a API on a different server from the domain the original page was served from. It’s JS only and has zero performance or size impact on the AS side so as far as I can see there no PAYG implications. Not having it may force a user to disable security to get their application to work. If is not set then cookies and/or user credentials are not passed on with requests which stop most forms of user authentication from working. I did consider turning it on by default for all requests and adding that one line of code to the send method but they may be some cases where users do not want it. Thanks, Justin