Hi,

HTTPService on the AS side supports this security feature via cross domain 
policies built into the Flash Player. CORS is a little more complex and 
sometimes requires both client and server configuration rather than just mostly 
server side as AS security does. I think users of FlexJS would want us to 
support security features for both JS and AS, right? Currently JS security in 
HTTPService is IMO a little broken. 

It is often said that security is not an optional feature at Apache. It seems you 
are asking me to make it an optional feature?

Anyway, just so other people know what the change was: I added this JS-only 
method to HTTPService:

    COMPILE::JS
    public function set withCredentials(value:Boolean):void {
        var element:XMLHttpRequest = this.element as XMLHttpRequest;
        element.withCredentials = value;
    }

This line of code is required to support a common scenario, i.e. calling an API 
on a different server from the domain the original page was served from. It’s 
JS only and has zero performance or size impact on the AS side, so as far as I 
can see there are no PAYG implications. Not having it may force a user to disable 
security to get their application to work. If it is not set then cookies and/or 
user credentials are not passed on with requests, which stops most forms of user 
authentication from working.

I did consider turning it on by default for all requests and adding that one 
line of code to the send method, but there may be some cases where users do not 
want it.

Thanks,
Justin
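
An added example, not part of the message above and not FlexJS code: the server-side half of the configuration that withCredentials depends on, next to a model of the CORS check a browser applies before script may read the response. The function names, the allowlist and the example.com origins are assumptions made for illustration.

```javascript
// Added example: models the browser's CORS check for XMLHttpRequest responses.
// ALLOWED_ORIGINS, corsHeadersFor, browserExposesResponse and the origins
// are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Server side: build response headers for a credentialed cross-origin request.
// The origin is echoed only when it is on the allowlist; "*" is never used,
// because browsers reject it when withCredentials is true.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "vary": "Origin", // keep caches from reusing one origin's headers for another
  };
}

// Client side: the CORS check from the Fetch standard, which decides whether
// script may read the response. Header names are expected in lower case.
function browserExposesResponse(pageOrigin, withCredentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Constructed cases: [label, page origin, withCredentials, response headers]
const cases = [
  ["allowlisted origin, credentials", "https://app.example.com", true,
    corsHeadersFor("https://app.example.com")],
  ["wildcard, credentials", "https://app.example.com", true,
    { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" }],
  ["wildcard, no credentials", "https://app.example.com", false,
    { "access-control-allow-origin": "*" }],
  ["origin echoed, credentials header missing", "https://app.example.com", true,
    { "access-control-allow-origin": "https://app.example.com" }],
  ["origin not on allowlist", "https://other.example.net", true,
    corsHeadersFor("https://other.example.net")],
];

for (const [label, origin, creds, headers] of cases) {
  const verdict = browserExposesResponse(origin, creds, headers) ? "readable" : "blocked";
  console.log(`${label}: ${verdict}`);
}
```

The check governs whether script can read the response; it does not replace authentication and authorization on the server.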
