Alright - turns out we only need to whitelist Authorization. X headers aren't blacklisted by the player. We don't want to whitelist them all for security reasons. Updating the crossdomain.xml is being worked on currently.
Cheers,
-Jeff

On Tue, May 12, 2009 at 12:06 PM, Jeff Fisher <[email protected]> wrote:
> Well, we would actually probably just whitelist all headers.
>
> Cheers,
> -Jeff
>
> On Mon, May 11, 2009 at 11:59 PM, Michal Gron <[email protected]> wrote:
>> Yes, true, but without a correct crossdomain.xml file it's not possible
>> - Flash Player throws a Security sandbox violation error.
>> I think something like this could be helpful:
>> <allow-http-request-headers-from domain="*" secure="false" headers="Authorization,X-Method-Override" />
>>
>> Michal
>>
>> On Mon, May 11, 2009 at 11:00 PM, Jeff Fisher <[email protected]> wrote:
>>> So noted. Might want to add your comments to the issue as well. Basically
>>> you will be needing to use the X-Method-Override header to fake the POST
>>> being a GET (basically you set the header to indicate what type of request
>>> you WANT to make and the API will process it as that even though it received
>>> it as something else.)
>>>
>>> Cheers,
>>> -Jeff
>>>
>>> On Mon, May 11, 2009 at 12:22 AM, michal.gron <[email protected]> wrote:
>>>> There is also a problem when accessing private entries from Flash
>>>> Player authorized via AuthSub.
>>>> Somehow you need to send the Authorization header from Flash Player
>>>> (containing the AuthSub session token), and the only possible way is to do
>>>> it via a POST request because Flash Player cannot send headers with a GET
>>>> request.
>>>>
>>>> And a POST request to the PWA Data API means creating something new, in
>>>> this case (I think :) ) a new Album entry.
>>>>
>>>> It looks like there is (yet) no way to read private PWA entries
>>>> authorized via AuthSub because:
>>>> 1. we need crossdomain.xml with <allow-http-request-headers-from
>>>> domain="*" headers="Authorization"/>
>>>> 2. we need to be able to send POST requests to read the private entries
>>>>
>>>> Thanks for any information/hints on this.
>>>>
>>>> Michal
>>>>
>>>> On 27 Mar., 20:56, Lee Evans <[email protected]> wrote:
>>>> > Thanks for getting back to me...
>>>> >
>>>> > This has been filed. If anyone else needs this, please star
>>>> >
>>>> > http://code.google.com/p/gdata-issues/issues/detail?id=1122
>>>> >
>>>> > Thanks.
>>>> >
>>>> > Lee
>>>> >
>>>> > Lee Evans
>>>> > [email protected]
>>>> >
>>>> > From: [email protected] [mailto:[email protected]] On Behalf Of Jeff Fisher
>>>> > Sent: Friday, March 27, 2009 1:03 PM
>>>> > To: [email protected]
>>>> > Subject: [PWA API] Re: Sending Authorization Header from Flash/AS3
>>>> >
>>>> > Hi,
>>>> >
>>>> > Sounds reasonable. Please file a feature request:
>>>> >
>>>> > http://code.google.com/p/gdata-issues/issues/entry
>>>> >
>>>> > Cheers,
>>>> > -Jeff
>>>> >
>>>> > On Thu, Mar 26, 2009 at 12:26 PM, Lee <[email protected]> wrote:
>>>> >
>>>> > Hello,
>>>> >
>>>> > I've been trying to authorize my Flash/AS3 Photo Viewer against Picasa
>>>> > and I have no problems getting the Auth Token from ClientLogin
>>>> > at https://www.google.com/accounts/ClientLogin
>>>> >
>>>> > However it seems that for me to send this auth token to
>>>> > PicasaWebAlbums as part of an authorization header from AS3,
>>>> > the http://photos.googleapis.com/data/crossdomain.xml file needs to
>>>> > include...
>>>> >
>>>> > <allow-http-request-headers-from domain="*" headers="Authorization"/>
>>>> >
>>>> > (per http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403184)
>>>> >
>>>> > I have no idea what the implications are of Google making this change,
>>>> > but has anyone else requested this and is this something that could
>>>> > possibly be done so that the Picasa web albums that require an
>>>> > authorization header can be accessed directly from Flash?
>>>> >
>>>> > I'm aware that I could also use a proxy to relay the authorization
>>>> > header, but I'd rather keep the extra hop to my server out of the loop
>>>> > if possible.
>>>> >
>>>> > Any info would be greatly appreciated.
>>>> >
>>>> > Thanks
>>>> >
>>>> > Lee Evans
>>>> > [email protected]

You received this message because you are subscribed to the Google Groups "Google Picasa Web Albums API" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/Google-Picasa-Data-API?hl=en
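The whole thread turns on one question: which request headers a crossdomain.xml should let SWFs from any origin send, and why "just whitelist everything" is the wrong answer. The audit script below is an added example for this page, not Google's, Adobe's or any poster's code. It parses a policy file with Python's standard library and flags the over-broad settings a reviewer would look for: `allow-access-from domain="*"`, `headers="*"`, prefix wildcards such as `X-*`, and `secure="false"`. Both sample policies are constructed here: the minimal whitelist proposed above, and the "whitelist all headers" alternative that was floated. The `SENSITIVE_HEADERS` list and the severities are this example's own judgement, not anything stated on the page.

```python
"""Audit a Flash cross-domain policy (crossdomain.xml) for over-broad
settings.  Added example for this thread; not Google's, Adobe's or any
poster's code.  The sample policies below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Headers an arbitrary third-party SWF should not be allowed to set on
# requests to an API: with them it can replay credentials it holds or, via
# the X-Method-Override trick discussed above, turn a POST into any verb.
# (List chosen for this example, not taken from the thread.)
SENSITIVE_HEADERS = {
    "authorization", "cookie", "x-method-override", "x-http-method-override",
}
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def header_matches(pattern, name):
    """Flash header patterns are case-insensitive and may end in '*'
    ('*' alone matches everything, 'X-*' every header starting with X-)."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one policy file."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    findings = []

    # Who may *read* responses.  Flash sends the browser's cookies with these
    # requests, so a wildcard here lets any site read cookie-authenticated data.
    for el in root.iter("allow-access-from"):
        if el.get("domain", "") == "*":
            findings.append(("HIGH", 'allow-access-from domain="*": any site can read '
                                     "responses sent with the user's cookies"))
        if el.get("secure", "").lower() == "false":
            findings.append(("MEDIUM", 'allow-access-from secure="false": SWFs loaded '
                                       "over plain HTTP may reach this HTTPS host"))

    # Who may *send* which request headers.
    for el in root.iter("allow-http-request-headers-from"):
        domain = el.get("domain", "")
        if el.get("secure", "").lower() == "false":
            findings.append(("MEDIUM", 'allow-http-request-headers-from secure="false" '
                                       "for %s: HTTP-loaded SWFs may send headers here" % domain))
        for pattern in (p.strip() for p in el.get("headers", "").split(",")):
            if not pattern:
                continue
            exposed = sorted(h for h in SENSITIVE_HEADERS if header_matches(pattern, h))
            if pattern == "*":
                findings.append(("HIGH" if domain == "*" else "MEDIUM",
                                 'headers="*" for domain="%s": every header allowed, '
                                 "including %s" % (domain, ", ".join(exposed))))
            elif exposed:
                findings.append(("MEDIUM",
                                 'header pattern "%s" for domain="%s" allows %s; confirm '
                                 "the API does not also honour browser cookies"
                                 % (pattern, domain, ", ".join(exposed))))
            elif pattern.endswith("*"):
                findings.append(("LOW", 'prefix wildcard "%s" for domain="%s": prefer an '
                                        "explicit header list" % (pattern, domain)))
    return findings


def worst_severity(findings):
    """Highest severity present, or "NONE"."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="NONE")


# Constructed sample: the minimal whitelist proposed in the thread.
MINIMAL_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-http-request-headers-from domain="*" secure="false"
      headers="Authorization,X-Method-Override"/>
</cross-domain-policy>
"""

# Constructed sample: the "just whitelist all headers" alternative.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    for label, policy in (("minimal", MINIMAL_POLICY), ("permissive", PERMISSIVE_POLICY)):
        found = audit_policy(policy)
        print("%s policy: worst=%s" % (label, worst_severity(found)))
        for sev, msg in found:
            print("  [%s] %s" % (sev, msg))
```

The minimal policy comes out MEDIUM rather than HIGH because Flash does not attach an Authorization header on its own: a third-party SWF can only send a token it already holds, which is why the thread settled on whitelisting that one header. The finding still asks you to confirm the API ignores browser cookies, since Flash does forward those, and a cookie-authenticated endpoint that honours X-Method-Override from any origin would be a different matter. The permissive policy is flagged HIGH twice: any site can read responses, and any site can set any header.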
