Hi, with the "X-HTTP-Method-Override: GET" header I get:

Fault: Error #2170: Security sandbox violation: http://www.prasa.sk/authsub/index.swf cannot send HTTP headers to http://photos.googleapis.com/data/feed/api/user/default?access=private.

and the flashlog.txt says:

Error: Request for resource at http://photos.googleapis.com/data/feed/api/user/default?access=private by requestor from http://www.prasa.sk/authsub/index.swf is denied due to lack of policy file permissions.
*** Security Sandbox Violation ***
Connection to http://photos.googleapis.com/data/feed/api/user/default?access=private halted - not permitted from http://www.prasa.sk/authsub/index.swf

Looks like the X- header doesn't work..

Thanks
Michal

On Wed, May 20, 2009 at 8:33 PM, Jeff Fisher <[email protected]> wrote:
> Alright - turns out we only need to whitelist Authorization. X headers
> aren't blacklisted by the player. We don't want to whitelist them all for
> security reasons. Updating the crossdomain.xml is being worked on currently.
>
> Cheers,
> -Jeff
>
> On Tue, May 12, 2009 at 12:06 PM, Jeff Fisher <[email protected]> wrote:
>
>> Well, we would actually probably just whitelist all headers.
>>
>> Cheers,
>> -Jeff
>>
>> On Mon, May 11, 2009 at 11:59 PM, Michal Gron <[email protected]> wrote:
>>
>>> Yes, true, but without a correct crossdomain.xml file it's not possible
>>> - Flash Player throws a Security sandbox violation error.
>>> I think something like this could be helpful:
>>> <allow-http-request-headers-from domain="*" secure="false" headers="Authorization,X-Method-Override" />
>>>
>>> Michal
>>>
>>> On Mon, May 11, 2009 at 11:00 PM, Jeff Fisher <[email protected]> wrote:
>>>
>>>> So noted. Might want to add your comments to the issue as well.
>>>> Basically you will be needing to use the X-Method-Override header to fake
>>>> the POST being a GET (basically you set the header to indicate what type of
>>>> request you WANT to make and the API will process it as that even though it
>>>> received it as something else.)
>>>>
>>>> Cheers,
>>>> -Jeff
>>>>
>>>> On Mon, May 11, 2009 at 12:22 AM, michal.gron <[email protected]> wrote:
>>>>
>>>>> There is also a problem when accessing private entries from Flash
>>>>> Player authorized via AuthSub.
>>>>> Somehow you need to send the Authorization header from Flash Player
>>>>> (containing the AuthSub session token), and the only possible way is to do
>>>>> it via a POST request because Flash Player cannot send headers with a GET
>>>>> request.
>>>>>
>>>>> And a POST request to the PWA Data API means creating something new, in
>>>>> this case (I think :) ) a new Album entry.
>>>>>
>>>>> It looks like there is (yet) no way to read private PWA entries
>>>>> authorized via AuthSub because:
>>>>> 1. we need crossdomain.xml with <allow-http-request-headers-from domain="*" headers="Authorization"/>
>>>>> 2. we need to be able to send POST requests to read the private entries
>>>>>
>>>>> Thanks for any information/hints on this.
>>>>>
>>>>> Michal
>>>>>
>>>>> On 27. Mar., 20:56 h., Lee Evans <[email protected]> wrote:
>>>>> > Thanks for getting back to me...
>>>>> >
>>>>> > This has been filed. If anyone else needs this, please star
>>>>> >
>>>>> > http://code.google.com/p/gdata-issues/issues/detail?id=1122
>>>>> >
>>>>> > Thanks.
>>>>> >
>>>>> > Lee
>>>>> >
>>>>> > Lee Evans
>>>>> > [email protected]<mailto:[email protected]>
>>>>> >
>>>>> > From: [email protected] [mailto:[email protected]] On Behalf Of Jeff Fisher
>>>>> > Sent: Friday, March 27, 2009 1:03 PM
>>>>> > To: [email protected]
>>>>> > Subject: [PWA API] Re: Sending Authorization Header from Flash/AS3
>>>>> >
>>>>> > Hi,
>>>>> >
>>>>> > Sounds reasonable. Please file a feature request:
>>>>> >
>>>>> > http://code.google.com/p/gdata-issues/issues/entry
>>>>> >
>>>>> > Cheers,
>>>>> > -Jeff
>>>>> >
>>>>> > On Thu, Mar 26, 2009 at 12:26 PM, Lee <[email protected]<mailto:[email protected]>> wrote:
>>>>> >
>>>>> > Hello,
>>>>> >
>>>>> > I've been trying to authorize my Flash/AS3 Photo Viewer against Picasa
>>>>> > and I have no problems getting the Auth Token from ClientLogin at
>>>>> > https://www.google.com/accounts/ClientLogin
>>>>> >
>>>>> > However it seems that for me to send this auth token to
>>>>> > PicasaWebAlbums as part of an authorization header from AS3, the
>>>>> > http://photos.googleapis.com/data/crossdomain.xml file needs to
>>>>> > include...
>>>>> >
>>>>> > <allow-http-request-headers-from domain="*" headers="Authorization"/>
>>>>> >
>>>>> > (per http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403184)
>>>>> >
>>>>> > I have no idea what the implications are of Google making this change,
>>>>> > but has anyone else requested this and is this something that could
>>>>> > possibly be done so that the Picasa web albums that require an
>>>>> > authorization header can be accessed directly from Flash?
>>>>> >
>>>>> > I'm aware that I could also use a proxy to relay the authorization
>>>>> > header, but I'd rather keep the extra hop to my server out of the loop
>>>>> > if possible.
>>>>> >
>>>>> > Any info would be greatly appreciated.
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> > Lee Evans
>>>>> > [email protected]<mailto:[email protected]>
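An added example, not part of the thread or of Google's code: a simplified Python model of how a `crossdomain.xml` header whitelist like the one discussed above is evaluated, reporting which request headers a SWF origin would be refused and flagging an allow-all rule. The policy strings are constructed, the function names are hypothetical, and the matching ignores the `secure` attribute and meta-policies.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed policies: the narrow rule requested in the thread vs. a wildcard rule.
NARROW = '''<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="Authorization"/>
</cross-domain-policy>'''
WIDE = NARROW.replace('headers="Authorization"', 'headers="*"')

def _domain_ok(pattern, host):
    # Simplified matching (assumption): "*", an exact host, or "*.suffix".
    pattern, host = pattern.lower(), host.lower()
    if pattern in ("*", host):
        return True
    return pattern.startswith("*.") and host.endswith(pattern[1:])

def _header_ok(pattern, header):
    # Exact name (case-insensitive), "*", or a trailing-wildcard prefix like "X-*".
    pattern, header = pattern.strip().lower(), header.lower()
    if pattern.endswith("*"):
        return header.startswith(pattern[:-1])
    return pattern == header

def denied_headers(policy_xml, swf_url, headers):
    """Return the request headers the policy does NOT let swf_url send."""
    host = urlparse(swf_url).hostname or ""
    allowed = []
    for rule in ET.fromstring(policy_xml).iter("allow-http-request-headers-from"):
        if _domain_ok(rule.get("domain", ""), host):
            allowed += rule.get("headers", "").split(",")
    return [h for h in headers if not any(_header_ok(p, h) for p in allowed)]

def audit(policy_xml):
    """Return the rules that let any origin send any header."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("allow-http-request-headers-from"):
        names = [h.strip() for h in rule.get("headers", "").split(",")]
        if rule.get("domain") == "*" and "*" in names:
            findings.append(dict(rule.attrib))
    return findings

if __name__ == "__main__":
    swf = "http://www.prasa.sk/authsub/index.swf"
    wanted = ["Authorization", "X-HTTP-Method-Override"]
    print("narrow policy refuses:", denied_headers(NARROW, swf, wanted))
    print("wide policy refuses:", denied_headers(WIDE, swf, wanted))
    print("allow-all rules in wide policy:", audit(WIDE))
```
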
