NavigateToURL and custom header change

First, we apologize for the inconvenience the change to navigateToURL has caused you and your customers. We typically do everything possible to keep existing content working, but in this case we had no choice but to make these changes given the security implications.
This change was necessary to fix a security vulnerability (CVE-2014-0516) related to Flash Player’s handling of custom request headers that could be abused to violate the cross domain security policy (reference http://helpx.adobe.com/security/products/flash-player/apsb14-14.html). Successful exploitation of CVE-2014-0516 could result in sensitive information disclosure.
We have a few suggested high-level workarounds below. In addition, we'd love to hear solutions from the community and, if possible, work with one or two developers to iterate on our suggestions and improve these workarounds for future documentation. If you are interested in helping, please feel free to reach out to me at [email protected].
ExternalInterface
We have blocked custom headers from navigateToURL() when the URLRequest is a POST.
ActionScript could replace the use of navigateToURL(url:URLRequest, name:String) with ExternalInterface.call("jsNavigateToUrl", url:String, name:String, headers:Array).
The HTML page could then implement the JavaScript function jsNavigateToUrl(url, name, headers), which uses window.open() to request the new window from JavaScript instead of ActionScript.
NOTE: window.open() does not allow you to POST, but you can work around that using the approach in the Stack Overflow article "window.open and pass parameters by post method" (linked under References).
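One way the page-side jsNavigateToUrl function could look, as an added example that is not Adobe's code. It assumes each element of headers is an object with name and value properties, delivers those values as hidden form fields in a POST (script cannot attach custom request headers to a window navigation), and takes a hypothetical optional env argument so it can be exercised outside a browser.

```javascript
// Added example (not Adobe's code): page-side target for
// ExternalInterface.call("jsNavigateToUrl", url, name, headers).

const RESERVED_TARGETS = new Set(["_blank", "_self", "_parent", "_top"]);

// Accept only absolute http(s) URLs. The SWF supplies the URL, so other
// schemes (javascript:, data:, ...) and unparsable values are refused.
function isHttpUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// url:     absolute http(s) URL to POST to
// name:    window name, as in navigateToURL's second argument
// headers: array of {name, value} objects (assumed shape)
// env:     hypothetical test hook: {document, window}; omit in the browser
function jsNavigateToUrl(url, name, headers, env) {
  if (!isHttpUrl(url)) return false;
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(String(name))) return false;

  const doc = (env && env.document) || document;
  const win = (env && env.window) || window;

  // Build a throwaway form whose target is the named window.
  const form = doc.createElement("form");
  form.method = "POST";
  form.action = url;
  form.target = name;

  // Values are assigned as properties, never concatenated into markup.
  for (const h of headers || []) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = String(h.name);
    input.value = String(h.value);
    form.appendChild(input);
  }

  doc.body.appendChild(form);
  // Open the named window first so the POST response lands in it.
  // Reserved targets are left to the browser's own handling.
  if (!RESERVED_TARGETS.has(name)) win.open("about:blank", name);
  form.submit();
  doc.body.removeChild(form);
  return true;
}
```

The receiving server has to read these values from the POST body, which is the "Form Data or Url Parameters" approach described next.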
Form Data or URL Parameters
The custom headers (that the player is now blocking) could be sent as form data or URL parameters.
The server could be recoded to accept this alternate delivery of the data.
If this isn't an option (for instance, you are posting to a third-party server), then your server can introduce a new URL which processes the data in its new form before redirecting to the original URL with the data delivered in its original form.
This mod_rewrite + mod_headers example explains something similar:
http://www.kahunaburger.com/2012/05/18/mod_rewrite-and-mod_headers-to-rewrite-headers/
In addition to Apache's mod_rewrite and mod_headers, HeliconTech makes mod_headers and mod_rewrite filters for IIS.
References:
http://helpx.adobe.com/security/products/flash-player/apsb14-14.html
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/URLRequest.html
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/package.html#navigateToURL()
http://stackoverflow.com/questions/3951768/window-open-and-pass-parameters-by-post-method
http://www.kahunaburger.com/2012/05/18/mod_rewrite-and-mod_headers-to-rewrite-headers/

Our security model does not allow a movie to send HTTP headers across domains unless the player has confirmed that the receiving domain permits it with a cross-domain policy file (see Adobe ActionScript 3.0 * Website controls (policy files)).
With navigateToURL() we are unable to detect server-side redirects, so we are unable to confirm that the actual recipient permits HTTP headers. To resolve this, we elected to block HTTP headers from all navigateToURL requests.
As noted by several customers, this has proved to be overly restrictive, so we are going to relax the restriction to allow simple headers with navigateToUrl requests.
Simple headers are defined by Cross-Origin Resource Sharing as:
"A header is said to be a simple header if the header field name is an ASCII case-insensitive match for Accept, Accept-Language, or Content-Language or if it is an ASCII case-insensitive match for Content-Type and the header field value media type (excluding parameters) is an ASCII case-insensitive match for application/x-www-form-urlencoded, multipart/form-data, or text/plain."
In an upcoming Flash Player build, navigateToURL() will be changed to throw the exception only when called with a URLRequest containing non-simple headers. We're shooting to get this change in for our July release, but this will of course depend on our testing results. We'll be getting this into a public beta as soon as possible (possibly as soon as the next week or two).
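To see which headers on an existing request would still trigger the exception under this rule, the following added example (not Adobe's implementation) applies the simple-header definition quoted above and moves everything else into form data. The {name, value} header shape and the "hdr_" field prefix are assumptions for illustration.

```javascript
// Added example (not Adobe's implementation): apply the CORS "simple header"
// definition quoted above, then re-encode the remaining headers as form fields.

const SIMPLE_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// ASCII-only lowercasing, matching "ASCII case-insensitive" in the definition.
function asciiLower(s) {
  return String(s).replace(/[A-Z]/g, (c) => c.toLowerCase());
}

// Media type without parameters: "text/plain; charset=utf-8" -> "text/plain".
function mediaType(value) {
  return asciiLower(String(value).split(";")[0].trim());
}

function isSimpleHeader(name, value) {
  const n = asciiLower(String(name).trim());
  if (SIMPLE_NAMES.has(n)) return true;
  if (n === "content-type") return SIMPLE_CONTENT_TYPES.has(mediaType(value));
  return false;
}

// Split headers ({name, value} objects, assumed shape) into those that may
// stay on the request and those that must be delivered another way.
function partitionHeaders(headers) {
  const keep = [];
  const move = [];
  for (const h of headers) {
    (isSimpleHeader(h.name, h.value) ? keep : move).push(h);
  }
  return { keep, move };
}

// Append the non-simple headers to the form fields already being posted.
// The server must map the prefixed fields back to whatever it expected.
function toFormBody(existingFields, movedHeaders, prefix = "hdr_") {
  const params = new URLSearchParams(existingFields);
  for (const h of movedHeaders) params.append(prefix + h.name, h.value);
  return params.toString();
}

// Constructed sample request headers.
const sample = [
  { name: "Accept-Language", value: "en-US" },
  { name: "Content-Type", value: "application/json" },
  { name: "X-Session", value: "abc 123" },
];
const { keep, move } = partitionHeaders(sample);
console.log("stay as headers:", keep.map((h) => h.name));
console.log("move to form data:", toFormBody({ q: "1" }, move));
```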

Similar Messages

  • Workbench and customized request

    What is the difference between workbench request and customized request

    Hi,
    Changes to cross-client Customizing objects and to Repository objects are recorded in Workbench requests
    In workbench request .... it can be programs (repository objects) and cross client data (ie not specific to one client).
    Changes to client-specific Customizing objects are recorded in Customizing requests.
    Customer customized data designed for a specific client is transported to another client using customizing request. Most of the cases these requests are something like changing values in tables (that too client specific).
    More precisely
    ===========
    Customizing request
    Customizing requests contain changes to client-dependent tables.
    Workbench request
    Workbench requests contain changes to client-independent tables.
    For more details
    =============
    Re: what is a request
    Re: difference between the Workbench Request and Customized Request
    Hope that helps

  • Changing colors/style sheets with custom header portlets?

    We would like to write a completely custom header portlet (a standard portlet that is designated as a header, not using the branding server), but I can't seem to find a way to change the style sheets in subportals when I do this.
    Am I missing something? Do you have to use the branding engine to control style sheets in subportals, or is there another way?
    Chris Stoffel
    Portal Developer
    Halliburton KBR

    ------- developersupport wrote on 12/11/03 4:24 PM -------
    The way Branding accomplishes what you're looking for is by setting a portlet setting called "Portal-Style" on the header portlet using the EDK.  This setting can be set either as an Admin level or CommunityPortlet level setting.  When the portal loads a page with a header, it will check to see if the header has this preference set (first on the CommunityPortlet level, if the header is on a community, and then on the Admin level).  If so, the portal will cause everything to use the stylesheet specified in the setting value.
    The setting value is the name of the stylesheet.  For example, if you wished every page displaying the header to be orange, you could set the "Portal-Style" Admin setting on the portlet to a value of "mainstyle17", the orange-themed stylesheet.
    Perhaps I'm not setting the preference properly. Sniffing the HTTP headers between the gadget and portal servers, I do see:
    [HTTP_CSP_GLOBAL_GADGET_PREF] => Portal-Style=mainstyle17
    (I also tried it with Portal%u002DStyle, but neither works)
    The remote server header portlet doesn't seem to be picking up the fact that there is an admin pref to override the main page's stylesheet. Did I create the portlet wrong, or am I setting the preference incorrectly, or what? Thanks

  • How to find all those list of SAP standard and custom objects that are changed from a specific point of time

    Hi all,
    Please let me know the process to track or find all the SAP standard and custom objects that got changed from a specific point of time.
    Is there any function module or any table where this change log is maintained?
    I just only need the details, whether that SAP standard or custom object has got changed or not.
    Thanks in advance

    Hi RK v,
    I really don't know what your actual requirement is, but if you want to know the objects as per the modification, then the transport request will be of much help to you.
    Have a look into tables E070 and E071.
    Regards,
    Yogendra Bhaskar

  • Impacts in COPA of changing material and customer master data

    Dear experts,
    In my company we are considering following scenario:
    Currently mySAPerp 6.0 is implemented for all modules for the mother company.
    We have developed a new global template where there are significant changes versus the existing system, especially in the SD processes. Material and customer master also change significantly in terms of content in the tables/fields and/or values in the fields.
    The idea was to build the template from scratch in a new machine and roll-out all group affiliates, but now we are considering the possibility of making an evolutionary of the current system and try to stretch it to the processes defined in the global template.
    The scenario we want to analyze is: Keeping same organizational structure in terms of Company code, CO area and Operating Concern in existing SAP client and make an evolutionary of the existing settings to the global template processes.
    The doubts we are having are the following:
    Changing material & customer master data: Impact in COPA
    Option 1: Material master data and customer master data codes are maintained but content in the tables/fields is changed substantially, both in terms of logical content of specific fields and/or the values in the specific fields. We have following examples of changes.
    Case 1: source field in material master changes logical content. E.g. Material master field MVGR1 is currently used for product series (design line) and the content changes to be the Market Segment. The product series will be moved to a classification field. At least 5 other fields are affected by this. How can data in terms of COPA line items be converted so that they are aligned at time of reporting?
    Case 2: the source field is not changed so that the logical content of the field remains but the values change, i.e. for the same concept there will be different codifications. How can data in terms of COPA line items be converted so that they are aligned at time of reporting?
    Case 3: Characteristics where currently the source material master field is a Z field and the derivation is via table look up and where the Z field changes to a classification field. How can you convert the existing COPA line items to ensure that attributes are aligned? Should new characteristics be created or just change the derivation logic of the characteristic?
    Option 2: Material master data and customer data codes are re-created (codification of records is changed), meaning that new material and customer codes will exist and content in tables/fields is changed (as in option 1)
    Case: material and customer codes are changed. How can data in terms of COPA line items be converted so that they are aligned at time of reporting?
    I've never faced a similar scenario and I fear that maintaining operating concern while changing source master data and also SD flows (we have new billing types, item categories, sales doc. types, order reasons) may lead to inconsistencies and problems in COPA.
    I would like to ask you experts if you have come across a similar scenario and if from your experience, it is something feasible to do or there are many risks involved. What can be the impact of this scenario in existing Operating Concern for both option 1 and 2 and what would be the key activities to perform to adapt the existing operating concern. What will be the impact of the needed conversions on P&L reporting?
    Sorry for the long story. I hope you can help me out.
    Thanks and Regards,
    Eric

    Hi,
    First I think you will need to test if it works for new COPA documents created via billing.
    If it works fine then the issue is if you wish to apply these changes to the historical data already posted.
    Normally there are transactions like KE4S where you can repost the billing document to COPA.
    However this may not be viable for bulk postings.
    You can perform realignment (KEND) but this only works at the PA segment level (table CE4XXXX).
    regards
    Waman

  • Bapi For creation and change for Vendor Master and Customer Master

    I am looking for BAPI to create and change  Vendor Master and Customer Master which will not take me to standard SAP transaction but will work in the background
    Explanation: BAPI to delete material (BAPI_MATERIAL_DELETE) take you to standard SAP screen of T-Code MM06  but BAPI to create material (BAPI_MATERIAL_SAVEDATA) creates material in the background i.e. does not take you to standard SAP screen of T-Code MM01
    So in my case (i.e. to create and change  Vendor Master and Customer Master ) I want BAPI which would work like BAPI to create material (BAPI_MATERIAL_SAVEDATA)

    For general information,to find BAPIs associated with any business object :
    Transaction : BAPI - choose alphabetical tab - Find customer - (right side choose - tools - create bapi list and search ) , you will get all the BAPIs associated with this particular business  object
    Mathews

  • Report on Purchase order header changes and Line item changes.

    Gurus
    All changes which have been done in a Purchase order can be seen in Environment----Header changes or Item changes for a particular PO.
    Now the end user wants to see the changes made in all the purchase orders for a particular project in a specified date range.
    Suppose there are a total of 100 POs placed in one month for a particular project. The end user wants to see the changes MADE (IF ANY) in the above POs.
    Is there any standard report available to this effect, or is it a Z development?
    Atul

    Hi,
    This report can easily be written using the tables EKKO and EKPO.
    First get the POs created in that date range.
    From there get the change document numbers; with this extract the date from CDHDR and CDPOS tables.
    regards,
    Lalita

  • Trigger CIF during custom field change on Purchase Req. and PO

    Hi,
    We added a custom date field in Purchase Req. and Purchase Order transactions (ME52N/ME22N) in ECC. When this custom field gets changed along with any other standard field, outbound CIF process happens. However, when we change this custom field only, then outbound CIF doesn't happen. I believe we need change pointers and may be custom code to trigger outbound CIF. I would appreciate any suggestions on how to achieve this functionality.
    Thanks.
    Naveen

    Hello Naveen,
    Use user exit EXIT_SAPLMEAP_001 here, the structure CIFPUORCUS must be enhanced with custom fields so that the document date can be included (IT_OUTPUT_CUS).transferred to CT_MM_DOC. You need to fill EBAN and EKPO for change transfer. Also you can have the background job for RIMODINI to transfer the changes.
    Best Regards,
    R.Brahmankar

  • How to Change Journal Header name to Custom Header Name while GL Importing?

    Hello Experts,
    I am in situation where customer wanted to keep their own journal header naming conventions to imported journals in Oracle GL for custom Journal sources.
    As I know while importing journals, Oracle Creates the Journal Name based on the below mentioned logic.
    "Journal Import creates a default journal entry name using the following format:
    (Optional User-Entered REFERENCE4)(Category Name)(Currency)
    (Currency Conversion Type, if applicable)
    (Currency Conversion Rate, if applicable)
    (Currency Conversion Date, if applicable) (Encumbrance Type ID, if applicable)
    (Budget VersionID, if applicable). If you enter a journal entry name,
    Journal Import prepends the first 25 characters of your journal entry name to
    the above format"
    But then how is it possible to only allow the journal header name present in REFERENCE4 to be used, excluding all other strings provided by Oracle? Instead of using the omitted string, the customer wanted to keep their own parameters. Example - REFERENCE4.A.B.C etc.
    Is it possible to solve this using seeded setup or modifying some hook packages or anything else?
    As far as I know there can be one workaround, which is updating the journal header name after journal import has completed successfully for the custom journal source. But my only fear is that Oracle doesn't allow updating the base table without an API. Am I right?
    So it would be really great if anyone of you can suggest the best solution or best possible workaround.
    Thanks

    Duplicate - How to Change Journal Header name to Custom Header Name while GL Importing?

  • Custom.pll and custom.plx location changed

    Hi Friends,
    I am having Oracle Apps 11.5.9 and I had the custom.pll and custom.plx in $AU_TOP/resource and made the changes there and it was working fine.
    Now suddenly the changes made to the file are not reflecting, so I searched the server and I could see another copy of custom.pll and custom.plx in $COMMON_TOP/admin/scripts, and the changes being made to these files are getting reflected (not the ones from $AU_TOP).
    I don't know how this change happened.
    So Please let me know how to change the location of custom.pll and custom.plx from $COMMON_TOP/admin/scripts to $AU_TOP/resource?
    Regards,
    Arun

    Arun,
    How did you verify that the one which is used is the one under $COMMON_TOP/admin/scripts?
    "So Please let me know how to change the location of custom.pll and custom.plx from $COMMON_TOP/admin/scripts to $AU_TOP/resource?"
    Copy the CUSTOM.pll file back to $AU_TOP/resource, and compile the file again. Make sure both files (CUSTOM.pll and CUSTOM.plx) exist under this directory, and bounce the application services then.
    Also, delete all CUSTOM* files under $COMMON_TOP/admin/scripts (take a backup of the files first).
    Regards,
    Hussein

  • Error when Compiling package header and body - how change pkb file associat

    Hi everyone,
    it has already been noticed elsewhere (in the thread "Compiling package header and body" of Jan 12, 2010) that the compilation of package scripts sometimes fails (apparently because of a sqldeveloper bug) when the script contains the terminating slash /.
    Is this bug still open?
    Next question: In the above mentioned thread it is recommended as workaround to change the corresponding file type association from pl/sql to sql. I would like to do that; I know the place in the preferences dialog, but most of the associations there seem to be hard coded and cannot be changed.
    I would appreciate any ideas!
    Thanks in advance,
    user8632123.

    For the workaround: you'd have to change the file's extension, not the association (to e.g. .sql).
    Have fun,
    K.

  • OSB to RestFul with Custom Header and Authentication

    I am trying to add to OSB a RestFul service which requires authentication and custom http headers.
    I am able to register the RestFul service as Business Service with following parameter
    - Service Type: Messaging Service
    - Request Message Type: None
    - Response Message Type: Text
    - Http Request Method: Get
    - Authentication: Basic (Service Account)
    When I test the Business Service in the Test Console, I passed in the custom http header and the content type and it did return back the JSON object I was expected.
    However when I then try to create a Proxy against it with the following parameter, I had problem running it in the Test Console. Although I did pass in the http header it still complained that I didn't pass in the header. And as for Authentication, I was not even able to specify a service account like how I did in Business Service.
    - Service Type: Messaging Service
    - Request Message Type: None
    - Response Message Type: Text
    - Http Request Method: Get
    Any ideas?
    Thanks

    What type of service account are you using ? If it is static you need specify the username/password in the PS. Also you do not specify service account for a proxy service. What is the error in the logs.
    If you have to pass the HTTP header use transport headers in your request, select request type as http and then set the content type and custom http header.
    http://docs.oracle.com/cd/E21764_01/doc.1111/e15867/modelingmessageflow.htm#i1125373

  • How to print jTable with custom header and footer....

    Hello all,
    I'm trying to print a jTable with custom header and footer. But
    jTable1.print(PrintMode,headerFormat,footerFormat,showPrintDialog,attr,interactive)
    does not allow multi line header and footer. I read in a chat that we can make custom header and footer and wrap the printable with that of the jTable. How can we do that..
    Here's the instruction on the chat...
    Shannon Hickey: While the default Header and Footer support in the JTable printing won't do exactly what you're looking for, there is a straight-forward approach. You can turn off the default header/footer and then wrap JTable's printable inside another Printable. This wrapper printable would then render your custom data, and then adjust the size given to the wrapped printable
    But how can I wrap the jTable's Printable with the custom header and footer?
    Thanks in advance,

    I also once hoped for an easy way to modify a table's header and footer, but found no way.
    Yet it is possible.

  • I have a custom template.  When I edit it and try to save it asks me to name it and then I end up with an additional custom template.  How do I edit the template and save the changes without creating another template?

    I have a custom template.  When I edit it and try to save it asks me to name it and then I end up with an additional custom template.  How do I edit the template and save the changes without creating another template?

    Hi Atrec,
    If you don't need your old custom template, save your changes with the same template name. It will tell you that this template exists and will ask you Replace? Say yes (if you do want to replace the old with the new!)
    To delete unwanted templates, go to Finder > Menu > Go and press the option key. Your Library will show in the Go Menu. Navigate to Library > Application Support > iWork > Numbers > Templates > My Templates.
    Delete any unwanted template by dragging it to the Trash or click on it then command-delete.
    Having gone to all that trouble to find My Templates folder, right click (or control click) on it and Make Alias. Drag the Alias to any convenient place for a quick way to get back to that folder.
    Regards,
    Ian.

  • Custom Header and Custom policy

    In one of my BPEL service I need to create Custom security policy which generated custom SOAP header.
    To be clear when we use Usernametoken client security policy, Soap header with username and password elements gets generated for a request payload. In the same way I need to create a client policy which generates custom soap header while request is sent.
    Can anyone suggest, how to do this.
    Sowmya

    Thanks Anuj all these says how to customize the existing policy
    But my requirement is to create a custom header in SOA 11g
    Example if we use WSSE UsernameToken Header, in SOAP request header we get as
    <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken>
    <wsse:Username>username</wsse:Username>
    <wsse:Password>password</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </soap:Header>
    In the same way I want to create a custom header
    <soap envelope ch="namespace">
    <soap:Header>
    <ch:CustomHeader>
    <ch:customelement1>Value1</ch:customelement1>
    <ch:customelement2>Value1</ch:customelement2>
    <ch:customelement3>Value1</ch:customelement3>
    </ch:CustomHeader>
    </soap:Header>
    One of the options for this is to give an input header variable in the BPEL service invocation, but I do not want this way
    Is there any other way to create it in em console since multiple services use this header
    Thanks,
    Sowmya
    Edited by: 1004017 on May 10, 2013 8:20 AM
