“Security error accessing url” in Flash 9,0,124,0

Adobe FlashIt appears the April update of Flash Player’s security policies have some implications for Amazon’s web services. Per the release information, it appears that is is no longer sufficient to have a crossdomain.xml file that contains <allow-access-from domain="*"/>:

In order for a SWF to send a header anywhere other than its own host, the origin domain of the SWF must have explicit permission from the host to which the header is being sent, in the form of a policy file. The existing policy file model will apply, with the same file locations and ActionScript APIs, but a new syntax will be required. To specify header-sending rights, use this new tag: <allow-http-request-headers-from>.

Without such an entry, whenever you use the WebService tag in MXML to access an Amazon web service, you’ll get the “security error accessing url” message. I currently have this problem with the following use of WebService tag:



...

This code functioned without issue until I updated to Flash Player 9,0,124,0. I’ve started a thread on the Amazon Web Services Developer Connection, so hopefully someone at Amazon add the appropriate <allow-http-request-headers-from domain="*"/> entry into the crossdomain.xml file at webservices.amazon.com to address this problem.

Hopefully this post saves some people a few hours of beating their heads against a wall. Unless I’m totally mistaken, and there’s a workaround that doesn’t involve using a proxy?

US Border Laptop Search Policies Are Scary

The Department of Homeland Security has revealed its laptop search policy. According to the Washington Post:

Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

I totally saw this coming once the Ninth Circuit ruled border searches of luggage legal – and the Canadian Border is following the DHS’ lead. It was only a matter of time, as I predicted, before they argue that they need the capability to copy or retain data.

This should scare the bejeezus out of Canadians and Americans alike. The border services are notoriously incompetent, and it is inevitable that laptops and data will be lost. As a result, sensitive corporate or customer data will be compromised, identities will be stolen, competitive advantage will be lost, and a host of other consequences will be incurred.

What I find mind-boggling is that Senator Feinstein “intends to introduce legislation soon that would require reasonable suspicion for border searches”. In other words, to re-affirm that the fourth amendment of the US Constitution does apply at the borders. Talk about cat and mouse.

There’s one additional implication for Canadian companies now that this policy has been clarified. Under PIPEDA, companies must safeguard Canadians’ personal data. This has lead to many services, such as those storing Canadians’ health data, to be moved off of US servers due to the wide-sweeping powers of investigation granted under the US Patriot Act. The implication of this new laptop policy is clear: companies operating in Canada must not carry Canadian customer or employee data on laptops to the US.