
Flash + SSL + IE = WTF

Barton from phy5ics.com posted about his experience trying to load data via SSL into Flash using Internet Explorer.

I’ve been working on a project with a team of some of our really talented Flash developers (props Ben, Leon and Gabriel) where a Flex app being served from a non-secure URL via plain HTTP needs to connect to and consume data from another server via HTTPS and have run into some issues and a workaround that I’d like to share. For that particular project, the other server is a SOAP service running behind SSL with a Flex app served over HTTP consuming those services. However, these concepts also apply to any external data consumed by the Flash Player. A simplified diagram of the system is below:


HTTP/HTTPS Architecture Example

Pretty basic use case, right? Should be pretty straightforward once the usual suspects are addressed as follows, right? No, of course not, otherwise this article wouldn’t actually be helpful. I’ll start with the server environment and SSL certificates.

He identifies the main problem as having to do with HTTP headers:

So, despite having this configured with secure=”false”, there is another aspect to this that will be a pain if you test in Firefox and then try to get it to work in any version of Internet Explorer, as it will fail silently in IE. That is the issue of HTTP headers that are sent by a web server in response to a request from a browser. In IE, because it is the short bus of browsers, any HTTP responses sent from a secure context to an insecure one are ignored. I don’t know enough about the inner workings of IE to know why, however, it fails silently.

To get around this and allow HTTP responses to be received over SSL from a server, it is necessary to change either configuration at the web server level on https://dev.services.com or set the headers at a code level to ensure that the proper headers are being sent with HTTP responses. That HTTP header is as follows:

Cache-Control: no-store

There is a great deal of disagreement and contradiction on this topic, as can be seen with nearly every comment related to this blog post. However, according to my testing, and the word of my esteemed colleague, Robert Reinhardt, this is the one that indeed works.


Sanjeev Sharma, also working on a similar issue, pointed out the following Microsoft Knowledge Base articles:


Flash Player + SSL + IE7 = WTF (and a solution) - [phy5sics.com]

Originally posted on Sun Mar 16, 2008



I'm having this issue with a call from a Flex application that calls a .Net web service. While I can set the Cache-Control on the web page that holds the swf, the issue seems to be that when I look at the header for the web service call, it is set to Cache-Control: private, max-age=0. Is there a way to set the Cache-Control dynamically in the ActionScript code that calls the web service, such as:
var rh:URLRequestHeader = new URLRequestHeader("Cache-Control","no-store");
webServiceTools.httpHeaders= rh;
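
The workaround quoted in the post is a response header, set on the server that answers the HTTPS request. As an added example (not from the original post or its comments), here is a WSGI middleware that replaces whatever Cache-Control the service emits, such as the `private, max-age=0` value mentioned in the comment, with `no-store`. The Python stack and all names in it are assumptions; `soap_service` is a constructed stand-in for the real service.

```python
# Added example: assumed Python/WSGI service stack, hypothetical names throughout.
FORCED = ("Cache-Control", "no-store")


def force_no_store(app):
    """Wrap a WSGI app so every HTTPS response carries exactly one
    Cache-Control header, with the value no-store."""
    def middleware(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            if environ.get("wsgi.url_scheme") == "https":
                # Drop any Cache-Control the application set (header names
                # are case-insensitive), then append the forced value.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "cache-control"]
                headers.append(FORCED)
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return middleware


def soap_service(environ, start_response):
    """Constructed stand-in for the service: emits the header value
    reported in the comment above."""
    start_response("200 OK", [("Content-Type", "text/xml"),
                              ("Cache-Control", "private, max-age=0")])
    return [b"<soap:Envelope/>"]


def response_headers(app, scheme):
    """Call the app once with a minimal constructed environ and
    return the response headers it produced."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/service",
               "wsgi.url_scheme": scheme}
    b"".join(app(environ, start_response))  # drain the body iterable
    return captured["headers"]


if __name__ == "__main__":
    print(response_headers(force_no_store(soap_service), "https"))
```
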
