-1

I work at a company that makes web publication software. Yesterday I stumbled upon a strange bug with opening links from Flash. The link was to a page on the linkedin.com site, but maybe it's not the only case.

Here is a test publication: http://cdiem.cld.bz/Link-test (Click the "Product guide" text, there is the link to a page on linkedin.com)

For some reason it opens as plain text in Chrome and Opera (and maybe other Chromium-based browsers), but works fine in Firefox and IE. It also works fine from the HTML version of the publication (disable the Flash plugin to see it). And it also works fine if you just reload the page.

My guess is that it has something to do with the X-Requested-With header field, because it's the only thing I found that differs between the HTTP requests from the Flash and HTML versions of the publication:

```
X-Requested-With:ShockwaveFlash/16.0.0.305
```

Could anyone give any advice on that?

Eugene L.

1 Answer

0

I think that you are right about X-Requested-With.

Take these two tests that I did using hurl.it, where you can test HTTP requests:

First test: just request our page.

Request headers:

```
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: runscope/0.1
```

Response headers:

```
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Encoding: gzip
Content-Language: en-US
Content-Length: 6156
Content-Type: text/html;charset=utf-8
Date: Thu, 05 Mar 2015 21:10:50 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
...
```

Here we can see very clearly that the server has sent text/html content.


We do the same test but we will just add the X-Requested-With header.

Second test: request our page with the X-Requested-With header.

Request headers:

```
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: runscope/0.1
X-Requested-With: stackoverflow_test
```

Response headers:

```
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Encoding: gzip
Content-Language: en-US
Content-Length: 3602
Content-Type: text/plain;charset=UTF-8
Date: Thu, 05 Mar 2015 21:21:06 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
...
```

This time we can see that the server has sent text/plain content.

So it's clear that the server is changing the Content Type to text/plain when receiving an X-Requested-With header, which is sent by Flash Player PPAPI (used in Chrome and Opera), like you can see here.

Hope that can help.

akmozo
  • Thank you! I wonder if they do it intentionally or not. P.S.: hurl.it seems like a very useful tool, didn't know about it, tnx. – Eugene L. Mar 07 '15 at 15:36
  • Sure, intentionally, because it's used for security reasons. Take a look [here](http://stackoverflow.com/q/17478731/2256820), and [here](http://docs.brightcove.com/en/video-cloud/concepts/cors/cors.html)... – akmozo Mar 07 '15 at 19:41
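
The two-request comparison from the answer, scripted so it can be repeated against any endpoint; this is an added example, not part of the original thread. The local handler is a constructed stand-in that mimics the observed behaviour, and `ConstructedHandler`, `fetch_content_type`, `probe` and `run_demo` are hypothetical names.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class ConstructedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the server in the answer: it answers with
    text/plain when X-Requested-With is present and text/html otherwise."""

    def do_GET(self):
        flagged = self.headers.get("X-Requested-With") is not None
        ctype = "text/plain;charset=UTF-8" if flagged else "text/html;charset=utf-8"
        body = b"<html><body>constructed sample page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

# Ignore proxy environment variables so the loopback request stays local.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_content_type(url, extra_headers=None):
    req = urllib.request.Request(url, headers=extra_headers or {})
    with _OPENER.open(req, timeout=5) as resp:
        return resp.headers.get("Content-Type", "")

def media_type(value):
    # Compare only the media type, not the charset parameter.
    return value.split(";", 1)[0].strip().lower()

def probe(url, header_value="ShockwaveFlash/16.0.0.305"):
    """Request url twice, without and with X-Requested-With, and compare."""
    baseline = fetch_content_type(url)
    flagged = fetch_content_type(url, {"X-Requested-With": header_value})
    return {"baseline": baseline, "with_header": flagged,
            "media_type_changes": media_type(baseline) != media_type(flagged)}

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), ConstructedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_address[1]}/")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```
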