[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Inject Authorization Header into WebView on Mobile

Hi Bill:

The way we do this for a Stage based PDF viewer (ANE) is to provide an API endpoint on our back-end server that requires the Authorization header and a resourceId. It then returns a temporary URL to the resource. So it's two steps:

1. Call the API with auth header and resourceId. Response contains temporary URL to the resource.
2. Pass the temporary URL to the show() or load() function on the StageWebView service.

However, if the resource request itself requires Basic authentication and it's not in your control (some other server), then this won't work and I'd recommend you ask the ANE authors if they could support Basic auth for resource URIs. 

But if you host the resource yourself you can do whatever you want. For example, you can get even more secure and include a query parameter in the URL returned in the API call response that contains a hash of some kind that can be used to verify the request is from a valid source.

You can also expire the URL after some period of time to be even more secure, like in 10 seconds that URL no longer points to the resource. 

I echo Olaf's wish for good luck.