By Vivek Negi
HSTS is an Internet Engineering Task Force (IEFT) standard that enforces the user-agents like browsers to use the secured HTTPS protocol for communication instead of the HTTP protocol. The HTPPS response header from a host may have a ‘Strict-Transport-Security’ (STS) header field, which requests the user-agent to always make subsequent requests to access that host using the HTTPS protocol only. Beginning with version 23, Flash Player supports the HSTS standard. Flash Player now acknowledges an STS header in the HTTPS responses received from the HSTS hosts.
HSTS support is particularly helpful in those Flash applications where an SWF calls another SWF (child) and this child SWF is located in an HSTS enabled host. When the parent SWF tries to access the child SWF, the host sends an STS header in the HTTPS response. This STS header is acknowledged by Flash Player. Therefore, all the subsequent requests for the child SWF by the parent SWF can be made only through the HTTPS protocol.
The figure below depicts a workflow of how the HSTS enabled hosts and the non-HSTS enabled hosts interact with the browsers and Flash Player.
In the figure above, the browser is loading a Flash application that has two SWFs ─ outer.swf denoting the parent SWF and inner.swf denoting its child SWF. The non-HSTS host doesn’t enforce the browser (user-agent) to use the secure protocol, that is, HTTPS. The workflow, as depicted in the figure above, when the browser accesses content from the HSTS enabled host is described below:
- The file container.html loads outer.swf in the HSTS Host (hsts.host.com).
- The browser sends out request #4 through the non-secure transport as the URI for outer.swf is specified with HTTP scheme in container.html.
- The browser receives a 301 Moved Permanently response from hsts.host.com as the server is an HSTS host and stops communicating using the non-secure HTTP protocol.
- Browser now sends out request #6 through the secure HTTPS protocol based on the Location header field as shown in the response #5 301 Moved Permanently.
- Browser receives the response #7 200 OK and notes hsts.host.com as a ‘Known HSTS Host’ as the response message has a Strict-Transport-Security (STS) header field. From this point onwards, any subsequent request to this host by the browser will be made using the HTTPS protocol.
- Browser passes the outer.swf stream to Flash Player with the response headers.
- Flash Player also notes hsts.host.com as a ‘Known HSTS Host’.
- Flash Player loads outer.swf and runs ActionScript in it.
- outer.swf loads inner.swf using URLRequest with the parameter http://hsts.host.com/inner.swf.
- The earlier versions of Flash Player, in the absence of HSTS support, would have made the request through the unsecured HTTP protocol. Flash Player 23, however, sends request #11 through secure transport as hsts.host.com is a ‘Known HSTS Host’.
HSTS support in Flash Player can be very useful in various aspects, but most importantly it makes Flash Player more secure than its previous versions.