Flash8: Security problems

Wednesday, November 9th, 2005

I have a problem with the security settings in Flash 8. Macromedia implemented new security in Flash 8 because they think that Flash Player may have security holes. It’s nice, but the problem is with backward compatibility, and I think that’s a big problem.

So, an example.

You have an application on the web which should play “many” long videos to its users. It would be a problem to download many MBs of videos, so you would rather store the videos on the user’s hard drive. (No matter how you copy the videos to the user’s HD, e.g. kiosks.) But now it seems that you cannot load any file from the local disk if your application is on the web. It is possible in Flash 7, but not in Flash 8.

I have tried allowDomain commands, set settings in the Macromedia Global Privacy Settings Panel, and tried everything I know to load video from the HD, but I had no success. It seems that this is not possible in Flash 8?

Am I right? If yes, that’s a problem, because imagine the situation: you have an application written in Flash 7 and have a million users, and now they upgrade their Flash Player to 8, and they will see no videos :( I think this is a problem.

So, anyone, please tell me if it is possible to handle such situations. Anyone from Macromedia, tell us if this is possible. We have our clients, who chose us because we had convinced them that Macromedia has a wonderful tool called Flash, which can do such things. So now, Macromedia, convince us that we were right!


ABOUT THIS AUTHOR

I'm living in Bratislava, Slovakia. I'm Senior Flex, AIR Developer for my own company Flexets.


1 Trackbacks/Pingbacks

  1. Pingback: Franto.com Flash blog » Flash8: Security problems - still no solution on December 12, 2005

33 Comments


  1. Richard
    November 9th, 2005

    Been a while since I looked at this, but can you not just wrap it up in a standalone projector? Still a pain for other sorts of app that ideally would run in a browser, load in local config, and access live webservices - which isn’t all too uncommon.


  2. Administrator
    November 9th, 2005

    I did not try a standalone projector, because it should be in the browser; projectors will be the LAST try :)


  3. gld
    November 9th, 2005

    Nice blog, but where is the answer :) This problem sucks :)
    A standalone projector is OK, but in the browser it does not work, as you said.


  4. Administrator
    November 9th, 2005

    gld, I wrote this article to find the answer. I do not know the answer, I WANT SOMEONE TO TELL ME THE ANSWER :)


  5. Administrator
    November 9th, 2005

    It seems that it should be possible:

    fplayer8_security_03.html

    Quotations:
    Finally, authors and users can configure Flash Player to elevate a SWF to a trusted status where it has both privileges—in other words, the SWF will have exactly the privileges it had in Flash Player 7.

    Local-trusted: This sandbox has no restrictions. It offers the same open privileges as all local files were given in Flash Player 7. Any local file may be placed in this sandbox if given authorization by the end user. This authorization may come in two forms: interactively via the Settings Manager or noninteractively via an executable installer that creates Flash Player configuration files on the user’s computer.

    But it doesn’t work for me. I have added my SWF from the local filesystem to the Settings Manager as trusted, and it doesn’t load from the web :(


  6. Tom Lee
    November 9th, 2005

    Check out the security whitepaper at http://www.macromedia.com/devnet/flashplayer/articles/flash_player_8_security.pdf.

    You can probably get what you want via either the configuration file or the Flash Player Trust Directories.


  7. aardvark
    November 9th, 2005

    o shit, you’re kidding right?! We’ve got oogles of video and audio content that we deliver to our customers because most of our customers don’t have the bandwidth to enjoy quick downloads; however, we maintain the main application on our servers, tis loaded in the browser. Are you saying that when our customers receive a notice from the recently activated auto-update, and upgrade to Flash 8, our software will no longer be able to load the video and audio we’ve distributed?


  8. Administrator
    November 9th, 2005

    aardvark > Not kidding, I just can’t figure out how to achieve this. It all seems that it should be possible with Configuring Files into the Local-Trusted Sandbox, but till now I’m not able to do it…
    I hope I will do it… we already have problems with our clients :(


  9. aardvark
    November 9th, 2005

    this could turn into a nightmare… didn’t the auto-update go live nearly 30 days ago? So, even Flash 7 will begin notifying users very soon that they should upgrade, even if the content/application requires only Flash 7? We can’t stop this, can we? As soon as someone gets that notification they’ll probably just click OK and install Flash 8. Soooo, then we are going to start receiving tons of calls.

    Does the new security stuff apply if we just say screw the browser distribution and wrap our main application with some swf2exe, like Zinc or Screenweaver? I think with our next content distribution we could distribute a wrapper that would download the main application into the wrapper and therefore run locally, not within the browser… sort of a mini browser without the sandbox rules… I dunno, just sorta brainstorming right now… I should’ve been keeping up with the new security changes BEFORE the release, damn damn damn.


  10. Armand
    November 9th, 2005

    My understanding is that if the Flash application is loaded from a URI, it CANNOT access local content - period.

    If the application is loaded locally, it can access either local files OR network files, unless it’s trusted, in which case it can access both kinds of resources.

    You can make an application trusted by using the Trust Directories. The whitepaper doesn’t specify what the Trust Directories should contain; I got that from a different article on the MM website.


  11. aardvark
    November 9th, 2005

  12. aardvark
    November 9th, 2005

  13. Administrator
    November 9th, 2005

    Armand, you’re right, but I still cannot convert the SWF to trusted status :)

    aardvark, I want to write you an email, but it seems there is a problem with the email you wrote down in the comments


  14. Administrator
    November 9th, 2005

  15. Administrator
    November 9th, 2005

    I’ve created the cfg file as it is written in the link above and added it to the right place, but it still doesn’t work…


  16. gld
    November 9th, 2005

    > admin
    It works now.


  17. gld
    November 9th, 2005

    Sorry :) It doesn’t work :)


  18. John Dowdell
    November 9th, 2005

    Sorry, but I’m lost now… for whom is what still not working? If you had a single-sentence “what” or “how” question for others, then what would it be?

    (Yes, in browsers now, local is local and remote is remote, but the security whitepaper, technotes and other resources cited there show how to achieve most goals.)

    jd/mm


  19. Administrator
    November 9th, 2005

    Hi John, welcome here…

    As far as I know, nobody can do this in Flash 8:

    Make a SWF, loader.swf, and upload it to a web server, e.g. http://www.franto.com/loader.swf

    Make another SWF, test.swf, and copy it to the local filesystem at c:\test.swf

    and then load test.swf from loader.swf (load a file from the local filesystem into a SWF on the net)

    I have tried to add test.swf to a trusted location in the Settings Manager, and I was also trying to make a cfg file for it (file or folder), but nothing works

    Can you tell us what the right solution for this is, and maybe give us a working example?

    Thank you


  20. John Dowdell
    November 10th, 2005

    “Can you tell us, what is right solution for this, and maybe give us working example?”

    Sorry, I’m short-sleeped today, and between all the posts here and all the posts in the parallel discussion on FlashCoders, I’m still not sure what the single-sentence answerable question is.

    There are ways to combine local and remote content in browsers with the new Player, and it sounds like you’re following a particular page of docs and are not getting the results they say, but that’s as close as I’ve gotten in reading this thread, sorry.


  21. g.wygonik
    November 10th, 2005

    john - i think the single line question would be:

    “What does a Flash developer have to do to make a Flash movie that runs in the browser from the net access local assets, given that all the methods Macromedia list have been tested and do not seem to work?”

    and then, perhaps:

    “Can Macromedia please make some sort of document or post that clearly states how to do this, instead of having to read through multiple web sites, PDF white papers, and several blog posts?”

    whew! :-)

    g.


  22. John Dowdell
    November 10th, 2005

    > What does a Flash developer have to do to make a
    > Flash movie that runs in the browser from the net
    > access local assets

    Thanks — something in this form makes sure I don’t misunderstand…. ;-)

    But I don’t know offhand, and I’m packing for a half-day plane ride tonight, and so can’t research effectively right now. Have you tried contacting Macromedia Support, asking if they can successfully replicate certain instructions on the website?

    What I’m thinking is… if support staff also find that the instructions don’t lead them to the expected results, then they can work to get it fixed… there are built-in incentives to getting it right.

    (On the other hand, if support staff find that the instructions lead to the desired results on their end, then that’s a tipoff that we need to find the difference between the two cases… they may send you a simple file to see if it runs on your server, so we can distinguish permissions issues from other causes, etc.)

    I’m sorry I can’t personally follow on this past this point, but does checking with Macromedia Tech Support sound like a workable way to make some progress here…?

    tx, jd/mm


  23. Administrator
    November 10th, 2005

    g.wygonik - Thanks, you are right
    John - OK, I will contact support staff, and we will see if they help us


  24. Naz
    November 10th, 2005

    What a nightmare!!!


  25. Administrator
    November 10th, 2005

    OK, I have mailed the Macromedia support staff, and I am waiting for a response


  26. Alex Dodds
    November 10th, 2005

    Hate to say this, but I’ve seen something very similar before on John Dowdell’s blog at:
    http://weblogs.macromedia.com/jd/archives/2005/10/mikes_cd_projec.cfm#comments

    Someone wanted to know how to get Flash+HTML content already produced running on a CD working with the new Flash 8 player - all content suddenly broke because it needed to call JavaScript in the pages themselves (i.e. local only) - that is completely blocked by default with Flash 8.

    No good answer came out of that apart from each customer would have to individually set their own security settings to put the entire CD drive as trusted. What they do if they don’t have internet access or don’t have the tech know-how to use the security settings I don’t know. Seems a shame to have not considered the implications of this for backwards compatibility.

    Given this applies to any content made to run on CD in flash 7 or earlier - there’s going to be a lot of broken content out there.


  27. Administrator
    November 10th, 2005

    There is a possibility to create config files on the HD, so you need not be connected to the net, but it must work :) Till now I don’t know a way to make it run


  28. glad
    November 10th, 2005

    Hi,
    I found a way to run this app.
    You must create 2 files. The first file is local, the second file is on the web. They communicate with each other. xml.load doesn’t work in Flash with allowDomain and local playback security set to access network only, but loadMovie works with the same settings ( System.security.allowDomain("*") and local playback security set to access network in publish settings ). Then I loaded the web-based SWF in the local-based SWF, and then it’s alive :)

    I’m sorry for my English :) It’s not very good. I hope I can explain my way.


  29. Administrator
    November 11th, 2005

    Sorry, I don’t understand, can you contact me?

    MSN: franto@franto.com
    ICQ: 132-636-916


  30. sympleton
    December 12th, 2005

    Have you heard anything definitive from Macromedia?

    Either Flash 8 was designed to prohibit a browser-based swf from accessing local files or it wasn’t. This issue is pretty much black and white.

    I was relying on this functionality as well so I too would very much like to hear THE ANSWER. Though I think I already know it: NO.


  31. Chris Gannon
    January 26th, 2006

    1. Create ‘local.swf’

    2. Create ‘network.swf’

    3. In ‘local.swf’, place a button with this code:

    loadMovieNum("http://www.yourspace.com/network.swf",2);

    4. Upload ‘network.swf’ to the above URL

    5. Run ‘local.swf’ IN THE FLASH 8 PLAYER NOT THE BROWSER

    6. Click your button to load ‘network.swf’

    7. When the security box pops up, click Settings, then Edit Locations>Add Locations>Browse for file

    8. Find your ‘local.swf’ and select it

    9. Shut the browser window that opened

    10. Now, open your ‘local.swf’ EMBEDDED IN HTML IN A BROWSER - click your button again

    11. ‘network.swf’ now loads

    12. Make sure in your Flash Publish settings you have selected ‘Local Playback Security = Access Local Files only’ - (not sure if this makes a difference actually)
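
The sandbox rules as described in comments 10 and 31, written out as an added example that is not part of the original post or any commenter's code. It is a simplified model: the function names and the `C:\demo` paths are constructed, and cross-domain policy checks between remote hosts are left out.

```javascript
// Simplified model of the Flash Player 8 sandbox rules described in this thread.
// Function names and the C:\demo paths are constructed for illustration;
// cross-domain policy checks between remote hosts are deliberately left out.
const isRemote = (u) => /^https?:\/\//i.test(u);
const norm = (p) => p.replace(/\//g, "\\").toLowerCase();

// trustedPaths: files or directories the user authorised (Settings Manager or
// a trust configuration file). A directory entry covers everything below it.
function isTrusted(swfPath, trustedPaths) {
  const p = norm(swfPath);
  return trustedPaths.some((t) => {
    const n = norm(t).replace(/\\+$/, "");
    return p === n || p.startsWith(n + "\\");
  });
}

// publishSetting is the Local Playback Security choice: "local" or "network".
function sandboxOf(swfLocation, publishSetting, trustedPaths) {
  if (isRemote(swfLocation)) return "remote"; // trust entries never apply here
  if (isTrusted(swfLocation, trustedPaths)) return "local-trusted";
  return publishSetting === "network"
    ? "local-with-networking"
    : "local-with-filesystem";
}

// May a SWF running in `sandbox` load `target`?
function mayLoad(sandbox, target) {
  const remoteTarget = isRemote(target);
  switch (sandbox) {
    case "remote": return remoteTarget;                 // never local content
    case "local-with-filesystem": return !remoteTarget; // local only
    case "local-with-networking": return remoteTarget;  // network only
    case "local-trusted": return true;                  // Flash Player 7 behaviour
    default: return false;
  }
}

function check(loader, publishSetting, trustedPaths, target) {
  const sandbox = sandboxOf(loader, publishSetting, trustedPaths);
  return { sandbox, allowed: mayLoad(sandbox, target) };
}

// Comment 19: remote loader.swf, test.swf trusted, still refused.
console.log(check("http://www.franto.com/loader.swf", "local", ["c:\\test.swf"], "c:\\test.swf"));
// Comment 31: trusted local.swf loading network.swf is allowed.
console.log(check("C:\\demo\\local.swf", "local", ["C:\\demo\\local.swf"], "http://www.yourspace.com/network.swf"));
```

In this model, trusting `c:\test.swf` changes nothing for a loader served over HTTP, because the trust entry is only consulted for the SWF that performs the load.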


  32. Werbeagentur
    December 25th, 2007

    Hi Franto,

    I added you on ICQ… Please accept me. Thanks


  33. jacopo
    April 17th, 2008

    Adobe’s documentation is confusing about this, please check:
    http://www.sephiroth.it/phpBB/showpost.php?p=32295&postcount=4
