Flash Player 10 Security Issue Resolution

I had posted earlier concerning a strange issue with Flash Player 10 where the SWF would refuse to load if being served over a Java servlet.  We’ve been able to resolve the issue by explicitly transferring any SWF content with a “Content-Disposition” header of “inline” as suggested by Adobe.  The relevant portion of this document is replicated below:

Starting with version 10,0,2, if Flash Player sees a “Content-Disposition: attachment” header while downloading a SWF file, it will ignore the SWF file rather than play it. Note that this restriction applies only to SWF files and not to other types of content, such as images, sounds, text, or XML files, policy files, etc.

If you control the HTTP server on which the SWF file resides, determine whether you trust the SWF file to execute in the server’s domain. If so, remove the “Content-Disposition: attachment” header by changing your HTTP server’s configuration.

While our resolution did differ slightly from the one posted above, it effectively does the same thing.
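
As an added illustration (not the code from our application, and not Adobe's), here is one way a servlet can apply the rule quoted above: SWFs the server trusts to execute in its own domain are sent with "Content-Disposition: inline", while anything else keeps "attachment" so that Flash Player 10,0,2 and later will refuse to play it. The class name, the "file" parameter, the directory layout and the allowlist are all assumptions made for the example, and it uses the javax.servlet API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: names, paths and the allowlist are assumptions for illustration.
public class SwfServlet extends HttpServlet {
    // SWFs we ship ourselves and trust to execute in this server's domain.
    private static final Set<String> TRUSTED = Set.of("player.swf", "presentation.swf");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("file");
        // Strict filename pattern: blocks path traversal and header injection via the name.
        if (name == null || !name.matches("[A-Za-z0-9_-]+\\.swf")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        boolean trusted = TRUSTED.contains(name);
        String dir = trusted ? "/WEB-INF/swf/" : "/WEB-INF/uploads/";
        try (InputStream in = getServletContext().getResourceAsStream(dir + name)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            resp.setContentType("application/x-shockwave-flash");
            // "inline": the player loads the SWF. "attachment": Flash Player 10,0,2+
            // ignores it, which is the behaviour we want for SWFs we do not trust.
            resp.setHeader("Content-Disposition",
                    (trusted ? "inline" : "attachment") + "; filename=\"" + name + "\"");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

Setting the header explicitly also protects against a framework or proxy default silently adding "attachment" to servlet-streamed binary content, which would otherwise make the SWF fail to load.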

What’s Up with Flash Player 10 Final???

It seems a lot has changed from the release candidates to the final version- a lot of things people did not expect.  For instance, last minute surprise changes to the Sound API… and then the previously announced security changes that Adobe has, in fairness, warned us about since Flash Player 9.

I’ve stumbled across something that I cannot understand in one of our Java applications.  This is something that worked fine in 10.0.0.525 but is now broken in 10.0.12.36:

Simply put- a SWF (any SWF) that has loaded just fine in all previous versions of the Flash Player (including FP10 RC builds) now completely fails to load.  I’ve looked at a number of different things but cannot figure this one out!

I’ll update this as I find answers.

Flash Player 9 FSCommand() Bug

I’m working on a rather large AS3 project through Fractured Vision Media which relies on the flash.system.fscommand package to properly transmit data from the application to its container layer. Unfortunately, we’ve come across a bug in which FSCommand calls are ignored! Through some quick research (e.g. Google) it was discovered that more than a few others have come across this problem as well.

The workaround for now is to be sure you are generating unique argument strings to pass through the FSCommand. This could involve changing the case of different characters in your argument string or appending a unique ID based off of something like the current time.

Does anyone know the status of this bug? Will it be patched in “Moviestar”? Seems pretty major to me…

Recent BETA Items of Interest

So, to delay my unavoidable participation in the initial “Flex/AIR/Flash” waterfall effect, I’ve waited till now to post anything about the massive new beta releases that have been available since last evening.

Flex Builder 3:
LOVE the new CSS design view. LOVE IT! I’m sure there are plenty more features of direct interest as well, but this is the one that really opens things up for me.

I initially came from a design background and gradually evolved into a developer as necessity demanded and curiosity gnawed. Having both design and development tools in the same IDE makes for a truly integrated experience. This is something those of us coming to Flex with a solid history of Flash development can really appreciate.

I’ve always found Flex Builder to be a bit too pricey to purchase for Fractured Vision Media. Until a few weeks ago, no clients had approached me concerning Flex specifically. With all of the new features in this version of Flex Builder, and the increased popularity of Flex over the past few months, it may become more difficult to avoid a purchase when Flex Builder 3 is finally released later this year.

Adobe Integrated Runtime (AIR):
Nice new additions since the Apollo alpha. Drag and drop, clipboard, PDF, auto-update, SQL DB, connections monitoring… all great stuff. Not much time to use it yet- documentation says SWF files which are part of an AIR app will not need to rely on crossdomain.xml files… my experience is quite different :(

Why can’t I grab stills from a rtmp stream??? Please fix this, Adobe!!! Fix it in the general Flash Player as well for regular SWFs. If I own a Flash Media Server stream, and I own the SWF file accessing it, there should be some way to allow me access to the BitmapData.draw() method!!!

Flash Player 9 Update 3:
Taps into the GPU? Dual processor support? Multiple fullscreen enhancements? Almost more excited about this than all the rest!

Apple Safari 3:
For Windows??? Weird

Never much liked Safari on OSX- now people will be using it on other platforms too? What a nightmare this will be for debugging JavaScript…

Fullscreen Flash Player ‘Gotcha’

I’m not sure whether this should be classified as a bug or not. I’m currently working on a project which utilizes the new fullscreen capabilities of Flash Player 9. The module in question retrieves images, audio, video, and other objects for display one-by-one in an individual presentation format. One thing we’ve included in the application is the ability to link to external video from YouTube, iFilm, Yahoo Video, or wherever a user’s personal video material may be hosted. This is where the problem occurs. Flash Player security policy dictates that data linked across domains cannot be loaded into the player without explicitly allowing such communication through a crossdomain policy file. Seeing that we allow the inclusion of so many different video services for this application, it isn’t really feasible at this time to try and either load videos through the help of individual service APIs or to find some other way around these security restrictions on a per service basis. We currently handle this by displaying a message telling the user to click through to the video, essentially invoking a getURL() and opening the video in a new window or tab. When using this presentation module in fullscreen mode, invoking a getURL() will actually crash Firefox. It seems to function just fine in other browsers tested. For the meantime, I’ve set the external linking method to first pull the Flash Player out of fullscreen mode and then invoke getURL() which works just fine.

Stage["displayState"] = "normal";
getURL(videoURL, "_blank");

It seems this would be more of a Firefox bug than one involving the Flash Player itself. I wonder if anyone else has any insight to this particular issue? The workaround I have implemented works fine for now- but it is not ideal from a user perspective as they are automatically pulled out of fullscreen mode back into the browser. Perhaps this may be a good Apollo option?