Simeon Says

I just wanted to post this little reminder for folks to do their upgrade. I have been very happy with Fusion since jumping over from parallels about a year ago.

One of my biggest pet peeves about fusion was that when I started my Boot Camp partition it always asked for my password. But the box that popped up didn’t have focus so I had to actually grab it and then input my password. So stupid but I am not a mouse guy, I move via the keyboard, and this was a big issue for me. That has been fixed.

I see on the site that they are claiming Directx 9 support now. I am not much of a gamer but that has to be some good news for someone out there.

I did the upgrade and updated my vmware tools and have not had a lick of trouble. So remember to go update, cuz they might have fixed something that bothers you too

I posted about one of the new restrictions of Flash Player 9.0.115 over here on my blog. http://blog.simb.net/2008/01/17/urlrequestheader-in-as3-can-not-use-authorization-header/

In that post, I explain how the sky is falling and that we are no longer able to use the Authorization header with the URLRequestHeader object. In the post I incorrectly state that the problem does not exist in Flex and AIR, but only in AS3. But that based on the documentation, it should not work so I expect it to fail soon.

As it turns out the problem is limited to Flash Player and some contexts of AIR. So here is the run down. SWF applications that are created in any form that are intended to run in the browser, no longer have access to this header. So whether they are created with Flex 2, Flex 3, AS3 or Flash IDE. If its headed for the browser and your user has updated to Flash Player 9.0.115 this code will error. If your application is headed for the AIR platform, you are in better luck. Any content loaded into the Application security sandbox still has full access to all headers. Only content that is loaded into a secure sandbox will be restricted.

So did I over react to the problem? Maybe. Only because I could not imagine how a change that could affect so many applications, could slip through so quietly. This is one of the first times I can ever think that a release of the flash player has openly broken backwards compatibility. I understand the reasoning for it, but it is a bit of a blow to my flash platform unified runtime theory, just like in the browser, I now have code that can behave differently for separate users.

What does this mean? Well I have to get back to work on the Freshbooks API, and have the Freshbooks guys label it as an AIR library since it wont work in flash player.

I started this morning thinking I would write my fourth rant post this week. But I decided to tone this back a bit and see if I could bring some useful discussion and clarity to a problem.

So to throw a little bit of background into this for the uninitiated, Adobe AIR applications come in 2 flavors. The first is that the application is created using a tool (flex builder or flash IDE) that outputs a swf that has all the wonderful stuff you code into it. All written in MXML, and AS3. The alternative is to create your application using HTML and JavaScript. In which case a cute little swf with an HTMLLoader loads up your content and your application is built entirely in HTML and JS.

Obviously these 2 road have different learning curves, but both are intended to let you build desktop applications with tools that are familiar to you.

So the non-rant. JavaScript is a dynamic, interpreted language. So you can construct something as a string and eval it into an actual js object. So at runtime you can construct new objects and alter the behavior of existing ones. This can be a very powerful and very dangerous tool.

Because AIR applications run on the users computer with all the rights and privileges afforded to any other application, these dynamic abilities can pose a very serious threat. An example could be one where the application loads some JavaScript from a remote domain and would use that content to load objects into an application. Think JSON here. If that remote JS was hijacked in some way it could have very serious effects. Things like deleting all the images from a users computer. Or loading up dangerous content. Even something as simple as taking your mild mannered application and turning it into a porn portal.

To help us combat these problems the AIR development team has constructed different security sandboxes that content gets loaded into. Any files that get installed with your application and live in the application resource directory, have full access to all of the air runtime. Any files that are loaded from any other source run in limited contexts and do not have access to the air runtime directly.

The assumption here is that if you installed the scripts with your application they are safe. If you read through the documentation on the secutity, all the examples listed specify that this is to protect you from remote vulnerabilities.

This seems very reasonable to me. Remote content, no AIR runtime. If I want to give that content access to AIR runtime features I expose an API for my application through the sandbox bridge. This makes total sense.

However there is one piece of this security that I have left off. And its the part that brings me the most frustration. In the application security sandbox the AIR developers have limited the functionality of JavaScript by disabling eval. The idea is that because this application sandbox has access to all the AIR api’s that they should not allow dynamic evaluation. They have provided through the use of bridges a way to communicate with the limited sandboxes and allow evaluation, but you can not in the root context.

The result of this is that many/most javascript frameworks which rely on the eval method to execute code, must be run in a security sandbox to function correctly. Even if your application makes no use of any outside content at all, your application functionality has been cut off at the knees and you must work around the security sandboxes. However since any content loaded from a remote source will get loaded into a secure sandbox that has no access to these api’s I really think the whole issue is moot.

I guess it comes down to this. I understand and agree whole heartedly that content loaded from remote sources should not have access to the AIR api’s. But I don’t think that the application security sandbox should have lessened functionality.

I think that in an effort to make sure that AIR doesn’t get used for malicious purposes, they have decided to treat developers like they are incompetent. Its like they are saying “here is a fork, but we don’t trust you not to stick it in the outlet so we are turning the juice to the outlet off. We don’t care if you need the juice for your computer. No juice for you”. Because in the application security sandbox the only thing running is the code you installed with your application.

So what do you think? I’ll be honest I love dynamic languages and I think that this is one of the only reasons I would build something in JS over AS3. Is this something that bothers you? Or do you think they really just have our best interest at heart. I really am curious.

Just wanted to take a second to remind everybody to tell Ryan Stewart happy birthday. Our favorite RIA evangelist is turning the ripe old age of…. hell i dont know I think he is gonna be 26 or 27 (13 going on 40)?

He is going to celebrate his birthday this week by hitting the road and talking to people in Portland, Seattle, Las Vegas and Sacramento about AIR and Flex 3. So make sure you take the time to give him a great big hug and buy him a beer.

Ok, so I had my first WTF moment last night in trying to be more AS3 and flash happy. I started the FreshBooks API AS3 Library, and I tested it in Flex 3 and AIR. It worked great. Just so that the FreshBooks folks would know I started the project, I hit their contact us form and let them know. I was reading the API docs the other day and was surprised to see that they had added my library to the list of projects. How Cool! The only rub was they labeled it as a Flash project. That got me wondering if I had used anything that would keep it from working in Flash.

I scanned the code and was very pleased to see that the only class that would be an issue was ArrayCollection. So I changed that up and made and array out of it. No Sweat. Everything compiles and I am a happy guy. So I run it to test it out.

ArgumentError: Error #2096: The HTTP request header Authorization cannot be set via ActionScript.

Wait, what?!?! I set it via actionscript in a flex project with no issues. How is this different? Well I dug a little deeper and here is the rub. In the livedocs for AS3 URLRequestHeader its specified that Authorization is a reserved word. But in the class docs for Flex 2 URLRequestHeader it is not. Although I thought last night when I was looking at this the Flex 3 livedocs for URLRequestHeader didnt list it, it apears to. The problem is, this code works in Flex and AIR, but not in an AS3 only project.

First question is why is it reserved in AS3 and not Flex. Second, why does it work in Flex 3 when it shouldn’t. Third, how they hell am I supposed to authenticate against remote services without this?

I appeal to the flash gods that are smarter than me. Please set me straight

When I saw that Macromedia was being bought by Adobe I felt like the rug had been pulled out from under me. When Microsoft invested in Facebook, I didnt wait to see the ramifications, I closed my account. Now I see that MySql has been bought by Sun, and my first thought was “Time to learn Postgres”.

But here is the thing, Adobe has done great things with Macromedia’s products. They added money and reach to some tools I thought were the best of breed. I still feel fine not being involved with Micro-Book (Face-Soft?). And I really like Sun, I always have. So I decided I had better put some more time and thought into the MySql deal rather than just write them off.

Sun is a company that is working hard to support Open Source software. They have partnerships with most of the Open Source OS vendors, and have always put time and money into OSS projects. So why do I worry about mysql? Or any of my favorite projects being bought up?

I think it all comes down to one thing. I dont believe in corporations. I feel that they are bureaucratic, wasteful, and unresponsive to users. I feel like once a company goes public their responsibility is to their investors and not to the end user, and I can’t support that. I feel like corporations and the “must protect ourselves” attitude they employ are one of the biggest reasons our country is falling apart (stupid lawyers suing everybody).

Most of all in these things I feel that I am a hypocrite. Because in most of the things I do in my day I support these big companies. So I am as much a part of the problem as they are. I shop big chain grocery stores, I use my expensive apple products, I drink my $5 cup of coffee. But here is the crux of my argument. I do attempt to support the little guys in the things I feel I really have a choice in. I support Open Source software. I am a member of the EFF. I use products from small privately held companies as often as I can, as long as they support my open attitude. I feel like these companies have a much greater responsibility to they users of their products, and as such I expect more from them.

My problem with Sun buying MySql is that I am afraid they will become part of the big corporate mess that is America. Its not really about me not liking Sun. Its about me being afraid they will break MySql. Two years later i am very happy with the Macromedia and Adobe “merger”. I hope that I will be able to say the same things about Sun and MySql.

But my closing thought for this post is this. Support the small business, and do what you can to help others around you. Everybody has to make a buck, be aware of where you spend yours.

I posted about the Flex Roadshow here and here. Ryan Stewart from Adobe will be here next Tuesday to share with us all the goodies in Flex 3 and AIR which are both soon to be released. Only problem: We only have about 10 registration slots left. Thats right folks, there are over 100 people registered for the Portland event, and we only get 120 at the venue.

So if you have not registered yet, be sure to do it quick. Should be a great show, with good swag, software and friends to mingle.

Alll the information is on the PDX RIA site.

Ok, so polygeek posted this neat little swf the other day. He had a swf which contained a TextField and he had applied a drop shadow to the text. Then he updated this so that when you moved your mouse cursor around, the drop shadow moved as if the cursor was the light source.

I though this was pretty cool, but polygeek only took the angle into account. I wanted to have the distance of the shadow set dynamically as well. I thought this was a perfect opportunity for me to do something in pure AS3. So here is what I wanted to do. Draw a border around the stage and set up cross hairs for middle just like polygeek did. Then center my text and apply the drop shadow. Then use an MouseMove event to update the drop shadow.

This is where the value of the Flash IDE comes in. I bet it took polygeek under 2 minutes to set up the display portion in his fla. I spent several hours leaning what a TextField is, how to format it, How to draw and why my lines where not where I thought they should be.

In the end I had a class with a constructor that was 50 lines long. I didnt like that at all. So I created a CrossHair object that is responsible for drawing the box and lines. Then I created a Label object that handled the formating of my TextField. Now things were looking like what I wanted.

The only thing I wanted to change from polygeeks example was to add a dynamic distance. That took me all of about 15 seconds.

In the end I am happy with the results. Just for fun as I was writing this I redid the example in mxml, utilizing the centering constraints and the styles to format the text. Whole process about a minute. So why bother with the AS3 version? The flex version of this application output a final swf that weighted in at just over 150 Kb. The AS3 version? 12 Kb. Twelve!

So while bandwidth is cheap, the AS3 version is considerably smaller. And next time it wont take me nearly as long as this time to put the AS3 example together. So what does this mean? Next time I need to put together an application or even a portion of the application, i will put serious consideration into wether or not I need the full mxml stack. Something I never really considered in the past.

If you want to check out my final code you can see it in my public svn repository here:

http://svn.simb.net/public/dropshadow/trunk/project/src/

I started using Freshbooks to do client invoicing and time tracking and have been very happy. When I saw they had an API to allow you to interact with their system I was very excited. Not because I need that, but because its an option. I started kicking around the API documentation and realized that they had library implementations for the FreshBooks API in ruby and perl and php, but none for actionscript. My first thought was how nice it would be to build and AIR application to do my data intake.

So I started a writing the FreshBooks API as an AS3 library. Its totally and miserably incomplete. In fact the only thing it can do right now is actually get your list of clients. Totally worthless. But what I have done is set up the framework for the additional libraries and the authentication stuff. Which not really a small achievement. I dont need this code, I was just playing around. So i wanted to get this post up in case some one out there was searching for such and thing and wanted to contribute to the code, or take over what I started.

What I have is posted in my public svn repository here:

http://svn.simb.net/public/freshbooks/api/trunk/

A quick code snippet to show you what you can do with this might look like this.

var fa:FreshBooks = new FreshBooks('https://YourUrl.freshbooks.com/api/xml-in','your-freshbooks-api-key');
var fc:ClientService = fa.getClientService();
fc.addEventListener(FreshBooksEvent.CLIENT_LIST, getClients);
fc.list();

private function getClients(event:FreshBooksEvent):void{
	clients = event.data as ArrayCollection;
}

The data property of the event class is an arraycollection of Client objects. So strong typing and happy days continue.

Let me know if this is useful for anyone. When i get done with the project I am working on I will likely continue building out the library. If you want to help, just let me know

I would like to think I am pretty good with the tools that make up the Flash platform. If you wanna talk Flex or AS3 I am your man. But I have come to realize that my flash skills are not up to par. Now what I mean by that is that if you take away my mx.* packages, I am a worthless little crybaby.

So my goal for the year 2008 is to become much more familiar with the tool set available in flash, but outside of my flex tool set. As such I took polygeeks drop shadow example and implemented it in just as3. I plan to do a bunch more of this stuff and playing with the drawing API. I also want to play with HaXe and look at Neko as a server side platform.

So stay tuned for any insights that I may have with regards to using AS3 without flex.