18 March 2008 ~ 14 Comments

April Flash Player Updates

Technology

Last week Adobe released the details of an update for Flash Player that will be released next month. While Flash player updates are typically nothing to be concerned with, this time may be different. If you use flash to connect to an outside source for data you need to review this document and see how you will be affected.

Customers for whom the following situations apply should read the article in detail:

  • Use of sockets or XMLSockets, regardless of the domain the SWF is connecting to
  • Use of addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain OR Provides access to content on remote domains as a web service provider
  • Use of SWFs that are exported for Flash Player 7 (SWF7) or below that communicate with the hosting HTML by any means
  • Use of “javascript:” through network APIs to communicate outside a SWF

Specifically the second item is important for me as I have posted about an issue regarding using HTTP Authorization headers in flash player recently. In the 9.0.115 update to flash player were some some significant changes to security model of flash, including the restriction of some previously unrestricted request headers. This change was made in response to a security bulletin but had some negative side effects for developers using HTTP Basic Auth for security on web services.

Through the improvements in the April update a solution has been provided to allow HTTP Request headers to be allowed by 3rd parties. In the same way web service providers currently must post a cross-domain-policy file at the root of the site to provide flash player access, providers can now add to that cross-domain-policy file a node which defines what hosts may pass additional headers. By supplementing the <allow-access-from domain=”*” /> policy with <allow-http-request-headers-from domain = “*” /> web service providers can again allow users to send Authorization http request headers to remote servers.

There are several other changes that will be pushed out to Flash Player in the April update. If you are an Adobe Technology Platform developer utilizing the flash player you need to give this article a read. The only downside to all this is that we will have to wait for this update to push to a significant number of users before we can count on this solution for our customers. I hope your business is in a position to help users upgrade quickly :)

Tags: , ,

14 Responses to “April Flash Player Updates”

  1. Randy Troppmann 28 May 2008 at 8:13 am Permalink

    Thanks for the info Simeon!

    I think there is a small syntax error in your post:

    should be

    - Randy

  2. Brett Adam 28 June 2008 at 7:17 am Permalink

    Sure, except where you’re trying to use HTTPService with GET which won’t pass *any* headers at all. HTTP POST works fine with the right crossdomain.xml in place, but not GET.

    What gives? Have Adobe fallen victims to knee-jerk security response rather than carefully thought out responses?

    The current situation with Flash/Flex and basic HTTP service access is a disgrace.

  3. Simeon 28 June 2008 at 7:37 am Permalink

    Hey Brett,

    It has always seemed odd to me that you can’t pass headers with a get request. But that is not anything new to these security releases.

    Their are other libs that have been created to pick up where httpservice leaves off. Maybe one of those can help you with your app.

  4. Jason 7 July 2008 at 2:50 pm Permalink

    So from what I’ve been reading, there is a version of Flash player out in the wild that support no Authentication: header, even with a proper crossdomain.xml. Is this true?

  5. Simeon 7 July 2008 at 3:30 pm Permalink

    Yeah you got it jason. the Flash player 9.0.115 had no way to pass a header called authorize. Depending on your setup you could use another header that is not restricted and then use mod_rewrite on the serverside to move things along.

    Or just force your uses into the new flash player which can use them again when the crossdomain.xml file setup correctly.

  6. brett 7 August 2008 at 3:50 pm Permalink

    Hey Simeon,

    Excellent informative posts on this topic. I’m pretty new to Flex and have quickly run into this issue needing to call a web-service outside of my domain that needs basic auth.

    As I read the crossdomain.xml spec – it appears that the web-service location needs to host the crossdomain.xml file – not the .swf file location. While that is probably fine for owners of both domains, what if my desired web-service is Amazon S3 or some Google API that requires basic Auth. Asking Amazon or Google to list my site obviously isn’t going to happen.

    Am I mis-interpreting the spec?
    Thx,
    -Brett

  7. Simeon 8 August 2008 at 8:55 am Permalink

    Hey brett. You are exactly right. The crossdomain file goes on the server which holds the webservice. This allows them to define who can have access.

    In terms of your examples. There is a ticket in googles site to work on this. I am not where I can grab that ticket number. Amazon has been really good about their cross domain stuff. I know several flash based apps that pull resources from s3.

    Hope that helps.

  8. SiggeLund 25 August 2008 at 6:51 am Permalink

    Hey

    I was trying out your solution to the problem, using the following code snippet:

    function fetchData(url:String,credentials:String):void
    {
    var request:URLRequest = new URLRequest(url);
    request.method = URLRequestMethod.POST;
    var authHeader:URLRequestHeader = new URLRequestHeader(“Authorization”,”Basic ” + credentials);
    request.requestHeaders.push(authHeader);

    var loader:URLLoader = new URLLoader();
    loader.addEventListener(Event.COMPLETE, handleComplete);
    loader.addEventListener(IOErrorEvent.IO_ERROR, onIOError);
    loader.addEventListener(HTTPStatusEvent.HTTP_STATUS, onHttpStatus);
    loader.load(request);
    }

    I am developing in the Flash Authoring Tool (CS3).
    The XML source is at the same domain as the swf-file.
    I have added the suggested directive to the cross-domain file.

    However the line:
    request.requestHeaders.push(authHeader);

    crashes with the following message:
    ArgumentError: Error #2096: The HTTP request header Authorization cannot be set via ActionScript.

    Is this supposed to work in the later releases of Flash?

  9. H2Obrain 17 September 2008 at 1:13 am Permalink

    to SiggeLind

    this worked for me in version 124

  10. H2Obrain 17 September 2008 at 1:22 am Permalink

    OK.. now i get it :)

    http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403030&sliceId=2
    (there’s a listing for every flash-player 9 release)

    Starting with Flash Player 9.0.124:

    In Flash Player 9.0.124.0 the Authorization header is no longer blocked. For more detail see “An Authorization header does not work for an HTTP request” (TechNote kb403184).

  11. Leif 1 March 2009 at 12:52 am Permalink

    @SiggeLund

    I have the same scenario and snippet as Siggelund posted above on Aug 25th.

    I have files installed in two places. These files are identical:

    1) My personal computer: Files in the same folder: crossdomain.xml, index.html, test.swf, test.fla.

    2) On the server: Files in the root directory of http://www.example.com: crossdomain.xml, index.html, test.swf

    (For utter clarity, the swf is embedded in the html.)

    Here are my 3 test setups:

    A) Flash CS3 environment – compiling and running the swf in the player alone. I get the Argument Error #2096 as discussed plenty above. I don’t see a way to control which version of the player is used when I compile the .fla. I have 9.0.124 installed, so I assume it’s using that one, and if it is, why would I still get this error?

    B) Loading index.html (from files on setup 1) in Firefox, with Flash 9.0.124 installed. This works just as expected. Couldn’t be happier.

    C) Loading http://www.example.com, in same browser, I get a security error: [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2170"]

    I’m mainly interested in knowing why C doesn’t work, but also would like to understand why A doesn’t work.

    I started to think that the site to which I’m sending my POST needs to have the cross domain policy file on THEIR server, not mine . . . but the success of test setup B rules out that thought.

    Any help is much appreciated.

    Below is my cross domain policy file:

  12. Leif 1 March 2009 at 12:58 am Permalink

    @Leif
    My xml got stripped. I’ll attempt to show my cross domain policy again (I have manually stripped the brackets)

    cross-domain-policy
    allow-access-from domain=”*” secure=”*”/
    allow-http-request-headers-from domain=”*”/
    /cross-domain-policy

  13. tom 19 September 2009 at 9:35 am Permalink

    Adobe security guys suck…they don’t understand the security problem very well… but they use their pighead to trouble the developer.


Leave a Reply

PHVsPjxsaT48c3Ryb25nPndvb19hYm91dDwvc3Ryb25nPiAtIEhpISBNeSBuYW1lIGlzIFNpbWVvbiBCYXRlbWFuIGFuZCBJIGFtIGEgd2ViIGFwcGxpY2F0aW9uIGRldmVsb3BlciBzcGVjaWFsaXppbmcgaW4gdGhlIEFkb2JlIEZsYXNoIFBsYXRmb3JtLiAgSSBhbSBhbiBBZG9iZSBDb21tdW5pdHkgUHJvZmVzc2lvbmFsIGFuZCBhbiBBZG9iZSBDZXJ0aWZpZWQgVHJhaW5lciBmb3IgRmxleCBhbmQgQUlSLiAgSSBhbSBhbHNvIHRoZSBQcmluY2lwbGUgSW5zdGlnYXRvciBmb3IgUE5XIFJhaW4gTExDIGEgUklBIGNvbnN1bHRpbmcgYW5kIG1lbnRvcmluZyBjb21wYW55LjwvbGk+PGxpPjxzdHJvbmc+d29vX2Fkc19yb3RhdGU8L3N0cm9uZz4gLSB0cnVlPC9saT48bGk+PHN0cm9uZz53b29fYWRfaW1hZ2VfMTwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbS9hZHMvd29vdGhlbWVzLTEyNXgxMjUtMS5naWY8L2xpPjxsaT48c3Ryb25nPndvb19hZF9pbWFnZV8yPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tL2Fkcy93b290aGVtZXMtMTI1eDEyNS0yLmdpZjwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX2ltYWdlXzM8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb20vYWRzL3dvb3RoZW1lcy0xMjV4MTI1LTMuZ2lmPC9saT48bGk+PHN0cm9uZz53b29fYWRfaW1hZ2VfNDwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbS9hZHMvd29vdGhlbWVzLTEyNXgxMjUtNC5naWY8L2xpPjxsaT48c3Ryb25nPndvb19hZF90b3A8L3N0cm9uZz4gLSBmYWxzZTwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX3RvcF9hZHNlbnNlPC9zdHJvbmc+IC0gPC9saT48bGk+PHN0cm9uZz53b29fYWRfdG9wX2ltYWdlPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tL2Fkcy93b290aGVtZXMtNDY4eDYwLTIuZ2lmPC9saT48bGk+PHN0cm9uZz53b29fYWRfdG9wX3VybDwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbTwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX3VybF8xPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tPC9saT48bGk+PHN0cm9uZz53b29fYWRfdXJsXzI8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb208L2xpPjxsaT48c3Ryb25nPndvb19hZF91cmxfMzwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbTwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX3VybF80PC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tPC9saT48bGk+PHN0cm9uZz53b29fYWx0X3N0eWxlc2hlZXQ8L3N0cm9uZz4gLSBraGFraS5jc3M8L2xpPjxsaT48c3Ryb25nPndvb19hdXRvX2ltZzwvc3Ryb25nPiAtIGZhbHNlPC9saT48bGk+PHN0cm9uZz53b29fY2F0X21lbnU8L3N0cm9uZz4gLSBmYWxzZTwvbGk+PGxpPjxzdHJvbmc+d29vX2NvbnRlbnRfYXJjaGl2ZXM8L3N0cm9uZz4gLSBmYWxzZTwvbGk+PGxpPjxzdHJvbmc+d29vX2NvbnRlbnRfaG9tZTwvc3Ryb25nPiAtIGZhbHNlPC9saT48bGk+PHN0cm9uZz53b29fY3VzdG9tX2Nzczwvc3Ryb25nPiAtIDwvbGk+PGxpPjxzdHJvbmc+d29vX2N1c3RvbV9mYXZpY29uPC9zdHJvbmc+IC0gPC9saT48bGk+PHN0cm9uZz53b29fZmFjZWJvb2s8L3N0cm9uZz4gLSBzaW1iYXRlbWFuPC9saT48bGk+PHN0cm9uZz53b29fZmVlZGJ1cm5lcl91cmw8L3N0cm9uZz4gLSA8L2xpPjxsaT48c3Ryb25nPndvb19mb290X2NhdF9tZW51PC9zdHJvbmc+IC0gZmFsc2U8L2xpPjxsaT48c3Ryb25nPndvb19mb290X25hdl9leGNsdWRlPC9zdHJvbmc+IC0gPC9saT48bGk+PHN0cm9uZz53b29fZ29vZ2xlX2FuYWx5dGljczwvc3Ryb25nPiAtIDxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPg0KdmFyIGdhSnNIb3N0ID0gKChcImh0dHBzOlwiID09IGRvY3VtZW50LmxvY2F0aW9uLnByb3RvY29sKSA/IFwiaHR0cHM6Ly9zc2wuXCIgOiBcImh0dHA6Ly93d3cuXCIpOw0KZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoXCIlM0NzY3JpcHQgc3JjPVwnXCIgKyBnYUpzSG9zdCArIFwiZ29vZ2xlLWFuYWx5dGljcy5jb20vZ2EuanNcJyB0eXBlPVwndGV4dC9qYXZhc2NyaXB0XCclM0UlM0Mvc2NyaXB0JTNFXCIpKTsNCjwvc2NyaXB0Pg0KPHNjcmlwdCB0eXBlPVwidGV4dC9qYXZhc2NyaXB0XCI+DQp0cnkgew0KdmFyIHBhZ2VUcmFja2VyID0gX2dhdC5fZ2V0VHJhY2tlcihcIlVBLTExMTUwNTYtNFwiKTsNCnBhZ2VUcmFja2VyLl90cmFja1BhZ2V2aWV3KCk7DQp9IGNhdGNoKGVycikge308L3NjcmlwdD4NCjwhLS0gUGl3aWsgLS0+DQo8c2NyaXB0IHR5cGU9XCJ0ZXh0L2phdmFzY3JpcHRcIj4NCnZhciBwa0Jhc2VVUkwgPSAoKFwiaHR0cHM6XCIgPT0gZG9jdW1lbnQubG9jYXRpb24ucHJvdG9jb2wpID8gXCJodHRwczovL3N0YXRzLnBud3JhaW4uY29tL1wiIDogXCJodHRwOi8vc3RhdHMucG53cmFpbi5jb20vXCIpOw0KZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoXCIlM0NzY3JpcHQgc3JjPVwnXCIgKyBwa0Jhc2VVUkwgKyBcInBpd2lrLmpzXCcgdHlwZT1cJ3RleHQvamF2YXNjcmlwdFwnJTNFJTNDL3NjcmlwdCUzRVwiKSk7DQo8L3NjcmlwdD48c2NyaXB0IHR5cGU9XCJ0ZXh0L2phdmFzY3JpcHRcIj4NCnRyeSB7DQp2YXIgcGl3aWtUcmFja2VyID0gUGl3aWsuZ2V0VHJhY2tlcihwa0Jhc2VVUkwgKyBcInBpd2lrLnBocFwiLCAxKTsNCnBpd2lrVHJhY2tlci50cmFja1BhZ2VWaWV3KCk7DQpwaXdpa1RyYWNrZXIuZW5hYmxlTGlua1RyYWNraW5nKCk7DQp9IGNhdGNoKCBlcnIgKSB7fQ0KPC9zY3JpcHQ+PG5vc2NyaXB0PjxwPjxpbWcgc3JjPVwiaHR0cDovL3N0YXRzLnBud3JhaW4uY29tL3Bpd2lrLnBocD9pZHNpdGU9MVwiIHN0eWxlPVwiYm9yZGVyOjBcIiBhbHQ9XCJcIiAvPjwvcD48L25vc2NyaXB0Pg0KPCEtLSBFbmQgUGl3aWsgVGFnIC0tPjwvbGk+PGxpPjxzdHJvbmc+d29vX2xvZ288L3N0cm9uZz4gLSAvYXNzZXRzL2ltYWdlcy9iZWNhdXNlSVNhaWRTby5wbmc8L2xpPjxsaT48c3Ryb25nPndvb19tYW51YWw8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb20vc3VwcG9ydC90aGVtZS1kb2N1bWVudGF0aW9uL21haW5zdHJlYW08L2xpPjxsaT48c3Ryb25nPndvb19uYXZfZXhjbHVkZTwvc3Ryb25nPiAtIDwvbGk+PGxpPjxzdHJvbmc+d29vX3Byb2ZpbGU8L3N0cm9uZz4gLSBodHRwOi8vaTMueXRpbWcuY29tL3ZpL3I5YWRpTU5aNEY0L2RlZmF1bHQuanBnPC9saT48bGk+PHN0cm9uZz53b29fcmVzaXplPC9zdHJvbmc+IC0gdHJ1ZTwvbGk+PGxpPjxzdHJvbmc+d29vX3Nob3J0bmFtZTwvc3Ryb25nPiAtIHdvbzwvbGk+PGxpPjxzdHJvbmc+d29vX3RoZW1lbmFtZTwvc3Ryb25nPiAtIE1haW5zdHJlYW08L2xpPjxsaT48c3Ryb25nPndvb190aHVtYl9oZWlnaHQ8L3N0cm9uZz4gLSAxMDA8L2xpPjxsaT48c3Ryb25nPndvb190aHVtYl93aWR0aDwvc3Ryb25nPiAtIDEwMDwvbGk+PGxpPjxzdHJvbmc+d29vX3R3aXR0ZXI8L3N0cm9uZz4gLSBzaW1iYXRlbWFuPC9saT48L3VsPg==