Flash Player security misunderstanding

February 25th, 2007

Up until now, I had been making some incorrect assumptions about Adobe Flash Player’s security model.

I had assumed that a SWF could not access anything outside of the domain from which it had been served, in general, without special allowances made by things like crossdomain.xml or System.security.allowDomain().

What I didn’t realize is that these domain restrictions do not apply to the simple use of, say, loadMovie() to load SWFs or JPGs from other domains! It is true that, in general, one SWF cannot read or alter information from another SWF that is loaded from another domain, but simply loading and displaying is fine.

And all this time I had shelved a number of ideas that I thought weren’t possible because of cross-domain issues. Hmmm…!

For reference, here is Adobe’s white paper on the Flash Player 9 security model (PDF) and a white paper on security-related APIs for ActionScript 1.0 and 2.0 (PDF).
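As an added illustration (my own, not code from the original post or from Adobe), here is a small JavaScript model of the distinction drawn above: loading a SWF or JPG for display is always permitted, reading the loaded data needs the resource host's crossdomain.xml to name the requesting host, and scripting another loaded SWF needs that SWF to call System.security.allowDomain(). The crossdomain.xml parser is regex-based, the wildcard handling is simplified to "*" and "*.suffix" (with the bare suffix also matching), and the sample policy and host names are constructed for the example.

```javascript
// Added example: a simplified model of the Flash Player cross-domain rules.
// Assumptions: crossdomain.xml uses <allow-access-from domain="..."/> entries,
// and wildcards are limited to "*" and "*.suffix". Hosts and policy text are
// constructed; nothing here talks to a real player or server.

// Pull the domain patterns out of a crossdomain.xml policy file.
function parseCrossDomainPolicy(xml) {
  const domains = [];
  const re = /<allow-access-from\b[^>]*\bdomain\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(xml)) !== null) domains.push(m[1].toLowerCase());
  return domains;
}

// Does a policy pattern cover the requesting host?
function domainMatches(pattern, host) {
  host = host.toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(2);
    return host === suffix || host.endsWith("." + suffix);
  }
  return pattern === host;
}

// Decide whether a SWF served from swfHost may perform `op` against a
// resource on resourceHost:
//   "display": loadMovie() of a SWF/JPG just to show it - always allowed.
//   "data":    reading loaded data (variables, XML, image pixels) - same host,
//              or the resource host's crossdomain.xml must match swfHost.
//   "script":  scripting a loaded SWF - same host, or the loaded SWF must
//              have passed swfHost to System.security.allowDomain().
function isAllowed(op, swfHost, resourceHost, opts = {}) {
  const sameHost = swfHost.toLowerCase() === resourceHost.toLowerCase();
  switch (op) {
    case "display":
      return true;
    case "data": {
      if (sameHost) return true;
      const policy = parseCrossDomainPolicy(opts.crossDomainXml || "");
      return policy.some((p) => domainMatches(p, swfHost));
    }
    case "script": {
      if (sameHost) return true;
      const allowed = opts.allowDomain || []; // hosts given to allowDomain()
      return allowed.some((p) => domainMatches(p, swfHost));
    }
    default:
      throw new Error("unknown operation: " + op);
  }
}

// Constructed sample policy, as a resource host might publish it.
const SAMPLE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="partner.test" />
</cross-domain-policy>`;

// Walk through the cases the post describes.
function demo() {
  return {
    displayAnywhere: isAllowed("display", "a.test", "b.test"),
    dataNoPolicy: isAllowed("data", "a.test", "b.test"),
    dataWithPolicy: isAllowed("data", "www.example.com", "b.test", { crossDomainXml: SAMPLE_POLICY }),
    dataBareSuffix: isAllowed("data", "example.com", "b.test", { crossDomainXml: SAMPLE_POLICY }),
    scriptNoAllow: isAllowed("script", "a.test", "b.test"),
    scriptAllowed: isAllowed("script", "a.test", "b.test", { allowDomain: ["a.test"] }),
  };
}
```

The point of the model is the asymmetry: the loading side never needs permission, so the controls worth checking are on the resource host (what its crossdomain.xml grants) and in the loaded SWF (what it passes to allowDomain()).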

Scratch that

January 27th, 2007

Serves me right for posting at 5 AM. I wrote that the embed tag couldn’t force a MIME type, but of course, it can, just like the object tag.

Never mind!

New MySpace embed rewriting “breaks” Flash preloaders

January 26th, 2007

I did a very quick test, and it does appear that the way MySpace uses the <object> tag prevents Flash preloaders from appearing as expected in Internet Explorer (tested versions 6 and 7 for Windows). This is the issue that the Flash Satay article reports on. I will attempt to explain it below, as well, and how it applies to MySpace in particular:

In normal situations, the Flash plugin or ActiveX control will start playing a Flash movie as soon as it has loaded the first frame. Flash movies often put up a progress bar that lets the user know how much longer they will have to wait for the movie to finish loading.

On MySpace, Flash movies now only show a generic graphic icon until the entire Flash movie is loaded, instead of starting immediately. This means that the Flash movie has no opportunity to display its own progress bar to indicate loading status (or to just start playing if preloading is not necessary).

Before

[Image: how it used to work]

This is the way it is expected to look, and how it does work in Firefox (or in IE when embed or IE’s preferred object tag is used).

After

[Image: how it looks now]

This is the way Flash movies look on MySpace in IE now, before they have finished loading. Obviously, this is much less attractive and gives no feedback to the user. Worse, if a movie does not require a preloader and expects to be able to stream and play its content as it loads, it is unable to do so.

If MySpace wants to rewrite embeds so drastically, I wish they would just use Geoff Stearns’ SWFObject instead. Not only would that solve the preloading problem above, but it would also fix the Eolas “click-to-activate” issue that is still present when viewing user-embedded Flash movies on MySpace with IE.

Appendix

Here is the way Internet Explorer “prefers” to see the object tag, and is the way that the Flash IDE by default writes out the object tag. However, I believe it is not W3C-standards-compliant (and is also not compatible with Firefox, Safari, etc). When this form of the object tag is used, Flash preloaders work as expected:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="320" height="200" id="objectloadingtest" align="middle">
<param name="movie" value="http://bunnyherolabs.com/misc/objectloadingtest.swf" />
...

This is the way MySpace rewrites the object tag, and causes the preload problem. It is (I believe) W3C-standards-compliant.

<object type="application/x-shockwave-flash" data="http://bunnyherolabs.com/misc/objectloadingtest.swf" height="200" width="320" align="middle">
<param name="movie" value="http://bunnyherolabs.com/misc/objectloadingtest.swf" />
...

MySpace changes their Flash/embed filtering again

January 18th, 2007

Mashable reports on MySpace’s new <embed> tag changes. It looked like MySpace was disabling all embed tags, but it seems that they were rolling out this big change. It’s explained better in Chris Bennett’s comment to that post, which I reproduce below (I hope he doesn’t mind):

14. Chris Bennett – January 18, 2007

Before:
MySpace required embed tags to embed Flash content. The preferred method was to embed via the object tag, but that was completely stripped out by MySpace.

This morning:
MySpace began rolling out a change that would block embed tags, but allow object tags for embedded content. This caused some users to report stickers as “not working.”

This morning + n hours:
MySpace finished the change that converted a user’s embed tags to properly formatted object tags and therefore allowed.

Soon, all embedded objects on MySpace will be using object instead of embed. The previous restrictions such as “allownetworking = internal”, “allowScriptAccess = never”, “enableJSURL = false”, and “enableHREF = false” all remain. One new FlashVar I do not recognize is “saveEmbedTags = true” which is probably an internal flag to MySpace.

This is probably part of a larger, more-intelligent Flash filtering solution that would lend itself to a situation where MySpace acts as a gatekeeper to Flash stickers (as discussed).

I wrote about some of MySpace’s previous changes to embedding code in my old tech blog.

I am wondering about the possible technical implications of this change. According to Drew McLennan’s Flash Satay article, the form of the <object> tag that MySpace is using does not stream large Flash movies! To quote the article:

After testing with some largish movies, I noticed something amiss. While every other browser was getting it right, IE/Windows was not streaming—it was waiting for the entire movie to download before playing it. This is fine for small movies, but for anything serious, the lack of streaming is unacceptable.

I haven’t tested this to see if this is still true with the latest versions of IE6 and IE7. If so, this kind of sucks :( Progress bars will not work in such a world, unless everything is “satayed” as described in McLennan’s article.

I guess we shall see what other effects this might have, and what other changes MySpace might make in the near future. If the past is any indication, there will be zero official word from MySpace about this.
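As an added example (my own code, not MySpace’s filter and not from either post), here is a small JavaScript checker that looks at an <object> snippet and reports which of the two forms from the appendix of the previous post it uses, and whether the restrictive parameters Chris lists (allowScriptAccess=never, allowNetworking=internal) are present. The attribute parser is regex-based and assumes double-quoted values; the two snippets are constructed from the appendix, with the parameters added to the rewritten one.

```javascript
// Added example: classify an <object> tag and check for the restrictive Flash
// params the post mentions. Regex-based, assumes double-quoted attribute values.
// The sample snippets below are constructed for the example.

// Parse name="value" pairs out of a single tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Collect <param name value> pairs, keyed by lower-cased name.
function parseParams(html) {
  const params = {};
  const re = /<param\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if (a.name) params[a.name.toLowerCase()] = a.value || "";
  }
  return params;
}

function inspectObjectEmbed(html) {
  const open = html.match(/<object\b[^>]*>/i);
  if (!open) return { form: "none", swf: undefined, issues: ["no <object> tag"] };
  const a = parseAttrs(open[0]);
  const params = parseParams(html);
  const issues = [];
  let form;
  if (a.classid) {
    form = "classid"; // IE / Flash IDE form: preloaders stream as expected
  } else if (a.type === "application/x-shockwave-flash" && a.data) {
    form = "type-data"; // standards form MySpace writes: IE waits for the whole SWF
  } else {
    form = "unknown";
  }
  const swf = a.data || params.movie;
  if (!swf) issues.push("no movie source");
  // Settings the comment lists as still enforced; require each, with its value.
  const required = { allowscriptaccess: "never", allownetworking: "internal" };
  for (const [name, want] of Object.entries(required)) {
    const have = params[name];
    if (have === undefined) issues.push("missing param " + name);
    else if (have.toLowerCase() !== want) issues.push(name + "=" + have + ", expected " + want);
  }
  return { form, swf, issues };
}

// Constructed sample: the IE-preferred form from the appendix, no restrictions.
const IE_FORM = `<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="320" height="200">
<param name="movie" value="http://bunnyherolabs.com/misc/objectloadingtest.swf" />
</object>`;

// Constructed sample: the rewritten form, with the restrictive params added.
const REWRITTEN_FORM = `<object type="application/x-shockwave-flash" data="http://bunnyherolabs.com/misc/objectloadingtest.swf" height="200" width="320">
<param name="movie" value="http://bunnyherolabs.com/misc/objectloadingtest.swf" />
<param name="allowScriptAccess" value="never" />
<param name="allowNetworking" value="internal" />
</object>`;
```

Run inspectObjectEmbed() on a snippet before publishing it: the "classid" result tells you the streaming behaviour the post describes will hold in IE, and a non-empty issues list tells you which of the listed restrictions a user-supplied tag is missing.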

My first custom Flash panel

January 16th, 2007

I ended up using a different approach to my panel, so I didn’t investigate the problem I was having in my previous post. I’m not running into the issue now, so perhaps it was just something weird with my code.

[Image: hierarchical animation panel]

Here’s what my panel looks like at the moment. The interface is very rough and I’m sure it would make no sense to anyone but myself. It’s a bit of a pain to use, too.

My panel does not monitor the current selection. I tried the test that I linked to in my previous post, and in Flash 8 (at least for me) it causes the IDE to go all wonky: the mouse pointer flickers and changes, and double-clicking on things on the stage doesn’t always work. The symptoms continue even after closing the panel, sometimes! How strange.

Instead, the user has to select the element and then click on the “Get” button. This loads the selection’s information into the panel. “Set” puts the information back into the currently selected element. It’s all rather awkward.

The following two buttons require some explanation. “Memorize Children Pos” takes a snapshot of the positions and orientations of all of the selected element’s “children.” The element’s children are listed in the text area above. Clicking on “Make Children Follow” repositions all of the children of the selected element so that they maintain the same relative positions and orientations as they did when “Memorize” was clicked. Yes, hierarchies of any arbitrary depth are supported, so the children of children (etc) are also moved accordingly.
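As an added example (not the panel’s source, which has not been released), here is the matrix bookkeeping that “Memorize Children Pos” and “Make Children Follow” imply. It assumes the JSFL element.matrix convention {a, b, c, d, tx, ty} (x' = a*x + c*y + tx, y' = b*x + d*y + ty), but works on plain objects so it runs outside the IDE; the stage, the parent/child mapping and the element names are constructed.

```javascript
// Added example: memorize each descendant's matrix relative to its direct
// parent, then rebuild absolute matrices after the root moves. Assumes the
// JSFL {a, b, c, d, tx, ty} convention; the stage below is constructed.

// Matrix that applies `first`, then `second`.
function compose(first, second) {
  return {
    a: second.a * first.a + second.c * first.b,
    b: second.b * first.a + second.d * first.b,
    c: second.a * first.c + second.c * first.d,
    d: second.b * first.c + second.d * first.d,
    tx: second.a * first.tx + second.c * first.ty + second.tx,
    ty: second.b * first.tx + second.d * first.ty + second.ty,
  };
}

function invert(m) {
  const det = m.a * m.d - m.b * m.c;
  if (det === 0) throw new Error("singular matrix");
  return {
    a: m.d / det, b: -m.b / det,
    c: -m.c / det, d: m.a / det,
    tx: (m.c * m.ty - m.d * m.tx) / det,
    ty: (m.b * m.tx - m.a * m.ty) / det,
  };
}

function applyTo(m, p) {
  return { x: m.a * p.x + m.c * p.y + m.tx, y: m.b * p.x + m.d * p.y + m.ty };
}

// "Memorize Children Pos": for every descendant of `root`, record its matrix
// expressed in its direct parent's coordinate space. Recurses to any depth.
function memorize(stage, tree, root, snapshot = {}) {
  for (const child of tree[root] || []) {
    snapshot[child] = compose(stage[child], invert(stage[root]));
    memorize(stage, tree, child, snapshot);
  }
  return snapshot;
}

// "Make Children Follow": after `root` has been moved, rebuild each
// descendant's absolute matrix from its remembered relative matrix, top-down,
// so children of children inherit the move as well.
function follow(stage, tree, root, snapshot) {
  for (const child of tree[root] || []) {
    stage[child] = compose(snapshot[child], stage[root]);
    follow(stage, tree, child, snapshot);
  }
  return stage;
}

function translation(tx, ty) {
  return { a: 1, b: 0, c: 0, d: 1, tx, ty };
}

// Constructed three-level chain: torso -> arm -> hand, each 5px further along.
function demo() {
  const stage = {
    torso: translation(10, 20),
    arm: translation(15, 25),
    hand: translation(20, 30),
  };
  const tree = { torso: ["arm"], arm: ["hand"] };
  const snap = memorize(stage, tree, "torso");
  // Move the root: rotate 90 degrees and place it at (100, 100).
  stage.torso = { a: 0, b: 1, c: -1, d: 0, tx: 100, ty: 100 };
  follow(stage, tree, "torso", snap);
  return stage;
}
```

In the IDE the same two functions would read and write element.matrix for the selected element and its listed children; the relative-to-parent snapshot is what makes arbitrary depth work, since each level only needs its own parent’s new matrix.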

I am going to continue to use this panel, and perhaps release it, and the source code, at some point. It’s all pretty rough, though, so I am a little hesitant to do so.

JSFL: persistent data not being saved with FLA document?

January 15th, 2007

Now I’m having trouble with persistent data (set with element.setPersistentData()) being consistently saved when the FLA file is saved. It seems to save correctly with some elements, and not others. It could well be a problem with my code–and for all I know it’s being saved, but it’s not being retrieved properly. I’ll have to try to reduce this down to a reproducible case to see if it really is a Flash bug. Argh.

My first steps with JSFL

January 15th, 2007

I’ve started playing with JSFL, which is JavaScript for the Flash IDE. More specifically, I’m creating a custom panel that I hope will make hierarchical animation easier to do on the timeline (at least the way I do it).

Unfortunately, it doesn’t really seem possible to make a panel that updates itself when the selection in the IDE changes (the way the built-in panels do), at least not elegantly or reliably. I suppose it is possible, by having the panel constantly poll the state of the selection, but that seems like a waste of resources, and at least one person out there seems to be having problems with that technique, although I haven’t tried it myself in Flash 8 (looks like the bug still existed in 7.2). I may try it that way anyway…

What I really want are events that my panel can respond to: selection changes, elements being moved, etc.

Another issue I’ve run into: when setting an element’s transformation matrix, the element moves as expected, but the transformation point doesn’t move with it! This leads to some really strange tweening unless you manually reset the transformation point (I just double-click on it with the Free Transform Tool). This will make my panel a real pain to use.

Hmmm… doing some snooping around, it looks like it is possible to change the transformation point using the document.setTransformationPoint() method. However, it only affects the selected elements, which means my code will have to select each element in order to fix it up. Rather messy, but if it works…

Widgetbox

December 24th, 2006

I’ve made my cyber-pets available on Widgetbox. Widgetbox is, in their words, “an online directory of web widgets for blogs and other web pages.”

From a developer’s point of view, Widgetbox is great to work with. Creating or modifying a widget to work within Widgetbox’s system is pretty easy. The multi-step process wizard is very easy to understand, and they give you a lot of options. Your widget can be HTML and hosted by Widgetbox, or you can host the widget yourself (which is what I am doing) and still have it configurable at the Widgetbox site.

From an end-user’s point of view, acquiring and configuring widgets is quite straightforward and consistent. You collect widgets on “panels,” which are groups of widgets. You can then install the panel on your blog or website.

Widgetizing the pets was a lot easier than I had expected. As a counter-example, I’ve been looking to widgetize my pets for the Windows Live Spaces platform (they call them “gadgets” over there), but it doesn’t look nearly as straightforward.

Thumbs up :)

PlayStation 3 Flash and browser info

December 21st, 2006

The “About Flash” page reports that the PS3 is running Flash Player 7.0.70.0.

The User-Agent is reported as “Mozilla/5.0 (PLAYSTATION 3; 1.00)”.

For what it’s worth :)

I have not run any JavaScript or rendering tests or anything like that. I should see if anyone else has already.

EDIT: Aha! Someone has, and seems to have done quite an exhaustive job of it. Very handy, bookmarking now :)

Ha ha, what happened?

December 13th, 2006

Yes, yet another blog founders. Or flounders. No, seriously, I do intend to keep posting! I’ve got the material, I just need to write it ;-)

And I got a PlayStation 3, so I hope to write a few notes on its browser, soon, too.

Thanks!