March 10, 2008
Got connections? Check 'em!
If you use Adobe Flash Player to communicate with various servers, then you need to read this linked document now. Next month Adobe Flash Player will be tightening down on new varieties of server-identification fraud. Some existing real-world projects will break when run within the tighter security sandbox. You need to be in a position, now, where you know what is going to change:

(a) All socket connections will now require a policy file on the server, stating that the server explicitly permits such connections.

(b) A server-side policy file is also required to allow the Player to send arbitrary HTTP headers.

(c) If an old SWF and its HTML come from different domains, then the HTML must explicitly consent via "allowScriptAccess" -- new files already work this way, but SWF7 and below will be upgraded to match.

(d) "javascript:" pseudo-URLs will only be executed in ActionScript's getURL() and navigateToURL().

The general theme in the above is that each machine involved in a communication must give explicit permission to engage in such conversations with applications hosted within Adobe Flash Player. Resetting defaults is a hard task, but in today's new security environment, it must be done. Please do give a few minutes to the article, and spread the word if you can, thanks!
Posted by JohnDowdell at March 10, 2008 09:21 PM
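As an added example (not from the post, and not Adobe's own code), here is a minimal Python socket-policy responder for point (a) above: it answers Flash Player's NUL-terminated policy-file request with a policy that names a single domain and a bounded port list, optionally adds the header rule from point (b), and includes a pre-deployment check that rejects wildcard rules. The domain and port values are constructed placeholders.

```python
import socket
from typing import Optional
from xml.etree import ElementTree as ET

# Flash Player opens a side connection (port 843 by default) and sends exactly
# this NUL-terminated request before it allows a socket to a server.
POLICY_REQUEST = b"<policy-file-request/>\x00"


def build_socket_policy(allowed_domain: str, ports: str,
                        headers: Optional[str] = None) -> bytes:
    """Build a least-privilege policy: one domain, a bounded port list.
    A '*' domain or '*' ports would let any SWF on the web open raw sockets
    to this host, which is the exposure the Player update closes."""
    rules = [f'  <allow-access-from domain="{allowed_domain}" to-ports="{ports}"/>']
    if headers:  # point (b): explicit consent for custom HTTP request headers
        rules.append(f'  <allow-http-request-headers-from domain="{allowed_domain}"'
                     f' headers="{headers}"/>')
    policy = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">\n'
        '<cross-domain-policy>\n' + "\n".join(rules) + '\n'
        '</cross-domain-policy>\n'
    )
    return policy.encode("ascii")


def handle_request(data: bytes, policy: bytes) -> Optional[bytes]:
    """Return the NUL-terminated policy for a well-formed request; anything
    else gets None, so the caller just closes the connection."""
    if data == POLICY_REQUEST:
        return policy + b"\x00"
    return None


def policy_is_restrictive(policy: bytes) -> bool:
    """Pre-deployment check: refuse policies that grant access to everyone."""
    root = ET.fromstring(policy)
    for rule in root.iter("allow-access-from"):
        if rule.get("domain") == "*" or rule.get("to-ports", "*") == "*":
            return False
    return True


def serve_once(host: str, port: int, policy: bytes) -> None:
    """Answer a single policy request (binding to 843 needs privileges)."""
    with socket.socket() as srv:
        srv.bind((host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            reply = handle_request(conn.recv(1024), policy)
            if reply:
                conn.sendall(reply)
```

Run policy_is_restrictive on a policy before serving it; a "*" domain or port list is exactly the open default the Player update is meant to end.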
Comments
NB: Apologies in advance if I summarized any of the details incorrectly; please do go through the longer document for best information. For even more information on some of these subjects, see Deneb Meketa's article on Player 9 security changes, which advised of this newest set of policy-file requirements.
(When I read "What may be impacted?" I usually think a tooth or a colon, so I tried to summarize the changes in conversational English here.)
Posted by: John Dowdell at March 10, 2008 10:02 PM
Update: As I got a few pages further back in the aggregator, I see Emmy and Justin also gave single-screen summaries of the affected areas. Read them first; they've been thinking about this release longer than I have. ;-)
Posted by: John Dowdell at March 10, 2008 10:27 PM
It really steams me that Macromedia/Adobe never had the foresight to implement these things and now we all have to spend countless hours fixing dozens of sites to comply with their non-backwards-compatible "fixes." We're a small shop. We don't have tons of manpower to do this junk all the time. We recently had to change all of our sites to comply with the AllowScriptAccess snafu, now this. I have to say I'm chapped, but we're over a barrel. I wish there was some real competition to Flash. I'd be gone in a heartbeat.
[jd sez: It's a fair reaction, but I'm not sure how well-founded it is. All of these browser/network interactions were safe two years ago, but recently hackers have invested in finding ways to cross domain requests within a browser by ferrying messages via plugin. If you've got existing sites whose page contents cross domains, then we need to make communication permissions explicit now, sorry.]
Posted by: krees at March 11, 2008 09:58 AM