Tag Archives: socket

Adobe Flash Player’s Security-Sandbox is very restrictive

Adobe Flash Player Security-Sandbox is very good and we have not heard any major security vulnerabilities so far. However, I think, it can be made more intelligent, I have some use-cases where I can’t do anything.

XMLSocket API is cool, since it’s inception, developers could create cool applications (multi-player games, chat-apps, presence-apps etc). XMLSocket servers (unity, swocket etc) is needed to comply with a specification in order to work with Flash Player (as a client). Since developers are using/creating custom-servers, they could control various things on server-side, f.ex: configuring right security-permissions, serving right policy-file (crossdomain.xml) etc.

With Binary Socket API, in Adobe Flash runtimes, things have changed a lot. Applications (for Adobe Flash runtimes) can now connect to servers using standard protocols (POP3, SMTP, Databases, HTTP etc). Totally cool feature which allows creation of kick-ass applications (Yahoo! Web Messenger, mySql driver etc). But Adobe Flash Player’s security-sandbox is limiting Binary Socket’s capabilities.

I have been working on a library (as3httpclient) to do more things (http-status-messages, http-authentication over GET request, support for more http-methods etc) which are not supported by URLLoader API. This library (as3httpclient) doesn’t work in deployed web-application because Adobe Flash Player’s Security-Sandbox restricts it to.

I have following questions/concerns:-

  • When URLLoader (or other such native APIs) can connect on any port, why can’t custom APIs (as3httpclient and others) connect?
  • Why can’t Flash Player be little more intelligent to check, if connection is made to a HTTP server? Rules could be:- If connection is requested to same domain and destination-port is assigned to HTTP server, let communication happen. If destination server:port is in different domain, check for valid crossdomain.xml and allow the connection?
  • Why doesn’t Flash Player consider to-ports attributes, if policy-file is served over HTTP?

With standards, we expect flexibility. We can’t expect a HTTP server to push policy-file to Flash clients? That’s not standard.

Technorati tags: , , , ,

HTTP Authentication for HTTP/GET requests using ActionScript 3

I am working on ActionScript3 API for Bloglines services, which requires HTTP Authentication for its two of the services. I was not able to set the header of a HTTP/GET request. Macromedia Flash Player allows you set the header only for POST requests. I discussed this issues with Ted Patrick and he told me how I can us Socket to achieve the desired and he was very kind to give a me code-snippet, which got me started. Thanks Ted.

Finally, I could implement a class(HTTPURLLoader) which allows me to:

  • Add request-headers
  • Do HTTP Authentication for GET URLs
  • Handle HTTP status messages
  • Read the complete response header

It basically connects to a HTTP server on port 80(hardcoded for now) and sends an HTTP/1.0 request so that server closes the connection immediately after response. I could use HTTP/1.1 to keep connection alive and do things. But then closing connection would require some more logic, either a timeout logic if there is no activity on socket then close the connection, or find the end delimiter of response and then close. So I chose the easiest approach 🙂

I am still working on it and there is a lot(bugs-fixing, optimization, code-commenting, removing hardcoded stuff etc) to be done. I just wanted to share whatever I have done so far. I think, idea is more important than the implementation.
Anyways, I also implemented Base64 in AS3 and also OPML parser for Bloglines. I would soon upload the entire Bloglines AS3 API source.

Download the code:

View HTTPURLLoader Source and Example: