Category Archives: Actionscript

Adobe Flash Player’s Security-Sandbox is very restrictive

Adobe Flash Player’s Security-Sandbox is very good and we have not heard of any major security vulnerabilities so far. However, I think it can be made more intelligent; I have some use cases where I can’t do anything.

The XMLSocket API is cool; since its inception, developers have been able to create cool applications (multi-player games, chat apps, presence apps, etc.). XMLSocket servers (unity, swocket, etc.) need to comply with a specification in order to work with Flash Player (as a client). Since developers are using or creating custom servers, they can control various things on the server side, e.g. configuring the right security permissions, serving the right policy file (crossdomain.xml), etc.

With the Binary Socket API in Adobe Flash runtimes, things have changed a lot. Applications (for Adobe Flash runtimes) can now connect to servers using standard protocols (POP3, SMTP, databases, HTTP, etc.). It is a totally cool feature which allows the creation of kick-ass applications (Yahoo! Web Messenger, a MySQL driver, etc.). But Adobe Flash Player’s security sandbox limits the Binary Socket’s capabilities.

I have been working on a library (as3httpclient) to do more things (HTTP status messages, HTTP authentication over GET requests, support for more HTTP methods, etc.) which are not supported by the URLLoader API. This library (as3httpclient) doesn’t work in a deployed web application because Adobe Flash Player’s Security-Sandbox restricts it.

I have the following questions/concerns:

  • When URLLoader (or other such native APIs) can connect on any port, why can’t custom APIs (as3httpclient and others) connect?
  • Why can’t Flash Player be a little more intelligent and check whether the connection is being made to an HTTP server? Rules could be: if a connection is requested to the same domain and the destination port is assigned to an HTTP server, let communication happen. If the destination server:port is in a different domain, check for a valid crossdomain.xml and allow the connection.
  • Why doesn’t Flash Player consider the to-ports attribute if the policy file is served over HTTP?

With standards, we expect flexibility. We can’t expect an HTTP server to push a policy file to Flash clients. That’s not standard.
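
The rule proposed in the second question (match the requesting domain against crossdomain.xml, then honour to-ports) can be written as a small policy evaluator. The Python below is an added example, not code from this post or from Flash Player; the sample policy, the function names, the shell-style wildcard matching and the handling of a missing to-ports attribute are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample policy in the cross-domain-policy format (not from the post).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com" to-ports="80,443"/>
  <allow-access-from domain="*.partner.example" to-ports="8000-8100"/>
  <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>"""


def port_in_spec(spec, port):
    """True if port is covered by a to-ports value such as '80,443,8000-8100' or '*'."""
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        low, _, high = part.partition("-")
        if low.isdigit() and (high or low).isdigit():
            if int(low) <= port <= int(high or low):
                return True
    return False


def matching_rules(policy_xml, origin, port):
    """Return the (domain, to-ports) rules that would admit origin -> port."""
    hits = []
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = rule.get("domain", "")
        ports = rule.get("to-ports", "")  # assumption: no to-ports grants no ports
        # Simplification: shell-style wildcard match, case-insensitive.
        if fnmatchcase(origin.lower(), domain.lower()) and port_in_spec(ports, port):
            hits.append((domain, ports))
    return hits


def overly_broad(policy_xml):
    """Rules an operator should review: any origin, or any port."""
    return [(r.get("domain"), r.get("to-ports"))
            for r in ET.fromstring(policy_xml).iter("allow-access-from")
            if r.get("domain") == "*" or r.get("to-ports") == "*"]


if __name__ == "__main__":
    print(matching_rules(SAMPLE_POLICY, "app.example.com", 443))
    print(overly_broad(SAMPLE_POLICY))
```

With the wildcard rule removed from the sample, an unlisted origin gets no matching rule, which is the behaviour a tightly scoped policy file should have.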


Loading JavaScript file(s) using HTTPService/URLLoader

In my last post, I talked about a JavaScript Flex 2 component that can inject JavaScript code into the HTML wrapper’s context. I experimented to see if we can load JavaScript files (.js) using HTTPService (or flash.net.URLLoader) in Flex 2/AS3 projects and inject them.

Example Flex 2.0 code:

<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"
    xmlns="com.abdulqabiz.utils.*" width="100%" height="100%" creationComplete="onAppInit ()">
    <mx:Script>
    <![CDATA[
        import flash.external.ExternalInterface;
        import mx.events.*;
        import mx.rpc.events.*;
        import mx.rpc.http.HTTPService;
        import com.abdulqabiz.utils.JavaScript;

        private var javascript:JavaScript;
        private var service:HTTPService;

        // Request test.js as plain text once the application has been created.
        private function onAppInit ():void
        {
            service = new HTTPService ();
            service.url = "test.js";
            service.useProxy = false;
            service.resultFormat = "text";
            service.addEventListener ("result", injectJavaScript);
            service.send ();
        }

        // Hand the downloaded script text to the JavaScript component,
        // which injects it into the HTML wrapper's context.
        private function injectJavaScript (event:ResultEvent):void
        {
            javascript = new JavaScript ();
            javascript.source = String(event.result);
            trace ("javascript injected: " + event.result);
        }

        // Call the functions defined by the injected test.js.
        private function invokeSayHelloWorld ():void
        {
            ExternalInterface.call ("sayHelloWorld");
        }

        private function invokeSaySomething (str:String):void
        {
            ExternalInterface.call ("saySomething", str);
        }
    ]]>
    </mx:Script>
    <mx:Button label="invoke javascript saySomething () function" click="invokeSaySomething ('Hey, how are you?')"/>
    <mx:Button label="invoke javascript sayHelloWorld () function" click="invokeSayHelloWorld ()"/>
</mx:Application>

test.js used in the example:

//test.js
var myName = "Abdul Qabiz";

function saySomething (str)
{
    alert (str);
}

function sayHelloWorld ()
{
    alert ("Hello World!");
}

You need JavaScript.as (with the proper package directory structure) and test.js (code posted above) in place for the above example to work.
I am thinking of loading FABridge using this approach. I know it’s practically of no use except for keeping code and logic in one place.

JavaScript injection through ActionScript

In my last post, I showed how we can inject JavaScript using ActionScript or MXML into the host HTML container/page.

One more use case I can think of:

  • Request a server-side script to send JavaScript (for a specific browser) as a string.  Using the JavaScript class, I can inject the JavaScript in HTML