Flash 8 security hacks
By Justin Silverton
I recently came across the following message when I tried to run a flash program on a client’s machine:
The security dialog comes up because when you fire getURL() with Local Playback Security set to
“Access Local Files only”, it sees the getURL call as a request for a network resource (and pops up the
security dialog).
If you then set Local Playback Security to “Access Network”, that would normally allow the
call access to the network. But the requested communication is actually between a local SWF and a
local HTML file, so it sees that as a local file accessing a local file, which is outside of what’s
allowed when LPS is set to “Access Network”. The result is a Flash Player 8 Security Sandbox dialog.
For Developers, there are three ways to solve the above issue:
1. The end user has to use the Settings Manager to set local file security to “Always Allow” AND
they have to add the path to the file as a trusted path.
The direct path to this section of the online Settings Manager is
(http://www.macromedia.com/support/documentation/
en/flashplayer/help/s…).
The default is ‘always ask’. Change that to ‘Always Allow’.
Then add the path to your local content to the trusted locations. For example, if your content
is on a CD-ROM then you’d add the path to the CD (for example, “F:/”).
Doing these two things is essentially enabling a local trust file. The Settings Manager then
writes the trust file settings for you to the #SharedObjects (which is obfuscated so nobody can
crack it).
So that’s how you can do it if your users are internet-connected and you feel they’re savvy
enough to handle the steps.
What if your users are not internet connected? In that case you have to manually add the trust file
to one of two locations:
2. You can create a trust file in C:\Documents and Settings\\Application
Data\Macromedia\Flash Player\#Security\FlashPlayerTrust.
The name of the file can be whatever you want.
At minimum, the file needs one line of text: the path you want to trust.
Additional paths go one per line.
Do this if you just want to set up trust for one unique user account on that machine.
3. You can create a trust file in C:\WINDOWS\system32\Macromed\Flash\FlashPlayerTrust.
This is the same trust file as step #2, but sets it for all the users on this machine.
The catch here is that you have to be an admin on the machine to create this trust file.
Options #2 and #3 are obviously also available to end users who do have internet connections but
whom you might not want to direct to the Flash Player Settings Manager.
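The trust-file steps in options #2 and #3, as an added example that is not code from the original post: it resolves the per-user FlashPlayerTrust directory, writes trusted paths one per line, and reads every trust file back so the granted paths can be reviewed. Assumptions: `%APPDATA%` points at the user's Application Data folder, the file name `course_cd.cfg` and the sample paths are constructed, the file is written as UTF-8, and the whole-drive check is a review heuristic added here.

```python
import os
import re
import tempfile
from pathlib import Path

# Location from option 2, relative to the user's Application Data folder.
PER_USER_SUBDIR = Path("Macromedia", "Flash Player", "#Security", "FlashPlayerTrust")

def per_user_trust_dir(appdata=None):
    """Option 2 directory for the current user, resolved through %APPDATA%."""
    base = appdata or os.environ.get("APPDATA")
    if not base:
        raise RuntimeError("APPDATA is not set; pass the folder explicitly")
    return Path(base) / PER_USER_SUBDIR

def read_trusted_paths(trust_dir):
    """Map each trust file name to the non-blank lines (paths) it contains."""
    trust_dir = Path(trust_dir)
    found = {}
    if trust_dir.is_dir():
        for f in sorted(p for p in trust_dir.iterdir() if p.is_file()):
            text = f.read_text(encoding="utf-8", errors="replace")
            found[f.name] = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return found

def add_trusted_paths(trust_dir, file_name, paths):
    """Write paths one per line, keeping existing entries and skipping repeats."""
    trust_dir = Path(trust_dir)
    trust_dir.mkdir(parents=True, exist_ok=True)
    merged = read_trusted_paths(trust_dir).get(file_name, [])
    seen = {p.lower() for p in merged}  # Windows paths compare case-insensitively
    for p in (p.strip() for p in paths):
        if p and p.lower() not in seen:
            merged.append(p)
            seen.add(p.lower())
    (trust_dir / file_name).write_text("\n".join(merged) + "\n", encoding="utf-8")
    return merged

def whole_drive_entries(trust_dir):
    """Review aid (added heuristic): entries that trust an entire drive."""
    return [(name, p) for name, entries in read_trusted_paths(trust_dir).items()
            for p in entries if re.fullmatch(r"[A-Za-z]:[\\/]?", p)]

if __name__ == "__main__":
    # Constructed demo: a temp folder stands in for Application Data.
    demo = per_user_trust_dir(appdata=tempfile.mkdtemp())
    add_trusted_paths(demo, "course_cd.cfg", ["F:/", "C:/Training/Course1"])
    print(read_trusted_paths(demo), whole_drive_entries(demo))
```

For option #3, pass the all-users FlashPlayerTrust directory instead of the per-user one; writing there needs admin rights, as noted above.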
7 Comments so far
And what do you do if you are developing CDs for use in classrooms on computers with multiple users?
You have the fix automatically load into the user’s documents and settings folder (an API call in Windows can get the current user’s documents and settings folder). I have already created a fix for an app and it worked with multiple users. You can also use the fix that adds to the c:\windows\system32 folder, if you can get admin access.
Thanx Justin for the explanations and the solutions to fix the problem. But as you describe it: The problem only occurs when trying to access external sources from a local SWF file.
When developing software for client machines I recommend using not only the SWF Player or building an .exe projector file but using some professional tool like Flex or Screenweaver (which is at least open source). Those tools offer many features to extend your application and have access to much more than a local HTML file in your network. It’s great and for all the experienced Flash developers it’s the way to start over the desktop software development using the well known tools and languages.
Just my 2 cents
Michael,
In my specific case, I did not have the ability to use Flex or Screenweaver (great flash tools), so I had to use the methods I described above. The application involved was specifically designed to connect to a server outside of your local network (it actually accessed an XML configuration file).
I did not build it, I was only there to solve this issue.
so this is horrible. we provide cbt for the us government and this sandbox crap has virtually destroyed our main product. we use swfs as an interface of the javascript that handles all LMS communication and navigation throughout the course. it works fine in an http environment but the second we burn to disk (it has to be cd deliverable) nothing works. all i want is my content to run from a disk. is there no better fix than what’s listed above? government workstation security is way too high for me to script a trust file addition on the end machine.
this is flash we are talking about here…. there has to be some way to do this easily!
How to overcome this problem in Linux Environment?
Eric, it seems like this is an issue with publishing to the Flash 8 player. Have you tried publishing to the Flash 7 player? At least for the CD deliverable. Don’t know if you’re using functions that require 8.