New security whitepaper for Flash Player 9 available

The updated Security Whitepaper for Flash Player 9 is now available on the Flash Player Developer Center. This whitepaper focuses on the security-related features of Flash Player, and describes both features introduced in previous players and new enhancements in Flash Player 9. With Flash Player 9, we introduced a few new security features, but the basic security model is unchanged. Many of these features are a result of the new ActionScript 3.0 language and AVM2.

New in Flash Player 9 (excerpt from page 12)
* The ActionScript 3.0 display list: This new architecture for working with onscreen objects provides more efficient code for checking the security restrictions for content loaded from different domains.

* Greater restriction of cross-domain visual and sound elements: New restrictions prevent (by default) SWF files from different domains inappropriately overlaying visual content in an application or from inappropriately stopping audio.

* Import loading of SWF files: When loading another SWF file, a loading SWF file can request that Flash Player check for a cross-domain policy file on the loaded file’s server, and if granted permission, the loading SWF file can access the loaded content with the same access as if it were loaded from the domain of the loading file.

* Access to sound data: ActionScript 3.0 provides greater access to the data in loaded sound (MP3) files, such as sound spectrum data. Cross-domain access to this data is controlled via cross-domain policy files.

* Better default location for cross-domain policy files: In ActionScript 3.0, the default source for a cross-domain policy file pertaining to socket connections is the same port as the socket (rather than an HTTP server).

* Restricted access to media data originating from RTMP servers: Flash Player 9 cannot access video data or sound spectrum data for media loaded from RTMP (Flash Media Server) sources, although it can display and play video and sounds loaded from these servers.

* Improved scope of permission mechanisms: Flash Player 9 provides more specific control when using the Security.allowDomain() and Security.exactSettings APIs than was available in previous versions. In Flash Player 9, using these APIs applies only to the SWF file that calls them, not to other SWF files from the same domain.

* The allowNetworking flag: A new HTML setting provides greater control of networking capabilities of SWF files.
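Several of the bullets above turn on cross-domain policy files: the one checked for import loading, the one that gates access to sound data, and the socket policy that Flash Player 9 now looks for on the socket's own port rather than on an HTTP server. The following is an added example written for this post, not code from Adobe, the whitepaper, or the Flash Player itself; the sample policy, the host names and every helper function are constructed for illustration. It parses a policy document, decides whether a requesting host and port would be granted access, flags grants that are broader than one origin or port, and plays the server side of the same-port `<policy-file-request/>` handshake.

```python
import xml.etree.ElementTree as ET

# The player's same-port socket policy handshake: the first bytes it sends on a
# fresh connection are this NUL-terminated request, and it expects the policy
# XML followed by a NUL byte in reply.
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed sample policy (not taken from the page): hosts under example.com
# may reach ports 8080-8090, and one partner host may reach 8443.
SAMPLE_POLICY = (
    '<cross-domain-policy>'
    '  <allow-access-from domain="*.example.com" to-ports="8080-8090"/>'
    '  <allow-access-from domain="partner.test" to-ports="8443"/>'
    '</cross-domain-policy>'
)


def _parse_ports(spec):
    """'8080,9000-9010' -> {8080, 9000, ..., 9010}; '*' or absent -> None (any port)."""
    if spec is None or spec.strip() == "*":
        return None
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_policy(xml_text):
    """Return [(domain_pattern, allowed_ports_or_None), ...] from a policy document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain")
        if not domain:
            raise ValueError("allow-access-from element without a domain attribute")
        rules.append((domain, _parse_ports(el.get("to-ports"))))
    return rules


def domain_matches(pattern, host):
    """Wildcard semantics modelled here: '*' matches every host; '*.example.com'
    matches example.com and any subdomain; anything else is an exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(rules, host, port):
    """True if some rule grants the requesting host access to the given port."""
    return any(domain_matches(d, host) and (ports is None or port in ports)
               for d, ports in rules)


def audit(rules):
    """Return findings for grants broader than a single origin or a named port set."""
    findings = []
    for d, ports in rules:
        if d == "*":
            findings.append("domain='*' lets a SWF served from any host connect")
        if ports is None:
            findings.append("rule for %s has no port restriction (to-ports '*' or absent)" % d)
    return findings


def respond(first_bytes, policy_xml):
    """Server side of the handshake: answer the policy request, otherwise return None
    so the caller treats the bytes as ordinary application traffic."""
    if first_bytes != POLICY_REQUEST:
        return None
    return policy_xml.encode("utf-8") + b"\x00"


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for host, port in (("app.example.com", 8085), ("evil.test", 8080)):
        print(host, port, "allowed" if is_allowed(rules, host, port) else "denied")
    print("findings:", audit(rules) or "none")
```

The audit step is the part a server operator most wants: a policy with `domain="*"` or no `to-ports` restriction extends the same-origin relaxation to every SWF on the web, which is exactly the exposure the whitepaper's per-domain controls are meant to limit.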

32 Responses to New security whitepaper for Flash Player 9 available

  1. Alex says:

    Hi, does any of the above mean that (unlike with Flash 8) local content can call JavaScript in the page holding it without the user having to go to the global settings manager (on Adobe's site)?
    I'm thinking mainly CD content, where you need the Flash to talk to the JavaScript in the page holding it. The user often doesn't have a net connection so can't set those permissions, and this crippled a lot of people's work to date (especially people distributing learning content).
    Ta,
    Alex

  2. givré says:

    Hi, all that is great, but any news about the release of Flash 9 for Linux?

  3. emmy says:

    Alex,
    The Flash Player 9 security model builds on the model we implemented in v8. So the local file security sandbox and rules still apply.
    For content that is installed or run locally, we created the Local Content Updater tool, and you can also use trust files to set these settings on your user's behalf as part of the install process. These details are covered in the Dev Center in the Flash Player 8 security article, and in the documentation.
    Useful links:
    http://www.adobe.com/go/1165eb90
    http://livedocs.macromedia.com/flash/8/main/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001609.html
    http://www/devnet/flash/articles/fplayer8_security_04.html
    best,
    e

  4. Alex says:

    Thanks for the reply... Sadly that means a lot of broken content still :-(
    The CDs have to work standalone, no install, no net connection (it's very common practice... the CD is intended for those without access to the web, and they were made well before the new security model). Really they are just HTML pages with Flash movies in them, and need JavaScript for certain bits and pieces (most learning content does!). When run from a CD they just won't work now, not unless the user decides (and is able) to set the whole CD drive as trusted in the security manager... most people (probably rightly) don't want to assume that *everything* they ever put in their CD player is safe, so really it's not a good option, yet without it, nada.
    I was hoping something had been done about this (as were a lot of people; I think franto had a huge long blog on it). I never did see the problem with local-only Flash movies connecting to JavaScript in the page that holds them!
    Anyway, thanks again, looks like we still have a problem 🙁

  5. Mike says:

    Hey, whatever happened to that long-promised 8.5 player for Linux? You had some great reasons why it’s been delayed, which as I recall you listed in _February_. Well, it’s July, a lot of sites are using Flash 8, and we’re stuck fuming. An update would be extremely welcome.

  6. emmy says:

    Hi Mike,
    Please see my other blog posts. I have made at least two posts with Linux info since then.
    Best,
    E

  7. slugicide says:

    Posting with Linux info is no substitute for actually offering a Linux-compatible product. Don’t mean to be a troll…

  8. steph says:

    To those trolls who keep bugging Emmy about the Linux player.. are you too dumb or just too lazy to actually read past the first few lines of any page?
    If you had bothered to read down to a few posts ago on her homepage (and actually read the post instead of just the headline) then you would see that there is a whole blog just about the Linux Flash player:
    http://blogs.adobe.com/penguin.swf/
    Come on.. you are really making Linux users sound stupid and petty..

  9. Mark says:

    Emily,
    Thanks for your blog. I was reading through the documentation and I'm confused about the domain of origin. It seems like the domain of origin is the URL in the browser, and not the domain from which the Flash player is initially loaded. So if my web page is a.com and I want to load a cool Flash widget from b.com, it seems like this will be restricted by default. As opposed to being able to load from b.com and not have it then load additional content from c.com. Is that right? This seems unsafe because, as noted in the security whitepaper, domains can be spoofed so only HTTPS is secure, but many sites on the web just use HTTP.
    –Mark

  10. mehul says:

    Hi Emily,
    I am stuck at one problem in my project. I have used a rich text editor in my mail application. It works fine on screen, but when I send email using the RTE, the font in my Outlook comes in a big size. The font settings coming from the RTE are something like size="12"; now all HTML viewers recognise this as a big font size...
    Can you please help??
    tx,
    mehul

  11. David Jumeau says:

    Emmy,
    The Flash security white paper mentions FlashPlayer.autoUpdate. Is this ActionScript that would prevent my Flash player from updating the current Flash player? It's because the app that I am creating is enterprise-wide and my client gets the autoupdate box and requests that I prevent it from displaying. Can I do it via ActionScript or via JavaScript?
    I know that using mms.cfg would do the trick on a user's machine, but I can't request this because it has to involve enterprise-wide changes. My client's IT department is updating to Flash 8 in September.
    Thx,
    David

  12. John Gildred says:

    We are working on a port of Mozilla to an embedded target (TV) using DirectFB as the graphics system without any X dependencies. Are you planning on having Flash 9 for Linux work without X (say using DirectFB) or just the Linux frame buffer device? We would be happy to help with integration for our build if so.

  13. Tushar says:

    Hi Emmy,I was wondering if you had any statistics, or projections based on past statistics, in terms of what you think the Flash 8 penetration will be by October 2006? Or at least what it is as of July 2006? I’m working with a team that is about to begin building a flash application – we would love to build it in Flash 8, but would need 90% market penetration by October in order to do that. Thanks.

  14. mehul says:

    Hi Emmy,
    I have a query here. I have completed my project in Flex 2 and it's working fine in all browsers. Except in IE 7 (above and beta 2) it's not showing my movie. It doesn't even start express install. When I went to the Adobe website, it didn't install Flash player either. I am stopped at this point on my project delivery now.
    Can you please guide??
    Thanks
    Mehul

  15. Steve says:

    IMO Macromedia-dobe implemented the security sandbox backwards. You should have automatically created the trusts for CD-ROM drives and given instructions for IT folks who cared to lock things down further to remove it. As it is now, we have things breaking all over the place. True it is easy to fix (for those who can follow instructions), but it really gives Flash a black eye and many customers don’t get it — get it, customers don’t understand why the security settings are affecting their content, so why do it in the first place?? Some customers are giving me the impression that they will NEVER use Flash in their projects again. It baffles me why the measures were necessary in the first place. BAD move, bad decision, bad period. Does anyone at Adobe understand how this is impacting their FIRST tier paying customers (the ones who actually buy the products, not the ones who download the player for free)?? I was hoping it would be remedied in the next player version. No one seems to have noticed the impact of the mistake…

  16. Bob says:

    Where is the Linux flash player 8 or 9? There’s no reason to create content in a proprietary format that only a couple OSs can read, no matter what security enhancements there are.

  17. senthil says:

    good

  18. hads says:

    find backward links yahoo pool games

  19. Sudhi says:

    I have one SWF file which is placed on http://www.a.com
    What all I want is this SWF to play local files, i.e. C:\a.flv
    There was no problem with Flash 8 playing local files even if I access http://www.a.com/a.swf
    But in Flash 9 the local file is not playing. How can I solve this problem? I know the path on the local system of my users and I want to play them in my SWF which is on the net.
    Thanks
    Sudhi

  20. Sudhi says:

    How can a remote SWF file (downloaded from the internet) play a local FLV file in the browser, i.e. local file is c:\test.flv?
    In Flash 8, it automatically plays the local file, but in Flash 9, it does not.
    Please throw some light on it.
    Thanks
    Sudhi

  21. aspar says:

    I use free Flash software to create my site because I can't afford Flash 8 (I only use Dreamweaver 8; my friend bought this soft for me) and now we can't play any movie after installing Flash player 9. What should we do? Pls anyone help us.

  22. Dan Oja says:

    I'd just like to add my comment on the significance of the problems running local Flash content from CD.
    That seems to have been a huge mistake on the part of Macromedia. Macromedia either doesn't understand the importance of local content or doesn't care.
    We have decided that the only safe response for us is to drop Flash from our future projects.
    We have one project underway that will use a mix of Flash and our proprietary animation format. We have another project that is almost done that will use only our proprietary format. After that, we'll be entirely Flash-free.
    Goodbye Macromedia, goodbye Flash problems...

  23. Crirus says:

    Hello
    I am having some issues with playing FLV with a custom player made by me.
    All works well in IE and Firefox if I am on the server machine.
    However, Firefox refuses to show image and sound if I load the page from a different machine.
    Can anyone suggest something to me to troubleshoot this? Please email.
    Thank you
    Cristian

  24. caleb brown says:

    I have been having the same issues with playing a user’s local flv file through a browser after the release of fp9. I realize this is an addition to the security model, but is there any work around (i.e. through the settings manager) that will allow a user to allow access to their local file?Also, if there is not a workaround, is there a security error when an application tries to access a file on a user’s local disk? Currently I receive no errors when using the NetConnection.Connect method–I actually receive a NetConnection.Connect.Success status.Thank you for any further information on this.

  25. david says:

    I have the same problem, so if someone finds the solution, please let me know.
    thanks
    email: david·xtragames.com

  26. fourberon says:

    I'm trying to make the following stuff work (do not care about the exact syntax):
    toto:Sound = new Sound("http://XXX:8080/radiolib")
    toto.streaming = true;
    toto.start();
    I use:
    my machine: Win XP SP2 + Firefox => ok
    other machine: Win XP SP2 + IE 6 => ok
    my machine: Win XP SP2 + IE 7 => doesn't work.
    Any idea?

  27. Sreenivas says:

    We are working on a port of Mozilla to an embedded target (TV) using DirectFB as the graphics system without any X dependencies. Are you planning on having Flash 9 for Linux work without X (say using DirectFB) or just the Linux frame buffer device?
    Are there any updates about this?

  28. dev_seeking_flash_alt says:

    Looks like this thread is dead, but I need to vent... Adobe's failure to provide a USEFUL means for distribution of CD-based Flash/HTML content has been a big mistake.
    WHY ON EARTH is the Settings Manager an ONLINE TOOL?!?!? Bad, bad, bad! Dumb, dumb, dumb! CD distribution of online training serves one purpose... to provide the training to employees who DON'T HAVE CONNECTIVITY!!!
    E-learning as a field is growing like mad, and Flash could own the market if not for this major miscalculation.
    For my part, I am preparing to retool our company's entire courseware model, and was ready to specify Flash as the central component in the technology... but if it won't support CD distribution, then I can't use it at all.
    Too bad. Adios Flash.

  29. dash riprock says:

    I absolutely and exactly echo Sreenivas' comments about distributing e-learning on CD and having those ridiculous security problems.
    Ditto for the Settings Manager being an online tool. THAT’S WHY WE SEND A CD—THE USER DOESN’T HAVE INTERNET ACCESS! ! !
    We are absolutely stuck trying to provide HTML/Flash training content to our employees in the field, who don't have network access to our online HTML/Flash training.
    RIDICULOUS, ADOBE ! ! ! FIX IT ! ! !

  30. Dan V says:

    More about accessing local CD content -
    Dear Macromedia -
    Just in case you think people have got sick of complaining about this, we haven't. It's got to be the biggest problem facing a Flash developer today. Why don't you even address the issue except to say 'the sandbox remains'? What are you so scared of that you can't find a workaround so that Flash is functional on CD by default?
    There seem to be 3 options and none of them are acceptable.
    1) change the security settings online (WHY can't this be made possible offline???)
    2) add a trust file not knowing for sure the drive letter or the username in the mydocs folder
    3) use a projector which can't embed in an HTML page.
    Great. :-(
    Best option - Find an alternative to Flash
    Not Happy - D.V.