New Flash 8 Player Security Whitepapers

Hot off the presses:

36 Responses to New Flash 8 Player Security Whitepapers

  1. jim says:

    I am always excited about a new flash products and this one is no doubt going to be awsome.

  2. Bob Ippolito says:

    You mean this kind of awesome?Sweet, the Flash 8 player security model breaks my content that was published for an earlier version of Flash, so I have to republish everything!

  3. D says:

    Bob’s got a point. Especially the Network access warning. It makes no sense to the end user that their application will throw out this warning and then be forced to restart. Perhaps a reason to encourage people not to upgrade?

  4. Free players to consumers must force developers to upgrade to update sites to 8??? Good business strategy! Will older Flash 4-6 items no longer play?

  5. Anonymous says:

    The internet changes rapidly and it is thanks to hackers that we have to lock all our ports, install firewalls etc.. So we cannot expect macromedia just to sit there, waiting until disasters happen.They have to make sure that Flash is safe.If that means that some sites have to be republished, that is a small price to pay and you can charge your clients for it, isn’t?Look at the bright side: I would love to republish the sites I made, it’s easy money πŸ™‚

  6. Jonathan Howe says:

    I’m having trouble sorting through the Whitepaper. How would a simple call to Javascript from a swf in an HTML page. The most common I can think of is a close window button where you get:getURL(“javascript:window.close()”);How would this be handled?I tried adding the allowScriptAccess=always parameter to the HTML file that hosts my swf, but to no avail. Flash Player 8 says that the Flash Player 7 content is attempting an illegal operation by calling javascript:window.close().Is this what the talk about needing to republish means? Would this call work if I could publish as Flash Player 7?

  7. Anonymous says:

    “Look at the bright side: I would love to republish the sites I made, it’s easy money :-)”Remind me never to hire you jefferis

  8. sam says:

    This is a VERY bad mistake on behalf of macromedia. I am busily UNINSTALLING flash player 8 as we speak. We can not even access things accross our own private network. Whats more the mothods that MM have used to deploy this security fix wreak of marketing ploys.MM will lose thousands over this. Bad timming when the AJAX, MOBILE content wars are just hotting up !

  9. Kevin Siegel says:

    We are creating Macromedia Captivate movies that use the Close Window JS. A client tells me that the script does not close their movies. Works fine on my systems and others. I suspect it’s the Flash Player 8. Any ideas?

  10. Doug says:

    Re. all the above comment, I’m given to understand that the newly created security restrictions surrounding the getURL and fscommand javascript interface do not apply when you’re dealing with content all at the same http:site providing you access the comntent via an http call.However, they do apply when you’re trying to burn your content – the same content!!- to CD ROM. We have a product that works perfectly well in Flash 7 that uses both fs command and getURL to interface with javascript in the html pages in which the swfs are placed.The content is started with a local path call to an htm page.You change the flash player over and bingo NOTHING happens. Unless of course you go to the Security Settings panel over the web and ratify your CD path as a trusted site. How am I supposed to do that for every user of my CD ROM??? Especially when they’re not likely to have internet access? Is there any way to do this with a script/automatically OR any other way to get fscommand/geturl working again for local content.Any insight with regard to this would be much appreciated.

  11. mike says:

    I’m with Doug on this – we are just finding out that *thousands* of our elearning CD’s no longer work – this is our prime business – and clients can no longer use them!Surely Macromedia must have forseen this? This is a very common use of flash – html/flash/javascript on a CD – how could you now completely cripple *all* previous output from anyone using your products before flash 8??Most of our clients would never dream of altering security settings in the way required – and most would not know where to begin. And of course the reason they bought the CD is the don’t have internet access in the first place – so how can they chnage the settings??Macromedia has recommended using javascript to communicate with flash movies for *years* – you even have integration kits! And you go on about backward compatible and testing older movies in new players to make sure they work – if not submit a bug – well then – this is a *huge* bug as non of our output works anymore – non of it!!Please tell me you have realised the *huge* mistake you have made and are working on fixing it?! I have been an advocate of flash since version 3 – it is primarily down to me that our entire companies output has been in flash for the last 6 years – so now what the hell am I meant to do??

  12. shaf cangil says:

    getURL() accessing javascript embedded in html page defunct.loadnumbersvar accessing php for registration of passwords defunctcdrom access to games defunctshared object retrieval defunct. many thanks macromedia and hackers alike.Whatever we say makes no odds. We as developers have to change and redevelope our work losing time we can never get back, money we will never make and faith in a product we were familiar with like a soft pair of slippers (bit worn around the edges and not perfect but made our lives easier and we really liked them)I sympathise with Doug as i am an e-learning developer for dyslexics but I am a one woman show that has had to start again with software that i had already promised to give away free copies of but now cant even do that.All I can do is bleat for help and that makes me sick.What happens now?

  13. sergio says:

    This is really unacceptable. I have been developing sites in html+flash with extensive use of geturl to call javascript functions. Very often the customer asks for a cdrom version of their site. Now you are telling me I can not use flash+html for cd rom development… I have been a great advocate of flash development in my company… now I feel ashamed and am so disappointed at macromedia…

  14. Mike says:

    We, the whole group, will stop using Flash because of this so called security change.

  15. GB says:

    Did any of you actually read the Flash 8 help page on getURL()?For one, the behaviour does not change when publishing Flash 7 .swf files. Did you try that? Using Flash 8, publish your original flash 7 movie as flash 7 output – getURL works fine on the Flash 8 player. There are no backward compatibility problems.Secondly, and as clearly stated in the front part of the getURL help, all you need to do is specify an HTML parameter to set the desired security settings in a *Flash 8* movie :(I paste it here)———————–Web pages that host Flash content must explicitly set the allowScriptAccess attribute to allow or deny scripting for the Flash Player from the HTML code (in the PARAM tag for Internet Explorer or the EMBED tag for Netscape Navigator):- When allowScriptAccess is “never”, outbound scripting always fails.- When allowScriptAccess is “always”, outbound scripting always succeeds.- When allowScriptAccess is “sameDomain” (supported by SWF files starting with version 8 ), outbound scripting is allowed if the SWF file is from the same domain as the hosting web page.- If allowScriptAccess is not specified by an HTML page, the default value is “sameDomain” for version 8 SWF files, and the default value is “always” for earlier version SWF files.—————————just set it to “always” … and it works fine people. cmon – get a grip.people feeling sick, ashamed, crippled and all those other extremes mentioned above … well… you should just feel a little stupid.herd mentality I guess. LOL.

  16. Anon says:

    read the above comments again, carefully GB… getURL doesn’t work when calling JSgetURL, calling a page statically, works fine… but not when calling Javascript.

  17. Niksu says:

    Hei Mike.why not give us a set of files wherecalling javascript with getURL WORKS WHENVIEWING THE PAGE LOCALLY.Before you start accusing everyone as being stupid herd people, you should give us proof that thesething you mentioned ACTUALLY WORKS.i for one have tried all the thing you succested and still no functionality. you should feed stupid…..

  18. niksu says:

    and another thing Mike, not ever the Macromedia examples of using getURL(“javascript:somefunction()”) are not working when using flash player 8 locally, i would call that a backwards compatibility is it that not even you seem to know about this, and if this really is solvable somehow, then where is the exact intructions on how to get it to work ?????????

  19. niksu says:

    To clarify the problem ….When i try to look content done with flash 2004, published as flash 7 by using flash 8 player i get this on many of our client machines. (when viewing content locally) as a dialog box… >Macromedia Flash Player has stopped a potentially unsafe operation.The following local application on your computer or network:URL OF THE FLA HERE….is trying to communicate with this Internet-enabled location:URL OF THE HTML-PAGE HERE …..To let this application communicate with the Internet, click Settings.You must restart the application after changing your settings.OK Settings buttons.Usually the client cant do anything at this stage, since they either 1. do not understand english language (you, there are other languages in the planet) 2. do not have the skills to change the settings. 3. do not have internet connection to change all the settings ?Since this is content that has never been in the flash 8 authoring environment, how can you say tha t there is no backwards compatibility issues ??I notices that when i re-installed the player just a few minutes ago, the content worked just fine.I wonder if this is a problem that has been fixed just resently, and a lot of our customers have the old default-settings on theyr players ?Information would be nice for developers, but in the macromedia fashion “there is no problems :(“- method is used.

  20. niksu says:

    it seems that those stupid comments were not made by mike, so sorry. (one with the egg in the face πŸ™‚ )But this still needs some change at least in the following versions of flash 8.To GB, you seem to be a script-kiddie so i will not waste my time anymore…..

  21. Nakke says:

    i get the same errors as niksu mentioned, it can be changed from the global settings but since that is in the internet and cannot be done in machines without internet connection, i see many problems for off-line flash courses…..

  22. phreditor says:

    I have only been looking at this for a few hours, but it doesn’t look good. The flip “herd mentality” comments of the poster above are ill-informed — nothing looks worse than telling everyone else they are stupid when you have no idea what you are talking about.1.) content built with past players now fails under 8 when run locally. This is indisputable.2.) failure occurs regqardless of whether or not the flash accesses the internet!!! Also indisputable.3.) forcing you to go to THEIR site to change settings in YOUR browser is very aggravating at a minimum, and totally unworkable for most people affected at worst. What possible reason can MM have for this absurd idea? It shows either a total misunderstanding of their user base, or a total lack of respect.Macromedia should immediately:1.) Update the player to automatically “allow” all local directories. It is absurd to require permissions to run a local application.2.) Integrate the global permissions settings thing with the player, so you can configure your computer without having to ping MM’s site.3.) Fire the short-sided designer of this absurd, expensive and inconvenient implementation.Is the attitude being exhibited here “hey, there is no alternative, so it’s their problem not ours.”This is the most ham-handed update since the Apple QuickTime fiasco of the late 90’s in which you couldn’t run QT without getting an “upgrade to Pro” ad. With the new features, it is a shame that the biggest buzz about this release is how horribly it messed everyone up. I thought Adobe bought them, not microsoft.Phreditor

  23. Anon says:

    “herd mentality I guess. LOL.”Whats with ethe arrogance, GB ?

  24. E-wreck says:

    I might be wrong, but I thinnk you need to create an installer that installs a config file in a specific location on the user’s computer.In this config file you need to enter the path of the swf file on the CD.(You need to write all the possible paths where the CD could be located on the user’s computer since on a Windows computer the drive letters for the CD Rom drive are not always the same, depending on how the system is set up.)Your installer needs to install this config file in the location that is mentioned in the link that we sent you already.Also read the information in the chapter ‘FlashPlayerTrust configuration files’ at:

  25. Mark G says:

    My flash 8 animation works perfectly in mozilla firefox but only partially displays in Internet explorer, and sometimes not at all. Any suggestions? Thanks

  26. Kevin says:

    I’ve been experiencing the same dilemma as other people on this subject (I develop e-learning applications distributed on CD-Rom).As the security measures arrived without warning (thanks macromedia) – I immediately created a ‘walkthrough’ guide for our users (Helpdesk where getting too many calls). This will not help our offline user base of course, so for our next shipment I need to work on an installer.One trick I’d already implemented was coding a quick test on an FSCommand() to set a boolean value true (if security restricts, the test variable, set with a javascript setVariable() method) – else the test remains false, in which case I have a movieclip set _visible to true (this movie clip is a simple “Flash 8 Security Restriction” graphic with an ‘Enable’ button).Anyway – I’m at the point where I can succesfully detect if our users are going to be able to run or not run local content – and at present, if they are unable to run local content, I simply use a getURL() to open an HTML walkthrough page with links to the Global Security Settings page. However, it would be much better if I could allow my detection function to launch an installer which simply writes the cfg file to the Flash Player directory(? am I correct in my thinking here).Basically, I’m a middleweight programmer finding myself very confused with the information overload in Macromedia’s Flash 8 Security white paper. Has anybody actually written an installer that does this? Can I write one in actionscript and save it as a projector EXE?Can anybody help?

  27. nate says:

    doesnt setting AllowScriptAccess to “always” allow content built with past players to play locally under player 8? It seems to be working for me.

  28. William Donelson says:

    The ONLY thing I have found to work is to write a config file to the directory …../FlashPlayerTrust/BUT if you are running from a CD-ROM, you have to include that ACTUAL STUPID DRIVE letter in the path. How are you supposed to know WHAT drive letter to use? Type in ALL 26 possibilities?

  29. William Donelson says:

    “…the user has implicitly given their trust…”Some lawyer at Macromedia/Adobe dreamed up this load of crap….…ecurity_04.htmlQuote:When an installer installs SWFs onto a user’s computer, it can install trust configuration files to designate the SWFs as trusted. While this practice does not represent an explicit user decision about each SWF being trusted, the user has implicitly given their trust to the installer program by running itβ€”it is, after all, an executable program.

  30. William Donelson says:

    [b]SOLUTION[/b]For CD-ROMs etcI have created a very flexible FlashPlayerTrust config files installer at Beta – Source Code Included

  31. Don says:

    Macromedia, you stupid wankers!All I wanted to do was link to a word document in the same directory when a button was pushed!! – but Nooooo!Assholes!

  32. Nancy says:

    I have just now encountered this whole issue. There haven’t been any postings on the CDs and the Security issue since June. Has an official fix been developed and made available yet?

  33. SteveLanders says:

    I like the forum tension.

  34. ranga says:

    my swf is published in 8.i viewing in html, on clickingthe exit btn i want to close window.i used getURl(“javascript:window.close();”);but it is not working.but it is working when swf is published in there any solution so that i can publish in 8