This article is Part 3 of 5. Please read Part 1 if you have not done so already.
In Part 2 of this series, I left off with opening the “Ultimate Tourney Guide” from the desktop but mentioned that there were security implications. This article discusses the new Acrobat 9 security model and its impact on the “Ultimate Tourney Guide” project.
Accessing External Data when Opening PDF files from the Desktop:
If the PDF file requesting the data is in the same domain as the server that is supplying the data, everything just works as you would expect. When you first opened the Ultimate Tourney Guide through the browser, this was true. But, because we wanted people to have the PDF file as a resource that sits on their desktop, we had to consider what we needed to do on the server to accommodate this. To create the “Ultimate Tourney Guide“, we used SWF applications to aggregate several RSS feeds and display the Team Videos, Headlines, Live Bracket and Polls. These applications were embedded in the PDF file using the new Rich Media Annotations.
Overview of the new Multimedia capabilities in Adobe Acrobat 9:
The new Rich Media Annotations (RMAs) in Acrobat 9 allow authors to embed video, audio, and SWF content for playback in a PDF document. Almost any multimedia format supported by the Flash Player runtime can be embedded and played back natively in a PDF document.
- Video – Using Acrobat Pro, FLV and H.264 files can be embedded or streamed for playback. Acrobat Pro Extended also provides capabilities for transcoding other video formats to FLV format.
- Audio – MP3 and AAC files can be embedded for direct playback
- Animations and Applications – SWF content can be embedded including all required resources and FlashVars
Multimedia and the new Security Model:
The Security Model for our version 9 viewers has been greatly improved to make your browsing experience more safe and secure. Embedding the Flash Player in Acrobat 9 and Reader 9 rather than relying on APIs to access the external desktop Flash Player helps us accomplish this because the PDF file and the multimedia content can be located in the same file and all the playback occurs within a single application. In this security model, the PDF file itself is considered a domain, any content that is accessed by the file that is within the file is allowed to happen without a security warning.
However, when a PDF file is opened from the desktop, any access to the web requires that a “*” crossdomain.xml policy file be on the server for Acrobat or Reader to be permitted access to the data. This is because any URL is considered an outside domain even if the PDF file was downloaded from that domain. We had to add a crossdomain.xml policy file to each URL that the PDF file needed to access.
The Technical White Paper “Security for Flash Player compatible content in Acrobat 9” describes quite a few additional security restrictions for SWFs hosted in Acrobat. For example, access to the local file system is not allowed and SharedObjects are not allowed for SWFs hosted inside Acrobat. Trying to create a shared object from a SWF in Acrobat would result in a runtime error. So, if you are a Flash or Flex developer, be sure to download and read that White Paper.