Flash Security

blackshirt Registered Users Posts: 4 Beginner grinner
I am using PHPSmug in conjunction with Flash to create my own custom portfolio for a client. PHPSmug is used to return XML data that the Flash then parses. It works locally in the dev environment flawlessly. When uploaded to the site, my Flash application turns up all white images. I tested this by trying to loadClip other images from various non-SmugMug servers, and the same occurred. This is some sort of security issue in place by Flash. But with other Flash applications for Flickr as well as NASMU, there must be some way around this.

Will the sandboxed parameter help me in this matter? I've tried manually placing http://api.smugmug.com/photos/*.jpg into the XML and it still returned a white image. I know that you have a cross-domain XML policy file there and have seen it, so this makes me think your sandboxed parameter might not be helpful. I would like to give it a shot if you're willing to help.

Any other suggestions would be good too. Thanks.

Comments

  • beacazil Registered Users Posts: 25 Big grins
    edited December 6, 2008
    blackshirt wrote:
    ...
    Will the sandboxed parameter help me in this matter? I've tried manually placing http://api.smugmug.com/photos/*.jpg into the XML and it still returned a white image. I know that you have a cross-domain XML policy file there and have seen it, so this makes me think your sandboxed parameter might not be helpful. I would like to give it a shot if you're willing to help.
    ...

    The sandbox parameter definitely helps so that the API rewrites the URLs for you. During application startup you can point the Flash application explicitly to the crossdomain.xml files instead of depending on the automatic discovery:
    ...
    // Somewhere in your startup code before you access images
    InitializeCrossDomainSettings( "api.smugmug.com", "http://api.smugmug.com/crossdomain.xml" );
    InitializeCrossDomainSettings( "photos.smugmug.com", "http://photos.smugmug.com/crossdomain.xml" );
    ...
    

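    And here is the code for the function.
    import flash.system.Security; // at the top of the class file

    public function InitializeCrossDomainSettings( domain:String, file:String ):void
    {
        // Lets SWFs served from `domain` script this SWF.
        Security.allowDomain( domain );
        // Fetches the policy file that grants this SWF access to data on that host.
        Security.loadPolicyFile( file );
    }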
    

    Hope that helped.
    Jürgen
  • blackshirt Registered Users Posts: 4 Beginner grinner
    edited December 11, 2008
    Still no luck.
    beacazil wrote:
    The sandbox parameter definitely helps so that the API rewrites the URLs for you. During application startup you can point the Flash application explicitly to the crossdomain.xml files instead of depending on the automatic discovery:
    ...
    // Somewhere in your startup code before you access images
    InitializeCrossDomainSettings( "api.smugmug.com", "http://api.smugmug.com/crossdomain.xml" );
    InitializeCrossDomainSettings( "photos.smugmug.com", "http://photos.smugmug.com/crossdomain.xml" );
    ...
    

    And here is the code for the function.
    public function InitializeCrossDomainSettings( domain:String, file:String ):void
    {
        Security.allowDomain( domain );
        Security.loadPolicyFile( file );
    }
    

    Hope that helped.
    Jürgen

    Jürgen, Thanks a bunch for getting back to me.

    I inserted this into my code and ensured it was pulling the images from api.smugmug.com, but it still pulls up white images for my routine. However, what is weird is that if I make a blank movieclip and just explicitly make a call to "loadClip(smugmugphoto, blank movieclip)" it will load without a problem.

    Now what I need to work doesn't. My routine runs through an arbitrary amount of XML code (created by a phpSmug script I wrote), parses the data and creates empty movie clips for each gallery found, and loads the first image in the gallery as the thumbnail. This however doesn't work and gives me white images, yet it works in my Flash CS3 environment without a hitch.

    Weird.
  • beacazil Registered Users Posts: 25 Big grins
    edited December 11, 2008
    blackshirt wrote:

    This however doesn't work and gives me white images, yet it works in my Flash CS3 environment without a hitch.
    The development environments (we use FlexBuilder as we work exclusively in ActionScript, but the same is true for Flash CS3) have relaxed sandbox rules. So it is not surprising that something works great in the development environment. Once you deploy to a server and use non-debugger versions of FlashPlayer, all sandbox rules are enforced.

    Do you know exactly what goes wrong? Is it a sandbox violation, or does the SmugMug server refuse to serve the image? Are the images you want to access public, or are they part of a private user environment?

    You may want to make sure that the browser that executes your Flash code provides an active session id with permission to access the images when it tries to retrieve the images. That is done by the SMESS cookie.

    Who performs the login API call in your case, the PHP code on the server or the Flash code on the client?

    Jürgen
  • blackshirt Registered Users Posts: 4 Beginner grinner
    edited December 11, 2008
    Fixed!
    beacazil wrote:
    The development environments (we use FlexBuilder as we work exclusively in ActionScript, but the same is true for Flash CS3) have relaxed sandbox rules. So it is not surprising that something works great in the development environment. Once you deploy to a server and use non-debugger versions of FlashPlayer, all sandbox rules are enforced.

    Do you know exactly what goes wrong? Is it a sandbox violation, or does the SmugMug server refuse to serve the image? Are the images you want to access public, or are they part of a private user environment?

    You may want to make sure that the browser that executes your Flash code provides an active session id with permission to access the images when it tries to retrieve the images. That is done by the SMESS cookie.

    Who performs the login API call in your case, the PHP code on the server or the Flash code on the client?

    Jürgen

    I have fixed the issue. Thank you both for your responses. I understood the security differences in the Dev environment as opposed to Network Environment.

    I was missing one line of code that was causing the problems. The cross-domain policy was definitely a factor.

    Code (snipped for briefness) before:
    InitializeCrossDomainSettings( "photos.smugmug.com", "http://photos.smugmug.com/crossdomain.xml" );
    function InitializeCrossDomainSettings( domain, file )
    {
        Security.allowDomain(domain);
        Security.loadPolicyFile(file);
    }
    var newLoad:MovieClip = this.createEmptyMovieClip("artLoad" + num, this.getNextHighestDepth());
    mArray.push(newLoad);
    newLoad.createEmptyMovieClip("art",newLoad.getNextHighestDepth());
    var artLoader:MovieClipLoader = new MovieClipLoader();
    artLoader.addListener(mc);
    //Where Smugmug images are actually loaded
    artLoader.loadClip(infostruc[num].art,newLoad.art);
    

    I added the following before loading the images:
    artLoader.checkPolicyFile = true;
    

    And presto.

    Thanks guys.
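
The thread turns on whether the image host's crossdomain.xml grants access to the domain serving the SWF. As an added example (not code from the thread or from SmugMug), this Python sketch parses a policy file and answers that question, and also lists over-broad grants. The sample policy and host names are constructed, and the suffix-wildcard matching rule is an assumption about how the policy format's `*.` prefix is interpreted.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration; not SmugMug's actual crossdomain.xml.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="portfolio.example.com"/>
  <allow-access-from domain="*.partner.example.net"/>
</cross-domain-policy>"""

def _matches(pattern, host):
    """Match one allow-access-from domain value against a requesting host."""
    pattern, host = pattern.strip().lower(), host.strip().lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: a wildcard prefix grants any host ending in the suffix.
        return host.endswith(pattern[1:])
    return host == pattern  # an exact entry does not cover subdomains

def granted_domains(policy_xml):
    """Return the domain attribute of every allow-access-from element."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [el.get("domain", "") for el in root.iter("allow-access-from")]

def policy_allows(policy_xml, swf_host):
    """True if the host serving the SWF is granted access by the policy."""
    return any(_matches(p, swf_host) for p in granted_domains(policy_xml))

def audit(policy_xml):
    """Return findings for grants broader than a single named host."""
    findings = []
    for pattern in (p.strip() for p in granted_domains(policy_xml)):
        if pattern == "*":
            findings.append("any domain may read responses from this host")
        elif pattern.startswith("*."):
            findings.append("every subdomain of %s is trusted" % pattern[2:])
    return findings
```

Run `policy_allows` with the host name your SWF is deployed on; a `False` result for a host that works in the authoring tool matches the behaviour described in the thread, where sandbox rules are only enforced after deployment.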