Flash Player 9 April 2008 Security Update affects me too


So here I was, thinking that the Flash Player 9 security update (version 9.0.124) wasn’t going to affect me. A silly assumption, of course—I should have tested with the beta, regardless—but since I didn’t do anything fancy with sockets or web services, I thought I would be fine.

Ha!

I missed this section: “You have SWFs that are exported for Flash Player 7 (SWF7) or earlier that communicate with the hosting HTML by any means”.

And when they say “any means,” that includes LoadVars.send(), which I am using, in a SWF that is hosted on a different subdomain than the page which contains it (petswf.bunnyherolabs.com vs bunnyherolabs.com).

Luckily, the fix was simple: I just had to add the parameter allowScriptAccess = "always" to the embed tag. Phew!

Next time I see one of these announcements, I promise I will test it, even if I don’t think it applies to me ;)

Information and Links

Join the fray by commenting, tracking what others have to say, or linking to it from your blog.

Information
April 11th, 2008
2 Responses
Feeds and Links
Comment Feed
From This Author
Del.icio.us
Digg
Technorati
Categories and Tags
Flash
Security

Other Posts
Weird query string variable behaviour (ActionScript 2)
Virtual Worlds

Write a Comment

Take a moment to comment and tell us what you think. Some basic HTML is allowed for formatting.

Reader Comments

Comment Number:
1
Written by:
Jason Lowe
Posted on:
2008 May 8 at 12:06 am

I tried your suggestion but couldn’t get it working. In my SWF I’m calling loadvars but sending the request to another IP address (ie, not were the original SWF came from)

What was your situation exactly?

Thanks!!

Comment Number:
2
Written by:
bunnyhero
Posted on:
2008 May 8 at 1:25 am

Hey Jason,

My SWF is a simple form, hosted on petswf.bunnyherolabs.com. When the user clicks on the submit button, the SWF does a LoadVars.send() to a URL on bunnyherolabs.com (different domain).

During troubleshooting, I also added crossdomain.xml files to both petswf… and bunnyherolabs.com. I didn’t remove them after I got it working, so I don’t know if it was necessary or not. Perhaps it is? Try adding a crossdomain.xml to the destination of the LoadVars.

And I just now found this article, which I wish I had read when I first encountered the problem! It shows you how to turn on “policy file logging” in the debug version of the Flash Player.