

Hello New Flash Player Update, Breaker of Web Sites

Posted March 20, 2008 by senocular

If you haven't yet noticed, in April we're due for a new dot-release of the Flash Player. This update is primarily a security update, which, if you're at all familiar with security, means it's likely to break existing content. And break content it will (big time), unless you developers hurry up and make the necessary changes to your content and servers!
Here is a basic rundown of some of the changes.
  • The HTML parameter allowScriptAccess now defaults to sameDomain for ALL SWFs, not just SWFs published for version 8 and above; older SWFs used to default to always (ho-hum)

  • Custom HTTP headers added from ActionScript now require explicit permission, via an allow-http-request-headers-from element in the target domain's cross-domain policy file, before the request will be sent to another domain (yikes)

  • ALL socket connections (even same-domain) now require a socket-based policy file, served from the target host, in order to stay connected; a policy file fetched over HTTP no longer counts (yowza!)

The socket change is the big one: any socket server that wasn't written to answer the player's policy file request will need to be updated, or the player will drop the connection.
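To show what "answering the policy file request" actually involves, here is a small socket policy server together with the client side of the handshake. This is an added example written for this post, not code from Adobe or from any existing socket server: the player opens a TCP connection (first to port 843, then to the port it really wants), sends `<policy-file-request/>` followed by a NUL byte, and expects the policy XML, also NUL-terminated, back. The domain, port range and the `www.example.com` origin in the policy are assumptions for the example; the request and response framing is the real protocol.

```python
import socket
import socketserver
import threading
from typing import Optional

# Flash Player's socket policy handshake (April 2008 update onward): the player
# connects, sends this request terminated by a NUL byte, and expects a socket
# policy file, also NUL-terminated, in reply before it keeps the real connection.
POLICY_REQUEST = b"<policy-file-request/>\0"

# Constructed example policy. The origin and port range are assumptions for this
# example; a real file lists the SWF origins and ports your server actually serves.
SOCKET_POLICY = b"""<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" to-ports="5000-5010"/>
</cross-domain-policy>
"""

MAX_REQUEST = 1024  # a genuine policy request is far shorter than this


def policy_response(request: bytes) -> Optional[bytes]:
    """Return the NUL-terminated policy for a well-formed request, else None."""
    if request == POLICY_REQUEST:
        return SOCKET_POLICY + b"\0"
    return None


class PolicyHandler(socketserver.BaseRequestHandler):
    """Serves one policy request per connection and then closes it."""

    def handle(self) -> None:
        self.request.settimeout(3.0)  # the player gives up after a few seconds anyway
        buf = b""
        try:
            # Read up to the NUL terminator; the size bound keeps a hostile client
            # from making us buffer unbounded input.
            while b"\0" not in buf and len(buf) < MAX_REQUEST:
                chunk = self.request.recv(256)
                if not chunk:
                    break
                buf += chunk
        except OSError:
            return
        if b"\0" not in buf:
            return  # not a policy request: drop it without answering
        reply = policy_response(buf[: buf.index(b"\0") + 1])
        if reply is not None:
            self.request.sendall(reply)
        # Returning closes the connection; an unanswered request means "denied".


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve_in_background(port: int = 843, host: str = "127.0.0.1") -> PolicyServer:
    """Start the policy server on a daemon thread; port 0 picks a free port for testing."""
    server = PolicyServer((host, port), PolicyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_policy(port: int, request: bytes = POLICY_REQUEST, host: str = "127.0.0.1") -> bytes:
    """Client side of the handshake, as the player performs it; b'' if the server just hangs up."""
    with socket.create_connection((host, port), timeout=3.0) as sock:
        sock.sendall(request)
        data = b""
        while b"\0" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
        return data


if __name__ == "__main__":
    # Port 843 needs root; use 0 here to demonstrate on an unprivileged port.
    srv = serve_in_background(0)
    print(fetch_policy(srv.server_address[1]).decode())
    srv.shutdown()
```

If you can't run anything on port 843, the same handler can be folded into your existing socket server: the player also sends the request to the destination port, so the first bytes received on a new connection should be checked against `POLICY_REQUEST` before the application protocol takes over.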

For more information see Preparing for the Flash Player 9 April 2008 Security Update

But wait! That's not all. I imagine most of you have not read the Security changes in Flash Player 9 article in the Adobe developer center. If you have, you may have noticed yet another cross-domain policy file change that we can expect in the future. That change involves what are known as meta-policies: a policy for policy files. Meta-policies arrived with version 9,0,115,0 of the Flash Player (the current version at the time of this writing), set through the site-control element of your master policy file (crossdomain.xml in the root of the domain). In a later release of the player they will become stricter: the default will change so that no policy file other than the master policy file is honoured unless the master policy file explicitly specifies a meta-policy that permits others. More information on this can be found on the page of the security article covering meta-policies.

Since you'll already be updating your cross-domain policy files for the header change, you might as well update your master policy file with the appropriate meta-policy as well. The following example shows a very permissive (not recommended) policy file with the necessary meta-policy and header definition.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- meta-policy: every policy file on this domain is valid ("master-only" is the safer choice) -->
  <site-control permitted-cross-domain-policies="all"/>
  <!-- SWFs from any domain may load this domain's data -->
  <allow-access-from domain="*" />
  <!-- SWFs from any domain may send any custom header -->
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
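Because both the header change and the coming meta-policy change turn on what your master policy file says, it helps to have something that reads a crossdomain.xml and reports what it permits. The checker below is an added example written for this post, not an Adobe tool: it parses the file, pulls out the meta-policy, the allowed domains and the header rules, and lists the findings a reviewer would flag (wildcard access, wildcard headers, a missing site-control, or a missing header rule). The two sample files are constructed for the example, the tighter one using the assumed origin `www.example.com`.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Values defined for site-control's permitted-cross-domain-policies attribute.
# "all" is the pre-change default; "master-only" honours only /crossdomain.xml.
META_POLICIES = {"all", "by-content-type", "by-ftp-filename", "master-only", "none"}


def audit_master_policy(xml_text: str) -> Dict[str, object]:
    """Parse a master crossdomain.xml and return its settings plus a list of findings."""
    # expat does not fetch the external DTD named in the DOCTYPE, so this stays offline.
    root = ET.fromstring(xml_text.strip())
    if root.tag != "cross-domain-policy":
        raise ValueError("root element must be <cross-domain-policy>, got <%s>" % root.tag)
    findings: List[str] = []

    site_control = root.find("site-control")
    meta: Optional[str] = None
    if site_control is not None:
        meta = site_control.get("permitted-cross-domain-policies")
    if meta is None:
        findings.append("no site-control element: once the default tightens, only this master "
                        "policy will be honoured and other policy files on the host will be ignored")
    elif meta not in META_POLICIES:
        findings.append("unknown meta-policy value %r" % meta)
    elif meta == "all":
        findings.append("meta-policy 'all': any policy file anywhere on this host is valid; "
                        "prefer master-only unless you rely on per-directory policies")

    domains = [e.get("domain", "") for e in root.findall("allow-access-from")]
    if "*" in domains:
        findings.append("allow-access-from domain='*': SWFs from any site may read this domain's "
                        "responses, fetched with the viewer's cookies")

    header_rules: List[Tuple[str, str]] = [
        (e.get("domain", ""), e.get("headers", ""))
        for e in root.findall("allow-http-request-headers-from")
    ]
    if not header_rules:
        findings.append("no allow-http-request-headers-from: requests carrying custom headers from "
                        "SWFs on other domains will not be sent after the April 2008 update")
    for dom, hdrs in header_rules:
        if dom == "*" and hdrs.strip() == "*":
            findings.append("allow-http-request-headers-from domain='*' headers='*': any site may "
                            "send arbitrary custom headers to this domain")

    return {"meta_policy": meta, "domains": domains,
            "header_rules": header_rules, "findings": findings}


# Constructed inputs: the permissive file from the post and a tighter alternative.
PERMISSIVE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

TIGHTER = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-http-request-headers-from domain="www.example.com" headers="X-Requested-With"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("tighter", TIGHTER)):
        print(name, audit_master_policy(text)["findings"])
```

Run it against the file you actually serve at /crossdomain.xml: an empty findings list means the file already names a meta-policy and a header rule, so neither the April update nor the later meta-policy change should surprise you.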

Please SPREAD THE WORD to your fellow developers. Don't let the wrath of this security update reach the users. That could be damaging to the reputation of the Flash Player :)