new Flash Player (v115) Breaking getURL?
KevinEleven
BWolfe [ADOBE]
This technote is being updated accordingly and I expect it to be live tomorrow.
"Links from SWF in HTML page no longer functional" (
http://www.adobe.com/go/50c1cf38)
The big change will be this (I"ll paste it here since it's not in the technote
yet):
Starting with Flash Player 9, getURL (or navigateToURL) calls affecting
"_self," "_parent," or "_top" were considered an interaction with the hosting
HTML page. Starting with Flash Player 9 update 3, all calls to targets other
than "_blank" are affected. This is to prevent untrusted SWF files embedded in
the HTML page from re-navigating a browser page (or a frame within that page)
without warning the user that they are now visiting a different third-party
website. It also enforces cross domain scripting restrictions across all html
frames.
To protect HTML pages from untrusted SWF files, Flash Player supports the HTML
parameter AllowScriptAccess in the<object> and <embed> tags that display Flash
content. AllowScriptAccess can have three values:
? "always": permits the SWF file to interact with the HTML page in all cases.
? "sameDomain": permits the SWF file to interact with the HTML page only when
their domains match exactly. By default, the HTML publish templates in the
Adobe Flash authoring application output HTML that
specifiesAllowScriptAccess="sameDomain", as this is frequently the desired
security behavior.
? "never": completely prevents the SWF file from interacting with the HTML
page.
Calling getURL (or navigateToURL ) now falls under the control of the
AllowScriptAccess parameter. In other words, AllowScriptAccess must either be
"always" or "sameDomain," and the domains of the HTML page and SWF file must
match exactly. Otherwise, the call to getURL (or navigateToURL) will fail.
This is a new behavior introduced in Flash Player 9 to comply with the
security model and affects all SWF versions. Adobe is aware that this may
change the behavior of some SWF media deployed before the release of Flash
Player 9, and we apologize for any inconvenience this may cause.
LHarvey79
"always" my getURL call will still fail because the HTML is on a subdomain and
my SWF is hosted on my main site?? (I have attempted this, and it's the result
that I get.)
Is there no other way to get around this? I've tried a crossdomain.xml file,
and that doesn't work. This new security patch is ridiculous if there is no
way for us to work-around this restriction without maintaining copies of our
SWFs on each domain in which we want to display it.
I'd appreciate any additional advice that can be given here.
Thanks,
Lauren
smackey75
getURL("asfunction:myFunction"); is failing to call 'myFunction' even though
AllowScriptAccess="always" is set in the HTML parameters. Is there something
I'm missing or something else that I can try?
thanks,
steve
canuckpuckhead
off a web server but does not work when running the same files locally on my
computer.
I'm scratching my head over this trying to figure out how to get the security
lifted so I can locally access my flash files properly...
saradi
since a flash player 9.0.115.0, call shall not
getURL("javascript:alert('test')")
my test case
domain a - page_a.html(frameset:page_b in the page_a [same domain] ),
page_b.html(include domain b swf)
domain b - b.swf
swf :
three buttons.
button one - getURL("javascript:alert('test')")
button two - getURL("http://www.adobe.com")
button three - getURL("/index.html")
direct call page_b.html or call page_a.html, If the call
ie6.0 en, firefox 2.0.0.11 - behavior button one, button two, button three
ie6.0 kor, ie7.0 - behavior button two
set html parameters AllowScriptAccess = "always"
How can button one, button two work?
BWolfe [ADOBE]
I replied to canuck on another thread about his local testing problem. I'll
repeat what I wrote here:
"This local problem is a different security related issue than the original
problem, and has been a change that started in Flash Player 8. this has
nothing to do with the 'allowscriptaccess' tag, which only effects SWF playing
in HTML served via a web server.
If you read livedocs:
http://livedocs.adobe.com/flash/9.0/main/00001078.html ... you'll see that
when you're in the 'local-with-filesystem' security sandbox then any call to an
HTML page is considered a network call, and will be blocked by the security
mechanism.
The workaround (for local testing) is a bit of a pain. In fact, it's easier to
just upload the HTML and the SWF and test it on the live server than to do the
workaround (which is to add your HTML it's containing folders to the Flash
Player trust locations..)"
KevinEleven
Thanks,
Lauren[/q]
Not to mention those situations where the author has no control over domain
issues : ex. - I am currently developing an app for Facebook - whose API sets
AllowScriptAccess to never. what can be done in cases like this?
BWolfe [ADOBE]
Not to mention those situations where the author has no control over domain
issues : ex. - I am currently developing an app for Facebook - whose API sets
That might require an adjustment to their API. It's another angle I have to
investigate.
LeoBent
issue caused by the 9.0.115.0.
I have a similar problem as LHarvey79, outlined in this forum post:
http://store1.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=15&catid
=194&threadid=1327061&highlight_key=y
Please respond this is causing serious problems for our customers !!!
rs99
Replacing Flash release 115 with release 47 cures the fault.
LeoBent
reply from a Adobe Support Engineer.
As i stated before this subdomain /HTML frames/getUrl issue is causing
problems on IE with 9.0.115.0, but everything is working fine on firefox with
9.0.115.0.
It's absolutely unacceptable that we have to refactor our customer's site in
order to get it working in IE, just because of an flash player update.
It seems like the only way possible at the moment is to suggest to our
customer's customer service to recommend a flash player downgrade to users.
sdm_allen
r115 has created a failure of the getURL calls in two evnironments that we
frequently use (note: allowScriptAccess is set to 'always'):
1) Running HTML documents locally via the IE7 browser. This worked fine in the
previous version of Flash 9 (and also seemed to work in IE6).
2) Running HTML documents within our own MFC application (that encapsulates
the IE control via the CHtmlView MFC class). Previously, this application
presented an ideal environment, since it didn't fall under the normal browser
security sandbox, thus providing more flexibility and control over the content
and data I/O. But getURL fails even here.
Do these issues require new, permanent coding changes to deal with security
restrictions, or are we experiencing a bug in the latest version of the Flash
player? Having looked through much of the documentation that I could find
regarding the new security changes, I have not come across anything that
sufficiently explains why these errors are occuring (in most cases the
documentation seems to indicate that applying the "allowScriptAccess" setting
should take care of any security issues).
Any other information regarding this problem would be helpful. Thanks.
BWolfe [ADOBE]
This is specific to sdm_allen's item number 1 above. getURL("javascript:..."
) calls fail in IE7. In all my testing IE7 is the ONLY browser failing though.
My tests work find locally in IE6.
All we know so far is that it's failing. We're continuing to investigate and
will post more when we have more info. If you wish to change your code to use
externalInterface you should no longer have this problem (I'm told. Haven't
tested that yet...)
NOTE: the allowScriptAccess tag has NO EFFECT on local content (ie, content
coming from something other than domain like C:/ or file:///. I can't remember
if this is also true for content coming from http://localhost/...)
sdm_allen, I cannot address your item #2. Flash Player team does not provide
support for embedded use of the activeX control. Sorry.
WhatTheSamHill
FP9 and running on FP9 and the getURL calls just stopped working when I updated
to r115. My Flash content and HTML are on the same domain, and was all fine one
day and then not the next. We are supposed to be releasing this project to our
biggest client and have had to delay due to this issue. We had to roll back to
r47 to continue development and testing. This affects locally run files only.
When run via the internet, there is not a problem. What's going on here? Is
this going to be fixed as I don't see any mention of it in the release notes
and don't see how the tighter security of r115 would impact this.
BWolfe [ADOBE]
I've had several people test this and none of our tests fail in IE6.
At this point I've reported this to Engineering as being IE7 specific, and
we're waiting for their research. At this point we don't know what's going on
(but it doesn't appear to be an intentional change. If it was it would effect
all browsers/platforms).
It is VITAL that you open a Technical Support case and get a case #, then
provide the agent with stripped down test files that you believe will repro
this issue for us in IE6. When you have a case number report back here and
I'll check in on it's progress. Given the situation I'd recommend you do that
by phone if possible. http://www.adobe.com/support.
BWolfe [ADOBE]
That's completely separate from this thread.
Unfortunately the Flash Player web support is installation only. Which I
realize isn't always ideal.
Post your case # and I'll see if I can get somebody to take a look at it.
rs99
Can you please recommend how I can get Adobe to also take an interest in
resolving why Flash 9 release 115 causes at least three different types of
browser to crash on some sites (Mac OS X 10.5). The site in question worked
fine until release 115 came out, Reverting back to release 47 does not cause
any of the browsers to crash.
Not sure if it is related to the problem raised in this thread or not.
I have tried raising it as an issue with Tech Support but all they write back
with is 'we only can advise on installation issues' which is not particularly
helpful.
rs99
Case 173077073
Roger
tro...@gmail.com
We are seeing exactly the same problem - getURL calling javascript
is not working only on IE7 with version 9.115. (We tested Firefox,
Safari and Opera). This is a big issue for our customers. How can we
track the status of this bug? How can we find out when it has been
resolved?
LeoBent
adhishor
Thanks guys. I found my answers,
Adrian
Director http://www.goldpublicity.com
BWolfe [ADOBE]
Thanks guys. I found my answers,
NOTE: the answer at the top of this thread is incorrect. I have no way to
remove it as the answer though. Perhaps KevinEleven could...
As of today we have two open bugs specific to Flash Player 9.0.115.0 ActiveX
control and the use of getURL("javascript:...") syntax..
I will be writing a technote describing the workarounds today or tomorrow, but
I wanted to share some of my testing with the community so you can see what the
story is.
Issue one:
getURL("javascript:blah()") failing when the content is local to a drive or cd
or dvd. This is a legit bug, not a problem with FlashPlayer trust.
This post does not describe issueone , but you -can- use the source FLA's to
test issue one.
Issue two:
getURL("javascript") failing with live content if the HTML and SWF are in
separate domains. IE6 and IE7 only.
ExternalInterface has been successful as a workaround for that as well (in my
tests at least...)
At this point I cannot provide an ETA on any fixes, though I am pushing hard
for these to be addressed in the next planned update (no, i cannot tell you
when that is, sorry).
OK now for my testing.
Each test uses the same SWF setup, but the javascript and html change as
necessary. The results of ?my- testing are below each link.
All my tests are with Flash Player 9.0.115.0. As most on the thread surely
know these bugs were injected in the 9.0.115.0 development process and do not
appear in 9.0.47.0....
There are four tests in each version (top to bottom)
-- button 1: getURL
-- button 2: externalInterface passing a string via a variable, which is
caught by javascript in the HTML page
-- button 3: fscommand
-- button 4: externalInterface calling 'window.open' directly with no in-page
javascript
-- Buttons 1 through 3 (top to bottom) fire an alert, put some text into the
debug text box in the SWF and open a new window.
-- Button 4 only opens a new window, puts some text into the debug text box,
but no alert (because it?s a direct call to window.open)
Scenario 1:
HTML and SWF in same domain, no frames
The original AS2 version:
http://www.bentimagemedia.com/escalations/cs3_getURL/getURL_AS2.html
FireFox OSX ? all pass
FireFox XP ? all pass
IE6 XP ? all pass
IE7 Vista - all pass
The AS3 version:
http://www.bentimagemedia.com/escalations/cs3_getURL/getURL_AS3.html
FireFox OSX ? all pass
FireFox XP ? all pass
IE6 XP ? all pass
IE7 Vista - all pass
Scenario 2:
HTML and SWF in same domain, frameset, calls going to same frames ? this
setup has two horizontal frames with the AS2 version of the SWF in the top, the
AS3 version in the bottom.
http://www.bentimagemedia.com/escalations/cs3_getURL/frames/getURL_frames.html
FireFox OSX ? all pass
FireFox XP ? all pass
IE6 XP ? all pass
IE7 Vista - all pass
Scenario 3: (THIS IS ISSUE TWO ABOVE)
HTML and SWF on different domains, calls going to the same frames ? same
swf?s, same setup with modified HTML. The HTML lives on bentimagemedia, but
the SWF?s are embedded from supportflash.com
http://www.bentimagemedia.com/escalations/cs3_getURL/frames_crossdomain/getURL_f
rames_crossdomain.html
FireFox OSX ? all pass
FireFox XP - all pass
IE6 XP ? Button 1 getURL("javascript"...) fires function, but does not open
new window. I think this might be a known DOM bug with frames, possibly a
problem with the ID of the frameset. Needs more research.
- all other buttons pass
IE7 Vista - Button 1 getURL("javascript...) fires function, no new window
same as IE6.
-- all other buttons pass
KevinEleven
[Q][I]Originally posted by: [B][B]adhishor[/B][/B][/I]
Thanks guys. I found my answers,
NOTE: the answer at the top of this thread is incorrect. I have no way to
remove it as the answer though. Perhaps KevinEleven could...
[/q]
Done.
Good to see these issues being worked out, although it won't help me a bit on
Facebook ( who I'm positive won't change their API to allowScriptAccess as it
would open up many new issues for them ). While I can see the logic behind this
move, it seems a shame to effectively disable inter-page hyperlinking without
Javascript. This is the web, after all.
BWolfe [ADOBE]
Good to see these issues being worked out, although it won't help me a bit on
Facebook ( who I'm positive won't change their API to allowScriptAccess as it
would open up many new issues for them ). While I can see the logic behind this
move, it seems a shame to effectively disable inter-page hyperlinking without
Javascript. This is the web, after all.
Well I don't think anybody loves it. Unfortunately it had to be done to
address a very specific security exploit that arose. And it's still subject to
change, so you're welcome to send feedback to http://www.adobe.com/go/wish
BWolfe [ADOBE]
'getURL and navigateToURL issues with Flash Player 9.0.115.0 ActiveX control'
http://www.adobe.com/go/kb403072
Sisyphus and the Boulder
problem. I cannot get an html link in a dynamic text field (rendered as .html)
to work anymore. If you have 9.0.115, please humor me and try this simple
example and see if it breaks for you too: 1. Create a new .fla and put a
dynamic text field on the stage. Give it an instance name test_txt 2. Set the
text field to render as html. 3. Add an actions keyframe in the first frame
and write: test_txt.htmlText = 'You should just <a
href=\'javascript:sampleFunction()\'>click me</a>'; 4. Publish it out with an
.html page to host the .swf as well. 5. Add to the .html page: <script
type='text/javascript'> function sampleFunction() { alert('Hello World'); }
</script> 6. Open the .html file in IE7 and try clicking on the link to bring
up the alert. Does this work for anyone else? I haven't had much success with
using the asfunction protocol in links since the update either. Either case
works fine when hosted online, but not when testing locally. It shows up as a
link, but clicking on it does ABSOLUTELY NOTHING. If you get a free moment Mr.
Wolfe, I would very much appreciate your input.
BWolfe [ADOBE]
post your sample somewhere and I'll try to check it during a break and look for
related bugs and get back to you? Feel free to open a support case as well
http://www.adobe.com/support/flash
Sisyphus and the Boulder
appreciated. You will find four files in the following .zip which should
illustrate the problem: test.fla test.swf test.html readme.txt
http://tidewater.unitech1.com/div3nn/htmlLinkTest/test.zip
BWolfe [ADOBE]
appreciated. You will find four files in the following .zip which should
illustrate the problem: test.fla test.swf test.html readme.txt
appreciate that. But it would be -really- helpful if you could open a support
web case and reply back wiht the case number. That way we share the workload
and make sure that I don't personally forget to get back to this thread!
Sisyphus and the Boulder
However, I wasn't able to get the .html code to show up properly in the post (because it was actually interpretting the html).
asael2
my flash doesn?t work, I have different domains pointing to a same Php page and
a swf file inside. Button links in flash work fine for different domains in
IE(7.0.5730) but it doesn't in FFox(2.0.0.11). I have already implemented
allowSecureDomain("*"), crossdamin.xml and allowScriptAccess, but still not fix
it. I'm I missing something?, works fo IE and not for FF, should I try to look
for help with Mozilla?
In advance thanks for your guide.
[hr]
Yamid
captkeebz1
call javascript. Unfortunately our products were also built to work on IE only
(an inherited mess!). Our customers are starting to buzz angrily as they're
upgrading to the dread IE7 / flash player 9 combo. So far we're suggesting they
roll back to fp8 but obviously we are eagerly awaiting a fix to this issue.
Updating the existing code to use externalinterface is not realistic due to the
volume of our projects.
Thanks to the contributors on this thread, saved me from much hair pulling.
sfdmsy
the following getURL calls. I don't see you have any example on calling the
window name. I tried to put in a window name, ie. getURL("http://google.com",
"myWindowName"), but it brings up a _blank window. Please let me know. Thanks