Re: [Flashcoders] AS3, BitmapData and domain security
Paul Neave wrote: On 22/07/06, John Dowdell [EMAIL PROTECTED] wrote: If the foreign data acknowledges you (via a policy declaration on their server), or if your own server proxies that data yourself, then the ability to get inside that bitmap data is available. I don't see the point of restricting access to BitmapData from another server when all you have to do to get at it is use a proxy script on your own server. True, for most cases. But as Bernard pointed out, the Player can run behind someone else's firewall, and is able to access servers not available to your server in the open WWW. That's a lot of the reason for Player security issues: it runs in private places, where your server cannot. That's why the data server must acknowledge that they accept such requests. jd -- John Dowdell . Adobe Developer Support . San Francisco CA USA Weblog: http://weblogs.macromedia.com/jd Aggregator: http://weblogs.macromedia.com/mxna Technotes: http://www.macromedia.com/support/ Spam killed my private email -- public record is best, thanks. ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
Re: [Flashcoders] AS3, BitmapData and domain security
I don't see the point of restricting access to BitmapData from another server when all you have to do to get at it is use a proxy script on your own server. Here's an example: http://www.neave.com/temp/proxy.php?proxy_url=http://www.google.com/ intl/en/images/logo.gif I was doing something similar in Director a few years ago and ended up having to rename my php script to proxy.jpg and editing my .htaccess file for that directory to execute a .jpg as a php script (using AddHandler, IIRC). Perhaps this is Flash's issue as well... Alan ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
Re: [Flashcoders] AS3, BitmapData and domain security
Thanks jd. On 22/07/06, John Dowdell [EMAIL PROTECTED] wrote: If the foreign data acknowledges you (via a policy declaration on their server), or if your own server proxies that data yourself, then the ability to get inside that bitmap data is available. I don't see the point of restricting access to BitmapData from another server when all you have to do to get at it is use a proxy script on your own server. Here's an example: http://www.neave.com/temp/proxy.php?proxy_url=http://www.google.com/intl/en/images/logo.gif The image looks as though it's coming from my server but it's actually coming from a domain I don't have server-side access to. So from Flash's point of view, there's no security risk. In AS3: var request:URLRequest = new URLRequest(http://www.google.com/intl/en/images/logo.gif;); var loader:Loader = new Loader(); loader.load(request); addChild(loader); would work fine, but I can't use BitmapData methods on the image. If I replace the URL with the proxied one above, I'd be able to use BitmapData without any problem. As far as I can see, any potential hacker could use a proxy script like this so I don't see what security benefit there is apart from just annoying developers! I'm now left with two options: 1) either proxy the image so I can access BitmapData (which costs me bandwidth and is much slower than direct access, especially if you're accessing many images at once) or 2) don't use BitmapData and put up with having the images pixelated when scaled or rotated. Either way it doesn't make me happy :( Paul. ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
Re: [Flashcoders] AS3, BitmapData and domain security
I am not sure this is relevant to the discussion but: Your proxy trick will not work to access resources from local machines within a client's NAT. The flash player could potentially access those since it is already located behind the NAT. What I mean is that the flash player might have network access to some non-internet-public stuff. B. 2006/7/22, Paul Neave [EMAIL PROTECTED]: Thanks jd. On 22/07/06, John Dowdell [EMAIL PROTECTED] wrote: If the foreign data acknowledges you (via a policy declaration on their server), or if your own server proxies that data yourself, then the ability to get inside that bitmap data is available. I don't see the point of restricting access to BitmapData from another server when all you have to do to get at it is use a proxy script on your own server. Here's an example: http://www.neave.com/temp/proxy.php?proxy_url=http://www.google.com/intl/en/images/logo.gif The image looks as though it's coming from my server but it's actually coming from a domain I don't have server-side access to. So from Flash's point of view, there's no security risk. In AS3: var request:URLRequest = new URLRequest(http://www.google.com/intl/en/images/logo.gif;); var loader:Loader = new Loader(); loader.load(request); addChild(loader); would work fine, but I can't use BitmapData methods on the image. If I replace the URL with the proxied one above, I'd be able to use BitmapData without any problem. As far as I can see, any potential hacker could use a proxy script like this so I don't see what security benefit there is apart from just annoying developers! I'm now left with two options: 1) either proxy the image so I can access BitmapData (which costs me bandwidth and is much slower than direct access, especially if you're accessing many images at once) or 2) don't use BitmapData and put up with having the images pixelated when scaled or rotated. Either way it doesn't make me happy :( Paul. ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
RE: [Flashcoders] AS3, BitmapData and domain security
Paul, I believe the policy file being referred to is the crossdomain.xml file. Here's a technote for you on the subject, in case you're not familiar: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213. After you get up to speed on cross-domain policy files, you'll want to check out http://livedocs.macromedia.com/labs/as3preview/langref/index.html?flash/syst em/LoaderContext.htmlflash/system/class-list.html I think the following excerpts pertains to your question: When loading images (JPEG, GIF, or PNG) instead of SWF files, there is no need to specify a SecurityDomain or an application domain, because those concepts are meaningful only for SWF files. Instead, you have only one decision to make: do you need programmatic access to the pixels of the loaded image? If so, see the checkPolicyFile property. From the checkPolicyFile documentation: Set this flag to true when you are loading an image (JPEG, GIF, or PNG) from outside the calling SWF file's own domain, and you expect to need access to the content of that image from ActionScript. Examples of accessing image content include referencing the Loader.content property to obtain a Bitmap object, and calling the BitmapData.draw() method to obtain a copy of the loaded image's pixels Hope that helps! -tom -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave Sent: Friday, July 21, 2006 9:06 AM To: Flashcoders Subject: [Flashcoders] AS3, BitmapData and domain security Hi group, I've only just discovered that in Flash 8 you can't .draw() a loaded image into a BitmapData object if the image was loaded from another domain. I've search about and found you can .draw() a SWF which uses System.security.allowDomain but there's no way to .draw() an image JPG, GIF, PNG etc when loaded across domains. This is very annoying, but apparently ...this will be fixed in FP9; you will be able to use policy files to permit such things. said Deneb Meketa: http://www.kaourantin.net/2005/12/dynamically-loading-bitmaps-with.html Can someone explain how to use the policy file to permit .draw()ing cross-domain in AS3/FP9? Thanks buckets, Paul. ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
Re: [Flashcoders] AS3, BitmapData and domain security
Thanks a lot Tom, that was just what I was looking for. It looks like in Flash Player 9, if you want to load *and* manipulate an image (or even a sound) from another domain you have to be able to have access to that domain and be able to put a crossdomain policy file on that server. The weird thing is that you can load an image from any server without the need for a crossdomain policy file, but you can't use BitmapData.draw() unless you have a policy file. Also, you can load an mp3 from any other server but you can't access the mp3's id3 information without a policy file on the other server. What madness is this!? What's the reasoning behind this? Surely it can't be to do with potential 'hackers' because to get around the problem you only have to create a proxy script: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=50c96388 which any potential hacker would be able to knock up in no time. But for developers, having to create a proxy script means the data has to be redirected via your server and you have to pay for the bandwidth that uses up. I really don't understand why Flash 8 and 9 have this security feature as I don't see what extra security it provides apart from annoying developers. Paul. On 21/07/06, Tom Lee [EMAIL PROTECTED] wrote: Paul, I believe the policy file being referred to is the crossdomain.xml file. Here's a technote for you on the subject, in case you're not familiar: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213. After you get up to speed on cross-domain policy files, you'll want to check out http://livedocs.macromedia.com/labs/as3preview/langref/index.html?flash/syst em/LoaderContext.htmlflash/system/class-list.html I think the following excerpts pertains to your question: When loading images (JPEG, GIF, or PNG) instead of SWF files, there is no need to specify a SecurityDomain or an application domain, because those concepts are meaningful only for SWF files. Instead, you have only one decision to make: do you need programmatic access to the pixels of the loaded image? If so, see the checkPolicyFile property. From the checkPolicyFile documentation: Set this flag to true when you are loading an image (JPEG, GIF, or PNG) from outside the calling SWF file's own domain, and you expect to need access to the content of that image from ActionScript. Examples of accessing image content include referencing the Loader.content property to obtain a Bitmap object, and calling the BitmapData.draw() method to obtain a copy of the loaded image's pixels Hope that helps! -tom -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave Sent: Friday, July 21, 2006 9:06 AM To: Flashcoders Subject: [Flashcoders] AS3, BitmapData and domain security Hi group, I've only just discovered that in Flash 8 you can't .draw() a loaded image into a BitmapData object if the image was loaded from another domain. I've search about and found you can .draw() a SWF which uses System.security.allowDomain but there's no way to .draw() an image JPG, GIF, PNG etc when loaded across domains. This is very annoying, but apparently ...this will be fixed in FP9; you will be able to use policy files to permit such things. said Deneb Meketa: http://www.kaourantin.net/2005/12/dynamically-loading-bitmaps-with.html Can someone explain how to use the policy file to permit .draw()ing cross-domain in AS3/FP9? Thanks buckets, Paul. ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
RE: [Flashcoders] AS3, BitmapData and domain security
I'll admit it's counter-intuitive to me too... Flash Player's approach to security always has been peculiar from my point of view. I would welcome more transparency on the reasoning behind the security decisions being made. It would make it a lot easier for me to sell Flash Platform solutions if I had a ready answer to questions like what's up with crossdomain.xml?. Every non-Flash developer I've worked with has been baffled by it. That said, the Player team is trying to satisfy a wide variety of concerns which I would never think of. Generally speaking, I think that cross-domain policy files are meant to restrict the Flash Player's capabilities, and nothing more. Flash Player can't be responsible for all tiers of network security, only itself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave Sent: Friday, July 21, 2006 2:47 PM To: Flashcoders mailing list Subject: Re: [Flashcoders] AS3, BitmapData and domain security Thanks a lot Tom, that was just what I was looking for. It looks like in Flash Player 9, if you want to load *and* manipulate an image (or even a sound) from another domain you have to be able to have access to that domain and be able to put a crossdomain policy file on that server. The weird thing is that you can load an image from any server without the need for a crossdomain policy file, but you can't use BitmapData.draw() unless you have a policy file. Also, you can load an mp3 from any other server but you can't access the mp3's id3 information without a policy file on the other server. What madness is this!? What's the reasoning behind this? Surely it can't be to do with potential 'hackers' because to get around the problem you only have to create a proxy script: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=50c96388 which any potential hacker would be able to knock up in no time. But for developers, having to create a proxy script means the data has to be redirected via your server and you have to pay for the bandwidth that uses up. I really don't understand why Flash 8 and 9 have this security feature as I don't see what extra security it provides apart from annoying developers. Paul. On 21/07/06, Tom Lee [EMAIL PROTECTED] wrote: Paul, I believe the policy file being referred to is the crossdomain.xml file. Here's a technote for you on the subject, in case you're not familiar: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213. After you get up to speed on cross-domain policy files, you'll want to check out http://livedocs.macromedia.com/labs/as3preview/langref/index.html?flash/syst em/LoaderContext.htmlflash/system/class-list.html I think the following excerpts pertains to your question: When loading images (JPEG, GIF, or PNG) instead of SWF files, there is no need to specify a SecurityDomain or an application domain, because those concepts are meaningful only for SWF files. Instead, you have only one decision to make: do you need programmatic access to the pixels of the loaded image? If so, see the checkPolicyFile property. From the checkPolicyFile documentation: Set this flag to true when you are loading an image (JPEG, GIF, or PNG) from outside the calling SWF file's own domain, and you expect to need access to the content of that image from ActionScript. Examples of accessing image content include referencing the Loader.content property to obtain a Bitmap object, and calling the BitmapData.draw() method to obtain a copy of the loaded image's pixels Hope that helps! -tom -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave Sent: Friday, July 21, 2006 9:06 AM To: Flashcoders Subject: [Flashcoders] AS3, BitmapData and domain security Hi group, I've only just discovered that in Flash 8 you can't .draw() a loaded image into a BitmapData object if the image was loaded from another domain. I've search about and found you can .draw() a SWF which uses System.security.allowDomain but there's no way to .draw() an image JPG, GIF, PNG etc when loaded across domains. This is very annoying, but apparently ...this will be fixed in FP9; you will be able to use policy files to permit such things. said Deneb Meketa: http://www.kaourantin.net/2005/12/dynamically-loading-bitmaps-with.html Can someone explain how to use the policy file to permit .draw()ing cross-domain in AS3/FP9? Thanks buckets, Paul. ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http
Re: [Flashcoders] AS3, BitmapData and domain security
What is you put the loaded image into an empty MC and then captured the BitmapData of the MC you created? Does the security traverse the MC tree checking for foreign domains? Charles P. On 7/21/06, Paul Neave [EMAIL PROTECTED] wrote: Thanks a lot Tom, that was just what I was looking for. It looks like in Flash Player 9, if you want to load *and* manipulate an image (or even a sound) from another domain you have to be able to have access to that domain and be able to put a crossdomain policy file on that server. The weird thing is that you can load an image from any server without the need for a crossdomain policy file, but you can't use BitmapData.draw() unless you have a policy file. Also, you can load an mp3 from any other server but you can't access the mp3's id3 information without a policy file on the other server. What madness is this!? What's the reasoning behind this? Surely it can't be to do with potential 'hackers' because to get around the problem you only have to create a proxy script: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=50c96388 which any potential hacker would be able to knock up in no time. But for developers, having to create a proxy script means the data has to be redirected via your server and you have to pay for the bandwidth that uses up. I really don't understand why Flash 8 and 9 have this security feature as I don't see what extra security it provides apart from annoying developers. Paul. On 21/07/06, Tom Lee [EMAIL PROTECTED] wrote: Paul, I believe the policy file being referred to is the crossdomain.xml file. Here's a technote for you on the subject, in case you're not familiar: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213. After you get up to speed on cross-domain policy files, you'll want to check out http://livedocs.macromedia.com/labs/as3preview/langref/index.html?flash/syst em/LoaderContext.htmlflash/system/class-list.html I think the following excerpts pertains to your question: When loading images (JPEG, GIF, or PNG) instead of SWF files, there is no need to specify a SecurityDomain or an application domain, because those concepts are meaningful only for SWF files. Instead, you have only one decision to make: do you need programmatic access to the pixels of the loaded image? If so, see the checkPolicyFile property. From the checkPolicyFile documentation: Set this flag to true when you are loading an image (JPEG, GIF, or PNG) from outside the calling SWF file's own domain, and you expect to need access to the content of that image from ActionScript. Examples of accessing image content include referencing the Loader.content property to obtain a Bitmap object, and calling the BitmapData.draw() method to obtain a copy of the loaded image's pixels Hope that helps! -tom -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave Sent: Friday, July 21, 2006 9:06 AM To: Flashcoders Subject: [Flashcoders] AS3, BitmapData and domain security Hi group, I've only just discovered that in Flash 8 you can't .draw() a loaded image into a BitmapData object if the image was loaded from another domain. I've search about and found you can .draw() a SWF which uses System.security.allowDomain but there's no way to .draw() an image JPG, GIF, PNG etc when loaded across domains. This is very annoying, but apparently ...this will be fixed in FP9; you will be able to use policy files to permit such things. said Deneb Meketa: http://www.kaourantin.net/2005/12/dynamically-loading-bitmaps-with.html Can someone explain how to use the policy file to permit .draw()ing cross-domain in AS3/FP9? Thanks buckets, Paul. ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com ___ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software
Re: [Flashcoders] AS3, BitmapData and domain security
I've just tried loading the image into a nested clip but it's still doesn't work. It doesn't work in AS3 either. According to the AS3 livedocs: BitmapData.draw() Security note: The source object and (in the case of a Sprite or MovieClip object) all of its child objects must come from the same domain as the caller, or must be in a SWF file that is accessible to the caller by having called the Security.allowDomain() method. If these conditions are not met, the draw() method does not draw anything. http://livedocs.macromedia.com/flex/2/langref/flash/display/BitmapData.html#draw() Personally I think this security restriction is utterly stupid. Why on earth would you need to restrict access to an image that is *already* loaded into Flash? The biggest problem is that in AS3, once an image has been loaded it cannot have its pixels 'smoothed', so when it is scaled the pixels go jagged and aliased. There was a workaround in FP8/AS2 where you copied the image into a BitmapData object and applied the 'smooth' property, but it's now obvious you can't do this if the image is coming from a domain that you don't have access to. This impacts on pretty much every dynamic application I work on that uses images from servers such as Flickr, Google Images, map images servers etc. that you don't have server-side access to. The restriction also applies to dynamically loaded sound files. Can someone please explain the logic and benefit behind this security decision as it really is baffling me! Thanks loads, Paul. On 21/07/06, Charles Parcell [EMAIL PROTECTED] wrote: What is you put the loaded image into an empty MC and then captured the BitmapData of the MC you created? Does the security traverse the MC tree checking for foreign domains? Charles P. On 7/21/06, Paul Neave [EMAIL PROTECTED] wrote: Thanks a lot Tom, that was just what I was looking for. It looks like in Flash Player 9, if you want to load *and* manipulate an image (or even a sound) from another domain you have to be able to have access to that domain and be able to put a crossdomain policy file on that server. The weird thing is that you can load an image from any server without the need for a crossdomain policy file, but you can't use BitmapData.draw() unless you have a policy file. Also, you can load an mp3 from any other server but you can't access the mp3's id3 information without a policy file on the other server. What madness is this!? What's the reasoning behind this? Surely it can't be to do with potential 'hackers' because to get around the problem you only have to create a proxy script: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=50c96388 which any potential hacker would be able to knock up in no time. But for developers, having to create a proxy script means the data has to be redirected via your server and you have to pay for the bandwidth that uses up. I really don't understand why Flash 8 and 9 have this security feature as I don't see what extra security it provides apart from annoying developers. Paul. On 21/07/06, Tom Lee [EMAIL PROTECTED] wrote: Paul, I believe the policy file being referred to is the crossdomain.xml file. Here's a technote for you on the subject, in case you're not familiar: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213. After you get up to speed on cross-domain policy files, you'll want to check out http://livedocs.macromedia.com/labs/as3preview/langref/index.html?flash/syst em/LoaderContext.htmlflash/system/class-list.html I think the following excerpts pertains to your question: When loading images (JPEG, GIF, or PNG) instead of SWF files, there is no need to specify a SecurityDomain or an application domain, because those concepts are meaningful only for SWF files. Instead, you have only one decision to make: do you need programmatic access to the pixels of the loaded image? If so, see the checkPolicyFile property. From the checkPolicyFile documentation: Set this flag to true when you are loading an image (JPEG, GIF, or PNG) from outside the calling SWF file's own domain, and you expect to need access to the content of that image from ActionScript. Examples of accessing image content include referencing the Loader.content property to obtain a Bitmap object, and calling the BitmapData.draw() method to obtain a copy of the loaded image's pixels Hope that helps! -tom -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave Sent: Friday, July 21, 2006 9:06 AM To: Flashcoders Subject: [Flashcoders] AS3, BitmapData and domain security Hi group, I've only just discovered that in Flash 8 you can't .draw() a loaded image into a BitmapData object if the image was loaded from another domain. I've search about and found you can .draw() a SWF which uses System.security.allowDomain but there's no way to .draw() an
