Software, Fitness, and Gaming – Jesse Warden

Category: Flash

  • Parent SWF Security Sandbox & Zinc

    First off, wanted to report the sad news my blower’s dead; wrong mixture of gas & oil, piston’s busted or something.

    Anyway, deploying a project yesterday and doing the unthinkable, loadMovie. A parent SWF loads a child SWF after a successful login. These child SWF’s are basically applications and the shell that loads them is just a security mechinism. We’re using Zinc, and we originally we’re just compiling this “shell” natively; so the EXE would be a small exe the user’s download to their computer, but the SWF’s remain on the server that the shell actually downloads, making it easier to keep up to date without having to distribute a new EXE since the shell just logs in and downloads SWF’s.

    Anyway, during testing we kept getting security sandbox violations. I was extremely confused since Flash as a projector or SWF running on the desktop has free reign and can do anything it wants, when it wants. I figured maybe because the new Flashout (0.2.1.2) now hosts the Flash Player in a browser window, it’s bound by domain restrictions (even localhost).

    …but a Zinc projector? It’s an exe right? Guess not. Even using the option of Zinc to merely load the SWF from a remote URL instead of compiling the SWF in didn’t work; same issue.

    So, reading the docs found 2 good examples of when to use System.security.allowDomain for SWF’s loading SWF’s. Our’s was the 2nd, where a shell SWF loads other SWF’s into it, and wants to be able to interact with them; like set variables on it when it’s loaded, call methods, etc. So, we did:

    System.security.allowDomain(_parent._url);

    in the children SWF’s. You can be sure _parent’s already loaded (because the _parent loaded you), and the _url of the parent could change, but this is the exact way without hardcoding it. Works like a charm.

    Still, I’m confused what Zinc is doing, making the SWF’s act like they are in a browser. As an exe, I am not held to the security sandbox.

  • No Complete Event for Internal Content

    Both Flash & Flex have a Loader component to load content into. It’s nice in Flash because it abstracts sizing & loading code. It’s even cooler in Flex because you can bind to contentPath.

    However, if the content you are loading in Flash is an internal symbol, or embedded content in Flex (same thing), you will not get a “complete” event.

    I find this wrong since expectations are, “I load content, I get an event while it’s loading, ‘progress’, and I get an event when it is completed, ‘completed’.” However, you only get these events for external content, like external JPEG’s & SWF’s. The documentation for both Flash & Flex versions does not state anything to the contrary.

    Frankly, since this component abstracts the loading process, it should be up to the component omit events regardless of loaded content, or emit different events. This now requires the user of the component to know which content type they are loading.

    This is an important distinction, because such low level details of whether something is an internal asset are not easily determined at runtime in both Flash & Flex. The more OOP something is, the less you know about where an asset came from. Simply adding the “Embed” metatag in Flex above an asset path, and it’s internal; your code doesn’t change.

    Additionally, Flex abstracts control via binding. Since this connection is handled for you, one assumes (wrongly) that those bindings work without data inspection intervention.

    What I’ve been doing is just checking if the asset I’m loading has a prefix of “__Resources” in it; if so, it’s an internal asset in Flex, and thus I must immediately call my complete event myself. Hack.

  • Flash, Flex, & AMFPHP: RSS Reader Example

    Wanted to not only learn bindings in Flex, but see how they compared to Flash in terms of actually using them and seeing their benefits side-by-side to Flash. The fact you can bind any property to any property of a GUI component rocks the mic!

    So, since both of these RSS reader’s hit the same AMFPHP webservice, I figured I’d just upload the source so you could see how to use Flash & Flex with AMFPHP since there aren’t many examples around on using either, ecspecially for using RemoteObject with something other than Java, in this case PHP via AMFPHP without using the Flex server. Additionally, this is a simple enough example in Flex to see how the bindings work.

    You’ll have to setup AMFPHP yourself as the SWF’s are not using the Flex server as a proxy, and thus will not work unless hosted on www.jessewarden.com because of the security sandbox. Unless you spoof this, or use AMFPHP to actually forward the request (which is easy I believe), or just setup and run localhost.

    Here’s how they work:
    – Flash or Flex hits the AMFPHP gateway via Flash Remoting, and calls the getRSS1Feed method in a PHP class called RSSReader.
    – The RSSReader class’ method, getRSS1Feed takes 1 parameter, the URL to an RSS feed, and uses Magpie to parse it into a usable object. It then returns this object in the function.
    – AMFPHP sends the object back to Flash or Flex.
    – Flash or Flex then displays the RSS feeds and allows you to cycle through the blog entries.

    Needless to say, the Flex one was faster to build, and more fun!

    The Flash One

    The Flex One

    Files & Links

    Source Files

    Magpie PHP RSS Parser (his files need to be next to RSSReader.php in the AMFPHP “services” folder)

    AMFPHP

    Flex

    Flash

  • BBC Flash Components True to Their Word

    A long, long, time ago… say, the re-election of Bush (or dumbfoundedness of the mass media depending on how you look at it), a group of dev’s at the BBC mentioned they would release their component set.

    Naturally, I figured bollocks… I’ve heard that 50 billion times before from various company representatives, and the only people to deliver were EnFlash and the Bit Components. There may be more, I’m sure, but regardless I was quite surprised to see they finally did what they said they would do.

    After creating a bunch for myself over the years, I respect anyone who can pull off releasing a set to the public. Aral’s got the 4-1-1.