Opened 14 years ago

Closed 12 years ago

#3 closed task (fixed)

adding security subsystem to ODIN

Reported by: vladest Owned by: vladest
Priority: major Milestone: 0.8.5
Component: odin Version: 0.8.4
Severity: low Keywords:
Cc:

Description

In order to get getURL() action script command working, Flash32 requires windows security subsystem to be implemented

Change History (18)

comment:1 Changed 14 years ago by vladest

Owner: set to vladest

comment:2 Changed 14 years ago by vladest

Random function, required for security, implemented (r21369). Added SCHANNEL API for security (r21373).

Last edited 12 years ago by dmik

comment:3 Changed 13 years ago by Silvan Scherrer

Milestone: odinized java

comment:4 Changed 13 years ago by Silvan Scherrer

Milestone: changed from odinized java to odinized flash

comment:5 Changed 12 years ago by dmik

Milestone: changed from 0.8.3 to next
Severity: low

Hmm, it sounds like a possible reason of why some mouse clicks are sometimes ignored in Flash (http://svn.ecomstation.nl/flash10/ticket/34). Needs to be checked.

However, I don't think it's a reason to delay the release of 0.8.3 though. I created a new milestone called "next" (the next planned release after the one being currently worked on) and moved it there.

comment:6 Changed 12 years ago by dmik

Milestone: changed from next to 0.8.5
Version: 0.8.4

This also may be the source of all other problems related to some Flash content not working properly, see http://svn.ecomstation.nl/flash10/ticket/34 for more info.

comment:7 Changed 12 years ago by dmik

I couldn't find any relation to SCHANNEL and getURL() so far. Tests show that in all problematic cases SCHANNEL.DLL is not used at all (at least no request is made through Odin to load it). So I don't know what Vladest meant.

Note that there is a plugin notification, GetURLNotify() which I see in the wrapper logs and it seems to work. At least URLs appearing here do get loaded. However, I don't see this notification when buttons in non-working flash movies are clicked (like the top menu items in http://www.studioamotel.com.br/). So I now suspect that we don't deliver some messages (or deliver them incorrectly). In r21987 I fixed one problem I found but this apparently doesn't cure the original issue. Will continue logging and debugging.

comment:8 Changed 12 years ago by dmik

I can now say that mouse press messages are surely delivered to the window where the flash plug-in does its stuff and they get consumed by the window procedure (located in the Win32 plug-in DLL). So there still must be some Javascript issue (getURL or not), i.e. the plug-in receives the mouse message but the action it triggers doesn't have any effect. The problem is that we don't have the sources of the plug-in itself and it's hard to say what action doesn't work and why (there is nothing related to it in Odin/wrapper logs at least).

I will look if it's possible to get some debug out of the plug-in DLL itself.

comment:9 Changed 12 years ago by dmik

I found the special debug version of the Flash plugin used to debug contents (http://www.adobe.com/support/flashplayer/downloads.html) but it crashes Odin. I think it's worth making it work as it may also help us in the future.

PS. This is yesterday's comment since Trac decided I'm logged out.

comment:10 Changed 12 years ago by dmik

I've worked around the crash (it seems that Odin sends WM_GETMINMAXINFO to the Flash window before it gets an opportunity to set the DWL_USER window value but Flash relies on that somehow). In the debug version of the plugin I get some more options in the context menu of the Flash window and I can also have some tracing opportunities (described here: http://help.adobe.com/en_US/flex/using/WS2db454920e96a9e51e63e3d11c0bf69084-7fc9.html); however, no matter what I try I can't get any logs out of any Flash movies (including the ones that don't work). I don't know what the exact reason is (maybe they simply don't use the trace() function).

The only thing I see sometimes is runtime errors which are reported by the debug plugin in a special top-level window.

comment:11 Changed 12 years ago by dmik

In particular, I get this

SecurityError: Error #2060: Security sandbox violation: ExternalInterface caller http://www.ikea.com/ms/flash/rooms_ideas/mpa2/MPA2.swf cannot access <unknown>.
	at flash.external::ExternalInterface$/_initJS()
	at flash.external::ExternalInterface$/addCallback()
	at ikea.platform::ExternalInterfaceManager/init()
	at MPA2/onInit()
	at MPA2/___MPA2_Application1_creationComplete()
	at flash.events::EventDispatcher/dispatchEventFunction()
	at flash.events::EventDispatcher/dispatchEvent()
	at mx.core::UIComponent/dispatchEvent()
	at mx.core::UIComponent/set initialized()
	at mx.managers::LayoutManager/doPhasedInstantiation()
	at Function/http://adobe.com/AS3/2006/builtin::apply()
	at mx.core::UIComponent/callLaterDispatcher2()
	at mx.core::UIComponent/callLaterDispatcher()

and

Error: Error #2134: Cannot create SharedObject.
	at flash.net::SharedObject$/getLocal()
	at ikea.platform.cookie::MpaCookieManager/get appSharedObject()
	at ikea.platform.cookie::MpaCookieManager/getCookie()
	at ikea.mpa2.control::SectionFactory/getStateModel()
	at ikea.mpa2.control::SectionFactory/getMpa()
	at ikea.mpa2.control::SectionFactory/newInstance()
	at ikea.platform.module::MpaModuleManager/addMpaToContainer()
	at ikea.platform.module::MpaModuleManager/addMpaToStage()
	at ikea.platform::PlatformImp/openModule()
	at ikea.platform::AppStartup/globalLoad()
	at flash.events::EventDispatcher/dispatchEventFunction()1251

when visiting this page: http://www.ikea.com/nl/nl/catalog/categories/departments/childrens_ikea/?icid=nl%3Eic%3Enavigatiebalk%3Ekinderland.

And this is the reason why the playback stops. So it indicates that there is some security problem indeed. Googling and testing.

comment:12 Changed 12 years ago by dmik

Latest findings (discovered using the test and trial approach). Flash stores local security settings and shared objects in the \var\lib\odin\Application Data\Macromedia Flash Player directory. If it is unable to store or read the contents of this directory (and its subdirectories), it will cause error #2060 (and sometimes the subsequent error #2134).

On Windows, this directory (and all necessary subdirectories) gets re-created by the Flash plugin as needed. Shared objects are stored in a subdirectory #SharedObjects\NNNNNNNN\site.name, security settings -- in macromedia.com\somestuff\site.name.

On OS/2, Flash versions starting from 10.1 do not create any directories there at all (I don't even see a call to CreateDirectory in Odin logs). Flash 10.0.x creates the directory structure but it is still unable to create NNNNNNNN in #SharedObjects (where N is a digit or a capital letter). If I create the NNNNNNNN directory by hand (or transfer the whole Flash Player structure from the Windows machine), Flash 10.0.x starts working fine with the IKEA movie (and it stores some stuff in there). Flash 10.1 and above still doesn't work.

As far as I can judge from the logs, they changed something in Flash regarding the code that creates the directory structure and walks it, as the sequence of API calls is completely different starting from version 10.1. There is not enough information to figure out what's wrong though. Most likely, we don't implement some functionality but nothing in the logs suggests what exactly is missing.

BTW, just a guess, for generating a NNNNNNNN file name, some rand function may be required but we may lack it and Flash fails.

Note that Flash 10.0 and the manually created directory only cure the IKEA site. The mouse clicks (http://svn.ecomstation.nl/flash10/ticket/34) and embedded videos (http://svn.ecomstation.nl/flash10/ticket/57) still don't work. Must be something different (but may be still related to the security). Bad that the debug version of Flash shows nothing in these cases.
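A diagnostic for the directory layout described in comment:12, added here as an example; it is not part of the ticket thread or of Odin. The function names and the temporary sample layout are assumptions, while the directory names (#SharedObjects, NNNNNNNN, macromedia.com) are taken from the comment.

```python
import os
import re
import tempfile

# 8 characters, each a digit or a capital letter, as comment:12 describes NNNNNNNN.
RANDOM_DIR = re.compile(r"^[0-9A-Z]{8}$")

def _can_write(directory):
    """Probe by really creating a file; permission bits alone can mislead."""
    try:
        fd, path = tempfile.mkstemp(dir=directory)
        os.close(fd)
        os.remove(path)
        return True
    except OSError:
        return False

def check_flash_store(root):
    """Return a list of problems found under the Flash Player data directory."""
    if not os.path.isdir(root):
        return ["missing root: " + root]
    problems = []
    shared = os.path.join(root, "#SharedObjects")
    if not os.path.isdir(shared):
        problems.append("missing #SharedObjects")
    else:
        random_dirs = [d for d in sorted(os.listdir(shared))
                       if RANDOM_DIR.match(d)
                       and os.path.isdir(os.path.join(shared, d))]
        if not random_dirs:
            problems.append("no NNNNNNNN directory in #SharedObjects")
        for d in random_dirs:
            if not _can_write(os.path.join(shared, d)):
                problems.append("cannot write to #SharedObjects/" + d)
    if not os.path.isdir(os.path.join(root, "macromedia.com")):
        problems.append("missing macromedia.com (security settings)")
    return problems

def demo():
    """Check a constructed layout before and after adding NNNNNNNN by hand."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Macromedia Flash Player")
        os.makedirs(os.path.join(root, "#SharedObjects"))
        os.makedirs(os.path.join(root, "macromedia.com"))
        before = check_flash_store(root)  # state reported for Flash 10.0.x on OS/2
        os.mkdir(os.path.join(root, "#SharedObjects", "AB12CD34"))  # constructed name
        after = check_flash_store(root)   # after creating the directory manually
        return before, after

if __name__ == "__main__":
    print(demo())
```

To check a real installation, pass the Macromedia Flash Player directory named in comment:12 to `check_flash_store()`.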

comment:13 Changed 12 years ago by dmik

I will try to create a test .swf and debug it from that end. I hope there is a free tool for that. If not, it may be better to postpone this problem and concentrate on other urgent tasks in other projects as I've run out of ideas here so far.

Since Flash gets more and more complicated, it gets more and more difficult to track and solve issues w/o having any access to the Flash plugin internals (sources, internal tests and so on). Maybe we should try to contact Adobe and ask them if they can assist us in any way. At least this is also an option.

comment:14 Changed 12 years ago by dmik

Found an interesting link about Flash security from devs: http://www.adobe.com/devnet/flash/articles/fplayer8_security.html. I wonder if this is still valid for Flash 10/11.

comment:15 Changed 12 years ago by dmik

Just FYI, I've checked the stuff that the http://osflash.org project offers (both Adobe Flash content creators and players) and although it sounds attractive (an OSS alternative) the current state makes it useless for practical use (in particular, I tried the lightningbeam IDE and the lightspark plugin -- the IDE is really deep alpha, the plugin can't actually play anything except a few youtube videos).

comment:16 Changed 12 years ago by dmik

I found these OSS tools http://ru.wikipedia.org/wiki/SWFTools which have the as3compile utility which can compile ActionScript 3.0 into SWF. I'm now trying to create a simple SWF that would demonstrate our getUrl() problem.

This link http://tecfa.unige.ch/guides/flash/ex/ contains a bunch of .as tutorial examples.

comment:17 Changed 12 years ago by dmik

I found that there is no getURL() in ActionScript 3.0 (Flash 9 and above). Instead, navigateToURL is used. I've just made this snippet:

package
{
    import flash.display.Sprite;
    import flash.text.TextField;
    import flash.events.MouseEvent;

    import flash.net.navigateToURL;
    import flash.net.URLRequest;

    public class TestGetUrl extends Sprite
    {
        var textField:TextField;

        public function TestGetUrl()
        {
            textField = new TextField();
            textField.text = "Hello, world!";
            addChild(textField);
            addEventListener(MouseEvent.CLICK, clickHandler);
            trace("Hello, world!");
        }

        private function clickHandler(event:MouseEvent) : void
        {
            trace("clickHandler");
            /* getURL("http://www.ru"); */

            var url:String = "http://www.ru";
            var targetURL:URLRequest = new URLRequest(url);
            navigateToURL(targetURL);
        }
    }
}

and the resulting SWF works both on Windows and on OS/2.

This means that this ticket is completely outdated.

I feel that the problems with non-working Flash we're having are still somehow related to going to URLs but I can't see how.

comment:18 Changed 12 years ago by dmik

Resolution: fixed
Status: changed from new to closed

Also, the inability of Flash to create folders and #SharedObjects (see comment:12) may be a reason for some of the failures.

So if we find out why Flash can't (and even doesn't attempt to) create the required folders and files when run under Odin, we may resolve the original issue. I created a new Flash defect 60 for that since the current one seems to be not relevant at all. And the original problem seems to be fixed long ago.
