Flash 10 Broke My Software

by coatta 12/4/2008 8:25:00 PM

We recently ran into a bug in which our Flash application failed when running on Flash 10, but worked fine on Flash 9. The failure turned out to be a security exception that was thrown when we tried to open a file browser. At first the problem seemed to be non-deterministic. There was one routine where we were opening up the file browser -- to upload a file to our server, and sometimes we would get the exception and sometimes not. It turned out the problem was not non-deterministic. Whether we got the exception depended on the precise code path by which we arrived at the point where we tried to open the file browser. And, in fact, the exception itself suggested that this was cause -- the text of the exception indicated that the file browser could only be opened in response to a user action.

Superficially, it seemed like all the code paths leading to the point where the file browser was opened were initiated by the user. This is definitely the case from the user's perspective; the file browser only opens up when you click on one of several buttons on a particular window within the application. But one of the buttons always worked and the others always failed. The crucial difference was that the buttons which caused exceptions did not call the file browser immediately. Instead, they first made a web service call in order to obtain some more information from the server. In Flash, web services calls are inherently asychronous, and the code which opened the file browser was being called in the event handler associated with getting a result back from the web service.

So, as far as Flash 10 was concerned, these code paths did not originate with a user action and therefore the call to open the file browser produced an exception.

The last thing one might wonder is why the file browser should produce an exception in these scenarios. That comes down to security. The file browser is at the boundry of the Flash sandbox. Flash applications are mostly prevented from accessing local resources on a machine -- that stops Flash applications from poking around on your machine and sending your information off to a server somewhere. But Flash does allow an application to ask the user to select a file for uploading. Since the user is in control of this activity, its considered safe. Recent click-jacking attacks have forced even tighter security though and that's probably at the root of this change in Flash 10.

And how did we fix our application? Turns out we had to add an extra dialogue box. When the result comes back from the web service call, we display a dialogue box asking the user if we can proceed. Since this dialogue box originates the user action, the subsequent call to open the file browser succeeds!


<<  June 2024  >>

View posts in large calendar


My opinions are my own, but you can borrow them if you like.

© Copyright 2024

Sign in