Work around Load Variables from other Server/host

[mikebrittain]

enemem -- I think this might be where I was slipping up with it. Once I called the SWF from my server, I couldn't get the XML to load. I have yet to double check this because once I started to use the PHP script as a proxy I didn't seem to have any trouble with it.

[enemem]

okay
saved you a lot of testing and headaches I think, just go with the PHP script

it is a bit of a pain in the arse because you can't just produce a 'standalone' flash file and distribute that, need to include the PHP as well and have PHP on the server etc. etc. oh well ;(

happy XMLing - n.

[wrench]

I am currently trying to workaround the loadvariables from the same subdomain issue without much luck. I have used base href to fool IE browsers into thinking the flash file resides within a different domain, however this does not work in Netscape (surprise, surprise).

For example:
<base href = "http://www.mydomain.com">

.......

<param name=movie value="http://www.otherdomain.com/mymovie.swf">
<embed src="http://www.otherdomain.com/mymovie.swf">

I can then use a simple loadVariablesNum ("write.asp", 0, "POST") to make Flash talk to an asp file which needs to be located at a different domain. I have tried different combinations of POST and GET without any luck. When testing the Flash and ASP from within the same domain, all is good on both browsers.

As i said, this code tricks IE but Netscape still looks in http://www.otherdomain.com for the mymovie.swf file.

Does any one know why Netscape might not be working?

[Musicman]

Hi wrench,

I think that if you use absolute url in the object/embed tags, both browsers should not use the base tag. If you had relative url, both should use it.
Now. flash movie has _url property which we expect to correctly identify whereabouts the movie came from. If you can cheat IE on that, it is probably a bug with IE (although it helps your work) but not a mistake with Netscape.

It seems you have backend in your own domain as well. I proposed redirecting before - could you try that in your environment and tell whether it works with GET or POST?
Just a simple thing that, when called as remote.asp, sends a 302 Location: <path to real asp> to browser.
If that worked, it would mean that once flash has decided to pass the request, the browser would handle the redirect. If it did not work, it would mean that flash is handling the redirect and can check the new address as well

Musicman

[wrench]

Hi Musicman, thanks for the reply,

Unfortunately your suggestion of backend in my domain won't help as I am looking to get my code to work across all platforms regardless of .asp, cgi, php capabilities on the local server.

However....

I have found a fix for my problem. Instead of using LoadVariables (which restricts access to "foreign" domains) I am using LoadMovie and calling the asp file directly into my flash movie. I am using GET (though it also worked with POST). I am only using the asp file to receive data so the method which I send it is not relevant (me thinks). I have tested this on the internet loading the swf file from one server which talks to another completely different NT server which inturn successfully writes the data I require to a database. I was chuffed when it worked, and I have tested it for Netscape 3, Netscape 4.04, Netscape 4.5, Netscape 6 and IE 5.01

Thanks for your help musicman. I am curious, are you employed by FlashKit to help punters out or are you just a jolly good soul?

Cheers Jason

[enemem]

Originally posted by wrench
I am using LoadMovie and calling the asp file directly into my flash movie. I am using GET (though it also worked with POST).

Hey wrench,

sorry - I don't quite understand what you are doing, could you maybe clarify it a little?

are doing something like loadMovie("myprog.asp") and that actually loads the variables into your Flash movie? Doesn't sound like this would work to me so I was wondering whether I misunderstood the whole thing...

sorry if I'm being a bit thick...
thanx - n.

[Musicman]

Hi wrench,

great to know that this one is working.
On the other hand it seems that this is an even bigger security hole as there could have ever been with loadvariables, so I hope MM are not going to plug it for Flash 6.
Just to talk on the security: if someone creates a malicious movie, it could send data (at least those accessible via Javascript) to some foreign address. If it is done using geturl, you would expect either some visible response or an alert that the server did not send any data. If it is done using loadvars, you would not notice. So this "security measure" protects one from nice data collection swf movies that the ad banner industry might wish to use.
The intended protection already fails because you can have the data collection server send back a HTML response to a 1-pixel frame
Now, with loadmovie, you could place a nice movie on your site (maybe as an animated banner, or just some nice movie offered for free) which really looks for variables on your main timeline and sends them without your knowing - say whenever there are variables "user" and "pass" or "password" on the main timeline, it would send _level0._url and all variables every few seconds...

Regarding your question: I am somewhat underemployed at the moment, and I am working on a fairly complex (at least for me) flash project, so I spend quite some time on these forums to see whether somebody else is touching the same problems I encounter. As a dedicated linux developer, I am always concerned to make stuff work with netscape, so I get in on browser compatibility questions quite often

Musicman

[wrench]

emenem

i am simply sending the variables to the asp file on a separate server. No data is transmitted back to the original server. Hope this clears things up

Musicman

Yes indeed, it does seem like a security issue. However I can't see any other way of doing what I want to do. If M do decide to plug this hole in F6 I guess I will have to resort to XML (which will hopefully be better implemented in F6) to maintain the compatibility of my program. We will just have to wait and see....
[Edited by wrench on 05-18-2001 at 06:14 AM]

[enemem]

yeah - that makes things clearer.
thanks!

[Musicman]

Hi there,

not to be misunderstood: I dont think anybody is sending unwanted data anywhere. I just have the impression that this "security" thing is somewhat like the guy from the insurance company who demands the main shop entrance to be equipped with an extra lock, while there is still a side entrance through the car park that cannot be locked at all....


Musicman

[mikebrittain]

Originally posted by enemem
when you say 'works at home and at work on a network', are you requesting the actual swf using http? Stick it on a server somewhere and see whether it still works - because I don't think it will.

Sorry -- I've been off this post for a little bit, but i wrote up a file last week that I had intended to put up here. It's an FLA that makes a call to an XML file (with the XML object) and to a text file (using loadVariables). Both methods make a call to files in my account at the University of Denver:

http://www.du.edu/~mbrittai/flash/nettest.xml

http://www.du.edu/~mbrittai/flash/loadvars.txt

First, I tested the SWF for this movie from my PC -- selecting Control | Test Movie directly from Flash. BOTH remote files load properly and are displayed in the SWF.

Second, I put a copy of the SWF into the university account and loaded it into Internet Explorer. Again, both files loaded and displayed properly.

http://www.du.edu/~mbrittai/flash/network.swf

Last, I put a copy of the SWF on a different web server, leaving the URLs intact (both are absolute URIs). When I loaded the SWF into Internet Explorer, neither of the remote files were loaded by the SWF.

http://www.embimedia.com/mike/misc/flashkit/network.swf

The FLA is linked from the SWF if you would like to inspect it. If you find anything wrong with this, please let me know.

By the way, over the weekend I was paging through the O'Reilly ActionScript book that Colin Moock wrote and it details these sorts of remote connections and if I remember correctly, this demonstration supports what was written in that book.

[mikebrittain]

Originally posted by Musicman
Just to talk on the security: if someone creates a malicious movie, it could send data (at least those accessible via Javascript) to some foreign address. If it is done using geturl, you would expect either some visible response or an alert that the server did not send any data. If it is done using loadvars, you would not notice. So this "security measure" protects one from nice data collection swf movies that the ad banner industry might wish to use.

The intended protection already fails because you can have the data collection server send back a HTML response to a 1-pixel frame.

You're making the assumption that the site that is hosting the malicious movie has a 1 pixel frame setup for the getURL to work properly (hidden).

I have a concern that an ad company could create a movie that might be able to gather information that it shouldn't have, and then pass it along to some third-party server WITHOUT the user ever knowing, and WITHOUT the publisher whose site is hosting the flash movie (as a banner ad?) ever realizing.

I believe that most advertisers are give a limited amount of space for a standard advertisement. So long as additional frames or other layout material is not needed, I don't know how much time the publisher puts into auditing the content.

For this type of thing to be hidden, you also could not be asking the publisher to host some sort of proxy script that is going to pass all of your maliciously captured data back to the third party server.

Is there any way for a swf to do this all by itself, without giving notice to the user or to the publisher? I think that is what Macromedia is intending to patch.

[Musicman]

Hi mikebrittain,

if I understood wrench's posting right, he is loading a flash movie from his local server which in turn loads a movie from a different server and then interacts with that other server.
Reading this in different words, you would load a flash movie from your local server (an ad banner) that just seems to have a clickable link, whereas in reality it would load another movie from a third party server and could then communicate with that server.

Musicman

[wrench]

Spot on musicman.

I am loading an asp script (via loadmovie) into an swf that is hosted on a different server. I am only sending variables to the asp script that are then being passed to a database. Have not tried to talk back to the swf file from the asp file as I have no need (at this stage) to do that. I'm not sure it would work as I have a response.write code in my asp file which (before switching from Loadvariables to Loadmovie) sent a response back to flash. This isn't happening when using Loadmovie.
Having initially tested the loadvariable command across domains without success I resorted to the Loadmovie command.
Ga wooshka it worked.

Thanks for the array tips musicman (separate thread). Got it working, thankfully I have a brother in Sydney who has a maths and computer sciences degree and he was able to straighten out my muddled array code. That and after looking at the same array problems for 10 hours, it really stuffs you up in the head. Hard to think logically about the problem at hand.