I have an online Flash application that acts as a front end for a server application built in Delphi. The server can be installed/used on a remote computer or a personal version can be downloaded and the Flash app pointed at localhost to use it. However, Flash has issues with using the POST and GET functions on the localhost, which makes uploading data files and downloading results files difficult. To get past the difficulty with downloading results files I'm planning to just have the server app serve the results file as an attachment and have the Flash app open the address of the file up in another browser window using external interface. First off, is this likely to cause similar security issues? I.e., Flash will see "localhost" in the external interface call and stop it from working, the same as when I try to use POST/GET functions with localhost?

Secondly, for upload this seems a little bit trickier. I'm planning on doing something similar: having Flash use external interface to open a PHP script for a file upload. Is this feasible and, again, will Flash still have security issues?

Lastly, if anyone knows how to get Flash to execute POST and GET functions with localhost addresses, I'd love to have that information to avoid all this jumping through hoops.

A: 

Can you describe what issues you're having with POST/GET? Localhost should be no different than any other server. If your requests are failing entirely, maybe security rules are the problem.

I would suggest ensuring that the locally installed copy of your front end runs in Flash Player's local-trusted sandbox. You do this by creating a FlashPlayerTrust config file. You can test what sandbox you're in by examining System.security.sandboxType (AS1/AS2) or Security.sandboxType (AS3).

FlashPlayerTrust config files are documented here: http://www.adobe.com/devnet/flash/articles/fplayer8_security_04.html Search for "FlashPlayerTrust".

Deneb Meketa
Oh, security rules are definitely the problem here (works perfectly when added to the Flash trusted locations folder), I just don't know why they are a problem. My server dispatches a cross-domain policy file and everything. Here is my original question, when I was trying to get the security issues worked out: http://stackoverflow.com/questions/3026488/flash-http-requests-wont-work-on-localhost but it seems they are intended effects, so I am trying to work around them now.
Md Derf
I think being in the local-trusted sandbox is the way you want to go. It should solve your problems, and it doesn't introduce any additional vulnerabilities. Your server shouldn't need any policy files; if you want to authorize this by policy file, you'd need to allow access by "*" in order to permit local files, and that's a vulnerability; any other machine could connect to this host freely, which you probably don't want. Am I missing anything? What's your concern with FlashPlayerTrust files - is it the process of installing them? Can you make a downloadable installer app?
Deneb Meketa
That might end up being the way I go, but I'd rather not because: The Flash itself is hosted online. Not sure if there is an easy, relatively seamless way to have it automatically transition to a locally hosted version when the user chooses to use the personal server. Also, the personal server itself is a single executable the user is prompted to download that sits in the appdata folder and runs without any real installation, deleting itself when it is closed. I'd rather the user didn't have to go through a full installation each time, so I don't know the current setup could add trust files.
Md Derf
OK, I see. I would be somewhat concerned that you have to open your localhost server to online content - this means that others can snoop on its contents, make changes, and possibly exploit vulnerabilities in it to own the user's machine. An all-local setup would be the more conventional solution. You can still do this with a single downloadable executable; when it is first run, it can unpack an archive of local files, including your SWFs and the FlashPlayerTrust config file that you'll need.
Deneb Meketa
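
The wildcard policy-file grant that the comments above call a vulnerability, as an added example that is not part of the original thread: a Python check that flags over-broad grants in a Flash cross-domain policy file. The two sample policies and the domain `app.example.com` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration (not taken from the thread).
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="app.example.com" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return findings for over-broad grants in a cross-domain policy."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = (rule.get("domain") or "").strip()
        if domain == "*":
            findings.append('domain="*": content from any origin may read responses')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain grant: {domain}")
        # secure="false" lets content loaded over HTTP read an HTTPS server.
        if (rule.get("secure") or "true").lower() == "false":
            findings.append(f'secure="false" on grant for {domain or "(none)"}')
    for rule in root.iter("allow-http-request-headers-from"):
        if (rule.get("domain") or "").strip() == "*":
            findings.append('request headers accepted from domain="*"')
    return findings


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or "no over-broad grants")
```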