Simon Willison’s Weblog

CSRF: Flash + 307 redirect = Game Over. Here’s the exploit that Django and Rails both just released fixes for. It’s actually a flaw in the Flash player. Flash isn’t meant to be able to make cross-domain HTTP requests with custom HTTP headers unless the crossdomain.xml file on the other domain allows them to, but it turns out a 307 redirect (like a 302, but allows POST data to be forwarded) confuses the Flash player in to not checking the crossdomain.xml on the host it is being redirect to. 10th February 2011, 10:07 pm

tobeytailor’s gordon. Another Flash runtime in pure JavaScript project, released back in January. Not quite as advanced as Smokescreen yet (it doesn’t have an audio implementation) but already available as open source under an MIT license. 29th May 2010, 11:57 am

Smokescreen demo: a Flash player in JavaScript. Chris Smoak’s Smokescreen, “a Flash player written in JavaScript”, is an incredible piece of work. It runs entirely in the browser, reads in SWF binaries, unzips them (in native JS), extracts images and embedded audio and turns them in to base64 encoded data:uris, then stitches the vector graphics back together as animated SVG. Open up the Chrome Web Inspector while the demo is running and you can see the SVG changing in real time. Smokescreen even implements its own ActionScript bytecode interpreter. It’s stated intention is to allow Flash banner ads to execute on the iPad and iPhone, but there are plenty of other interesting applications (such as news site infographics). The company behind it have announced plans to open source it in the near future. My one concern is performance—the library is 175 KB and over 8,000 lines of JavaScript which might cause problems on low powered mobile devices. 29th May 2010, 11:32 am

Realtime Election Tweets. Jay Caines-Gooby’s realtime election tweet service, using Node.js, nginx and WebSocket with a Flash fallback. 6th May 2010, 9:20 pm

Flash CS5 will export to HTML5 Canvas. This looks pretty awesome—Illustrator CS5 and Flash CS5 can export to a new “FXG” format, and Adobe are providing a JavaScript library to load that format via Ajax and render the contents (including Flash animations) in a canvas element. Could be great for displaying newspaper infographics on the iPad. 11th April 2010, 6:33 pm

flashblockdetector. Mark Pilgrim’s JavaScript library for detecting if the user has a Flash blocker enabled, such as FlashBlock for Firefox and Chrome or ClickToFlash for Safari. One good use of this would be to inform users that they need to opt-in to Flash for unobtrusive Flash enhancements (such as invisible audio players) to work on that page. 13th March 2010, 10:44 am

ClearMaps: A Mapping Framework for Data Visualization. An open source library for map visualisations using ActionScript, with an Adobe AIR based encoding tool for translating data from shapefiles in to vector data suitable for use with the library. 28th February 2010, 3:52 pm

HTML5 video markup, compatibility and playback. Everything you need to know about embedding HTML5 video on a page, complete with multiple codecs to cover the various supporting browsers and a fallback to Flash. 11th February 2010, 5:49 pm

Plupload (via) Fantastic new open source project from the team behind TinyMCE. Plupload offers a cross-browser JavaScript File uploading API that handles multiple file uploads, client-side progress meters, type filtering and even client-side image resizing and drag-and-drop from the desktop. It achieves all of this by providing backends for Flash, Silverlight, Google Gears, HTML5 and Browserplus and picking the most capable available option. 10th February 2010, 12:53 pm

SublimeVideo—HTML5 Video Player. Still a fair way to go (no Firefox support yet, and they plan to add a Flash fallback for IE) but in Safari this is pretty extraordinary. Smooth video, beautiful UI, full window mode and full screen mode in the latest WebKit nightlies. I’d go as far as saying that this is the nicest online video implementation I’ve seen (at least on the Mac). 2nd February 2010, 9:50 am

Who Can Do Something About Those Blue Boxes? John Gruber makes the case for the fading significance of Flash, brought about by Apple’s point-blank refusal to support it on the iPhone or iPad. “Flash is no longer ubiquitous. There’s a big difference between “everywhere” and “almost everywhere”.” 31st January 2010, 12:05 pm

flXHR. I was looking for something like this recently, glad to see it exists. flXHR is a drop-in replacement for regular XMLHttpRequest which uses an invisible Flash shim to allow cross-domain calls to be made, taking advantage of the Flash crossdomain.xml security model. 26th November 2009, 12:52 pm

Cross-domain policy file usage recommendations for Flash Player. One of the best explanations of the security implications of crossdomain.xml files I’ve seen. If you host a crossdomain.xml file with allow-access-from domain=“*” and don’t understand all of the points described here, you probably have a nasty security vulnerability. 5th November 2009, 4:24 pm

Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from-domain=“*” in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files. 5th November 2009, 9:47 am

Adobe is Bad for Open Government. The problem isn’t just that PDFs are a bad way of sharing data, it’s that Adobe have been actively lobbying the US government to use their PDF and Flash formats for open government initiatives. 1st November 2009, 12:51 pm

Developing for the Apple iPhone using Flash. A brilliant feat of engineering: Adobe worked around Apple’s “no runtime allowed” rules by writing a compiler front end for LLVM that compiles ActionScript 3 to ARM assembly code, and apparently ported the regular Flash drawing APIs as well. 5th October 2009, 9:15 pm

svgweb. Awesome. I’ve been having a lot of fun with SVG for dynamic graphics recently (maps in particular), and hoping someone builds an SVG renderer in Flash so I could serve up SVG files for IE. Brad Neuberg and team have done exactly that. 22nd August 2009, 10:42 pm

You Deleted Your Cookies? Think Again (via) Flash cookies last longer than browser cookies and are harder to delete. Some services are sneakily “respawning” their cookies—if you clear the regular tracking cookie it will be reinstated from the Flash data next time you visit a page. 17th August 2009, 3:23 pm

Towards a Standard for Django Session Messages. I completely agree that Django’s user.message_set (which I helped design) is unfit for purpose, but I don’t think sessions are the right solution for messages sent to users. A signed cookie containing either the full message or a key referencing the message body on the server is a much more generally useful solution as it avoids the need for a round trip to a persistent store entirely. 19th June 2009, 9:57 pm

SWFUpload jQuery Plugin. Nice looking plugin around an invisible Flash shim that provides multiple file uploads and client-side progress indicators. 16th June 2009, 11:46 am

Fixing IE by porting Canvas to Flash. Implementing canvas using Flash is an obvious step, but personally I’m much more interested in an SVG renderer using Flash that finally brings non-animated SVGs to IE. 15th March 2009, 1:34 pm

Visualising Radio, pushing, not pulling. The BBC’s new radio player uses Comet over a Flash XMLsocket connection transport, with an ActiveMQ message queue behind the scenes. I’d like to know what server they’re using to broadcast out to the XMLsocket connections. 13th January 2009, 12:59 am

Noncontiguous area cartograms. a.k.a. really funky data visualisation maps. Includes lots of examples, plus ActionScript 3 source code. 8th December 2008, 6:03 pm

Wario Land: Shake It—Amazing footage! Some virals really do deserve linking to. 26th September 2008, 4:46 pm

What the Heck is the Open Web? Brad Neuberg is seeking a two sentence definition. Bonus points for answering the following: “If Adobe were to open source Flex/Flash, or Microsoft Silverlight, would that be the Open Web? If so, why? If not, why not?” 22nd July 2008, 1:33 am

Running C and Python Code on The Web. Adobe are working on a toolchain to compile C code to target the Tamarin VM in Flash. This will allow existing C code (from CPython to Quake) to execute in a safe sandbox in the browser. 4th July 2008, 8:26 am

Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml hidden in a GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since. 1st July 2008, 4:12 pm

Scaring people with fullScreen. Unsurprisingly, you can work around the “Press Esc to exit full screen mode” message in Flash by distracting the user with lots of similar looking visual noise. This opens up opportunities for cunning phishing attacks that simulate the chrome of the entire operating system. EDIT: Comments point out that text entry via the keyboard is still disabled, limiting the damage somewhat. 2nd June 2008, 10:18 pm

Obscure bugs revisited: IE, HTTPS and plugins. Filed for future reference: IE breaks mysteriously if you serve it up plugin content (e.g. Flash) over HTTPS with a no-cache header—it deletes the file from cache before the plugin software gets a chance to open it. 30th May 2008, 9:54 am

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole. 15th May 2008, 8:06 am

Adobe and Industry Leaders Establish Open Screen Project (via) Talk about burying the lede... the real story is that Adobe are going to drop the license restriction that prevents other people from implementing SWF players. They’re also publishing the AMF and Flash Cast protocols and removing licensing fees for Flash Player on devices. 1st May 2008, 9:43 am

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP). 6th January 2008, 9:35 am

BBC iPlayer now supports streaming Flash for Mac and Linux. Absolutely fantastic—it Just Works, you hit the homepage and you can be watching video in seconds. No need to even sign up for an account. I imagine IP ranges are used to block access from outside the UK. 14th December 2007, 12:36 pm

VectorMagic. Neat online tool (with a Flex frontend) for tracing bitmap images in to vectors, based on research at the Stanford AI lab. 28th October 2007, 11:46 am

Halo 3 Site Demonstrates Flaws in SilverLight. The Halo 3 “interactive manual” is like a throwback to Flash in the late 90s—“skip intro”, pointless transitions, text you can’t select or enlarge, links that aren’t links—all wrapped up in an ugly blob (only this time it’s XML instead of binary data). 27th September 2007, 2:38 pm

gefingerpoken. Michal Migurski shows how to implement the algorithm for two-finger deforming drag using affine transformation matrices in Flash. 24th September 2007, 8:50 am

H.264 support coming to the Flash player. It looks like this is a response to the higher video quality offered by Silverlight. I wonder if YouTube knew about this when they started transcoding their videos to H.264 for the Apple TV and iPhone. 21st August 2007, 8:28 am

Brendan Eich: New Projects. Exciting new projects from Mozilla. ActionMonkey is joined by IronMonkey (IronPython/IronRuby on Tamarin) and ScreamingMonkey (Tamarin for IE). Upgrading IE’s JavaScript using the Flash Player as a vector is a game-changing idea. 26th July 2007, 8:05 pm

SWFUpload. Fantastic Flash widget for handling multiple file uploads with progress indicators; degrades gracefully to a regular HTML upload field. 16th May 2007, 4:12 pm

Poly9 FreeEarth (via) Seriously sexy embedable 3D Flash globe, with a JavaScript API. 10th May 2007, 9:17 pm

Dell to Offer Ubuntu. That right there is why I find Flex more interesting than Silverlight. 1st May 2007, 6:39 pm

Adobe open sources Flex. Ted Leung says that this might indicate the possibility of Adobe open sourcing Flash itself in the future. 26th April 2007, 11:24 am

SoundManager 2. JavaScript sound API, using a bridge to Flash. 16th April 2007, 4:47 pm

Modest Maps. Flash draggable maps library, BSD-licensed. Use it with tiles from OpenStreetMap / NASA / Google / Yahoo! etc or run it against your own tile set. 23rd March 2007, 3:41 pm

Flash vs. Ajax: It’s time to expand your toolbox. Dan Webb offers his smart, pragmatic take on the Flash vs. Ajax permathread. 20th March 2007, 9:49 am

Adobe wants to be the Microsoft of the Web. The base platform technology for RIAs is too important to be controlled or designed by any single party. 2nd March 2007, 1:01 pm

swf Image Replacement. Really neat idea: unobtrusively replace an inline image with a SWF, then apply effects like rotation, rounded corners and drop-shadowns. Shame it suffers from Flash-Of-Unstyled-Content. 27th February 2007, 7:51 pm

Flash MP3 Player. Nice little embeddable MP3 player, with support for single files or Atom/XSPF/RSS playlists. 25th February 2007, 2:13 am

TagMaps. The toolkit behind the new YRB World Explorer, available to developers as a reusable Flash component. 19th January 2007, 10:01 am

How the myspace SWF hack worked. If Flash is a vector for XSS, is this the end of Flash badges? 17th July 2006, 6:04 pm