Simon Willison’s Weblog

Blogmarks tagged flash in 2008

Noncontiguous area cartograms. a.k.a. really funky data visualisation maps. Includes lots of examples, plus ActionScript 3 source code. # 8th December 2008, 6:03 pm

Wario Land: Shake It—Amazing footage! Some virals really do deserve linking to. # 26th September 2008, 4:46 pm

What the Heck is the Open Web? Brad Neuberg is seeking a two sentence definition. Bonus points for answering the following: “If Adobe were to open source Flex/Flash, or Microsoft Silverlight, would that be the Open Web? If so, why? If not, why not?” # 22nd July 2008, 1:33 am

Running C and Python Code on The Web. Adobe are working on a toolchain to compile C code to target the Tamarin VM in Flash. This will allow existing C code (from CPython to Quake) to execute in a safe sandbox in the browser. # 4th July 2008, 8:26 am

Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml hidden in a GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since. # 1st July 2008, 4:12 pm

Scaring people with fullScreen. Unsurprisingly, you can work around the “Press Esc to exit full screen mode” message in Flash by distracting the user with lots of similar-looking visual noise. This opens up opportunities for cunning phishing attacks that simulate the chrome of the entire operating system. EDIT: Comments point out that text entry via the keyboard is still disabled, limiting the damage somewhat. # 2nd June 2008, 10:18 pm

Obscure bugs revisited: IE, HTTPS and plugins. Filed for future reference: IE breaks mysteriously if you serve it up plugin content (e.g. Flash) over HTTPS with a no-cache header—it deletes the file from cache before the plugin software gets a chance to open it. # 30th May 2008, 9:54 am

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole. # 15th May 2008, 8:06 am

Adobe and Industry Leaders Establish Open Screen Project. Talk about burying the lede... the real story is that Adobe are going to drop the license restriction that prevents other people from implementing SWF players. They’re also publishing the AMF and Flash Cast protocols and removing licensing fees for Flash Player on devices. # 1st May 2008, 9:43 am

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP). # 6th January 2008, 9:35 am