Cross-Domain Bitmap Data: Adobe Says No
Here’s a bit of a snag with the fantastic Bitmap Data functionality that was introduced back in Flash 8. The class allows you to manipulate bitmap images at the pixel level to pull off all kinds of fancy tricks.
i’m working hard to launch a jigsaw puzzle app on the Untold Entertainment games page. Here’s a special preview screenshot:

One feature that i feel very strongly about including is a “Custom” button on the gallery, where the player can enter any image URL and the app will dynamically cut that image into a puzzle.
The trouble is that Adobe forbids Flash from snagging pixels outside its own domain. Their reasoning is fascinating – user vineet_sc, posting on Frédéric v. Bochmann’s Flash Forever blog, emailed Adobe about it, and this was their response:
a policy file will let you BitmapData.draw() from a non-SWF image that comes from another domain. In addition, Security.allowDomain() will let you BitmapData.draw() from a SWF that comes from another domain.
As far as justification… here is a real case that we worry about. Attacker wants a copy of a confidential early financial report from a publicly traded company – insider information. Attacker knows or guesses that this company has FooChart accounting software installed, and knows that FooChart puts its output at a certain URL. This URL is inside the company firewall, so attacker can’t get to it directly. Attacker makes a South Park animation and promotes it heavily. Company employee, inside the firewall, views this movie. While showing animation, attacker’s SWF attempts to retrieve FooChart output GIF into an offscreen or obscured DisplayObject, then uses BitmapData.draw() to extract GIF’s contents. If successful, SWF posts the contents back to attacker’s domain. All this without the employee knowing what’s happening.
That is one reason why cross-domain pixel theft is bad. There are others too. This policy will not be changing.
If Flash Player security seems excessive, consider that many enterprise customers will refuse to allow the player to be installed on their systems unless it is safe technology. Security is not sexy, but it is a requirement.
Wow! Trojan Horse South Park animation espionage! It warms my heart. You can read the whole thread here.
i’m kind of upset that Adobe doesn’t provide some kind of button or security option that says “i’m only using it for jigsaw puzzles”, but i suppose they can’t rely on the honours system when it comes to matters of security.
The same user, vineet_sc, used a workaround where he (i think) hits a php page to load the image to his server, and then brings it into his Flash app. i’ve contacted him for more details, because i’m very new to php.
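The proxy-page workaround deserves one caution before anyone copies it: a server-side page that fetches whatever URL the player types in is, from inside your own network, the very FooChart scenario Adobe describes, with your game server doing the fetching instead of the SWF. As an added example (not code from this post, from vineet_sc, or from Adobe, and written in Python rather than PHP so it runs as-is), here is the validation such a proxy needs before it touches the URL: scheme and port restrictions, a check that every address the hostname resolves to is publicly routable, a second gate on what the upstream server actually returned, and a per-hop check for redirect chains. The hostnames, the resolver table and the size/port limits are constructed for the demo.

```python
"""SSRF guard for a user-supplied image URL handed to a server-side proxy.

Added example for a hypothetical jigsaw image proxy; the limits below are
assumptions, not values from the post.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}          # assumption: no file:, ftp:, data:, ...
ALLOWED_PORTS = {80, 443}                    # assumption: ordinary web ports only
IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}
MAX_IMAGE_BYTES = 5 * 1024 * 1024            # assumption: 5 MiB cap on relayed images


def is_public_ip(ip_text):
    """True only for globally routable addresses.

    ipaddress treats loopback, RFC 1918 space, link-local 169.254/16 (where
    cloud metadata services live), CGNAT, multicast and reserved ranges as
    non-global, which is exactly where an internal FooChart-style host sits.
    """
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def check_proxy_target(url, resolve=socket.getaddrinfo):
    """Return (ok, reason) for one URL the proxy is asked to fetch.

    `resolve` is injectable so the check can run offline in tests; production
    code keeps the default, the real resolver.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in url"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "bad port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    # Check every address the name maps to: the HTTP client picks one and we
    # do not control which, so a single private record is enough to refuse.
    try:
        infos = resolve(host, port)
    except OSError:
        return False, "host does not resolve"
    addrs = {info[4][0] for info in infos}
    if not addrs:
        return False, "host does not resolve"
    for addr in sorted(addrs):
        if not is_public_ip(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def check_response(headers, body_len):
    """Second gate, applied to what the upstream server actually returned."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in IMAGE_TYPES:
        return False, "not an image: %r" % ctype
    if body_len > MAX_IMAGE_BYTES:
        return False, "image too large"
    return True, "ok"


def check_redirect_chain(urls, resolve=socket.getaddrinfo):
    """Validate every hop. A public URL that redirects to an internal one must
    be refused at the second hop, so the proxy fetches with automatic redirects
    off and runs check_proxy_target on each Location before following it."""
    for hop in urls:
        ok, reason = check_proxy_target(hop, resolve)
        if not ok:
            return False, "hop %s: %s" % (hop, reason)
    return True, "ok"


def fake_resolver(table):
    """Constructed offline resolver: host -> list of IP strings."""
    def resolve(host, port):
        if host not in table:
            raise socket.gaierror("constructed NXDOMAIN for %s" % host)
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
                for ip in table[host]]
    return resolve


# Constructed DNS table: one public image host, one internal host, and one
# name that answers with both a public and a loopback record.
DEMO_DNS = fake_resolver({
    "images.example.com": ["93.184.216.34"],
    "foochart.internal": ["10.0.0.5"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],
})

if __name__ == "__main__":
    for candidate in ("http://images.example.com/puzzle.jpg",
                      "http://foochart.internal/report.gif",
                      "http://rebind.example.net/a.png",
                      "file:///etc/passwd"):
        print(candidate, check_proxy_target(candidate, DEMO_DNS))
```

Two things the check cannot do on its own: the address validated here may differ from the one the HTTP client connects to a moment later if the name's records change (DNS rebinding), so a production proxy should connect to the validated IP itself and set the Host header, or at least resolve once and reuse that answer; and the proxy should cache and rate-limit fetches, since anyone on the internet can now make your server request arbitrary public URLs.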
If you know how to do this, please let me know and i’ll post the method here for all (including myself) to enjoy. Or maybe Vineet will grace us with his presence? Who knows? Here’s hoping.
Once i figure it all out, i will announce the official launch of Jigsaw! right here. Keep reading!