Monday, May 05, 2008

it's not a bug... >"< (flash player 9 security model)

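A few months ago, when Flash Player was updated to 9.0.115, the security model changed, and that led me to believe that Security.loadPolicyFile() not being invoked correctly was a bug... and I expected it to be fixed in the next update.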

And just recently, Flash Player was updated to 9.0.124.
And, sure enough, the security model has been changed yet again. For details, see here.
The part I care about is:

A socket policy file will always be required for all socket connections

Sigh...
Personally, I think this change is really lame...  >"<

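Anyway, that was just the preamble. The point of this post is that, among the articles related to this update, I found one that describes Flash Player's internal socket policy request process!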

What the...!!!
So this is the order:

  1. First, look for the master policy file on port 843
  2. Only then, do Security.loadPolicyFile()
  3. Finally, fetch it from the socket port of the target connection...

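How can that be...

They actually give their own special port 843 top priority; if nothing can be fetched there, you have to wait 3 sec, and only then does it look for a policy file elsewhere...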

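So, I had still been hoping that the problem I found last time might get fixed, but now it looks like that is not going to happen!
Because it's not a bug, it's a deliberate FEATURE!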

Honestly, I really think Adobe's design of Flash Player here is idiotic...
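Since port 843 is checked first, answering there is what avoids the 3 sec wait. The following is an added example, not code from the original post or from Adobe: a minimal socket policy file responder in Python. The domain app.example.com, the port 5000 and the refusal of wildcard rules are assumptions made for illustration.

```python
import socketserver
from xml.sax.saxutils import quoteattr

# What Flash Player sends when it asks for a socket policy file (NUL-terminated).
POLICY_REQUEST = b"<policy-file-request/>\x00"

def build_policy(rules, master=True):
    """rules: list of (domain, to_ports) pairs, e.g. ("app.example.com", "5000")."""
    lines = ['<?xml version="1.0"?>', "<cross-domain-policy>"]
    if master:
        # Meta-policy: only the master file served from port 843 is honoured.
        lines.append('  <site-control permitted-cross-domain-policies="master-only"/>')
    for domain, ports in rules:
        # Design choice of this example: never grant every domain or every port.
        if domain == "*" or ports == "*":
            raise ValueError("wildcard rule refused; list domains and ports explicitly")
        lines.append("  <allow-access-from domain=%s to-ports=%s/>"
                     % (quoteattr(domain), quoteattr(ports)))
    lines.append("</cross-domain-policy>")
    return "\n".join(lines).encode("ascii") + b"\x00"  # the reply is NUL-terminated too

def respond(data, policy):
    """Return the policy for a well-formed request, otherwise None (just close)."""
    return policy if data == POLICY_REQUEST else None

# Constructed sample rule: a hypothetical SWF host allowed to reach port 5000.
POLICY = build_policy([("app.example.com", "5000")])

class PolicyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(3)  # do not let idle clients hold a thread
        try:
            data = self.request.recv(len(POLICY_REQUEST))
        except OSError:
            return
        reply = respond(data, POLICY)
        if reply is not None:
            self.request.sendall(reply)

def serve(port=843):
    # Binding a port below 1024 normally needs elevated privileges.
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), PolicyHandler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    serve()
```

The policy must list every domain that is allowed to connect, including the server's own domain when the SWF is hosted there.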

1 comment:

Unknown said...

hi~chenjl:

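I'm very glad to see your article,
because there aren't many Chinese-language articles that discuss sockets.

But I still have a lot of questions about using sockets.

I posted on the Google MMUG group.

I hope you can give me some advice.

The content is below:
Is port 843 required to be open?!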

//------ Quoted from http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html#socket_policy
The policy file can be served from either the socket master policy
port 843 or from the destination port of the socket connection.
The socket policy file will need to include all domains that are
allowed to connect to the socket, including itself.
If the socket policy file is hosted from the master policy file
location, be sure to include meta-policies where socket policy files
are allowed to be located.
You may need to check that your content performs a loadPolicyFile call
to ensure that Flash Player is aware of where to load the policy file
from.
Use the instructions for configuring policy file logging in Tech Note
kb403364 to verify your changes.

//-------- Quoted from http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
If the socket policy file is hosted from the master policy file
location, be sure to include meta-policies to specify where socket
policy files are allowed to be located (see the next section, "Socket
meta-policies," for more information).

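My understanding of these passages (I have also read other articles) is:
opening 843 is so that the master socket policy file can be fetched (in which case there must be a meta-policy), but if I can't open 843,
then loadPolicyFile is used to find the socket policy file.

My test:
the web server and the socket server are on the same computer.
test.fla contains:
System.security.allowDomain("公司內部ip");
System.security.loadPolicyFile("http://公司內部ip/policy_test/URLpolicy.xml");
// allowDomain and loading the URL policy file are used in case loading the socket policy causes problems
System.security.loadPolicyFile("http://公司內部ip/policy_test/policy.xml");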


Using the debug Flash Player's log,
I got the following messages:
=Domain (domain) does not specify a meta-policy.
Applying default meta-policy 'all'. This configuration is deprecated.
=Ignoring policy file at (URL) due to incorrect syntax.
=SWF from (URL) will be permitted to connect to a socket in its
own domain without a policy file. This configuration is deprecated.

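Also, my Flash IDE is 8 Pro; the publish settings only go up to 8.
And in AS2, something like loadPolicyFile has to be written with System.security,
but in AS3 it is written as Security.loadPolicyFile();
How does Flash Player see the difference in syntax, or what difference does it make for security?
Or what if I restrict it to an earlier publish version, 6.5?!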