Flash Player 10 security change can break focus logic with cross-domain SWFs
With the barrage of player updates and security changes to the Flash Player, staying on top of the issues and incompatibilities from player to player is sometimes as troublesome as cross-browser compatibility in regular web development. This is especially true for the upgrade from Flash Player 9 to 10.
There were some well-publicized major security changes for policy files and the FileReference class included with the Flash Player 10 security updates, but a seemingly less significant new restriction regarding cross-domain SWF focus can wreak havoc on an existing Flash project. The new restriction is outlined here:
Related-object properties in events may not be available
Starting in Flash Player 10.0.2, if an object that would be referred to by any of these properties [MouseEvent.relatedObject, FocusEvent.relatedObject, ContextMenuEvent.mouseTarget] resides in a different security sandbox (for example, because it is part of a different SWF that was served from a different domain), and the two sandboxes do not both trust each other (by means of the Security.allowDomain method), then the value of this property is changed to null.
I’ve found this is a significant change for cross-domain SWFs that use any of Flash’s V3 Components. Some third-party cross-domain SWFs that once worked fine will no longer focus properly when clicking on text fields. Digging into this component architecture’s FocusManager, you can find the culprit:
fl.managers.FocusManager::mouseFocusChangeHandler(event:FocusEvent)
    /**
     * @private
     * This gets called when mouse clicks on a focusable object.
     * We block Flash Player behavior.
     *
     * @langversion 3.0
     * @playerversion Flash 9.0.28.0
     */
    private function mouseFocusChangeHandler(event:FocusEvent):void {
        // <- relatedObject is null when the clicked object is in an untrusted sandbox
        if (event.relatedObject is TextField) {
            return; // pass it on
        }
        // With relatedObject null, this runs and blocks the focus change.
        event.preventDefault();
    }
The solution is to add Security.allowDomain("YourDomain") if you have access to republish; otherwise you’d have to use a proxy server.
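As an added example (not code from the original post or from Adobe), here is a sketch of the republished cross-domain SWF granting trust to one named host and logging whether the player is still hiding relatedObject. The class name LoadedWidget and the domain host.example.com are placeholders chosen for illustration.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.FocusEvent;
    import flash.system.Security;

    // Hypothetical document class of the SWF that is loaded from another domain.
    public class LoadedWidget extends Sprite {
        // Assumption: the domain that serves the host SWF (placeholder value).
        private static const HOST_DOMAIN:String = "host.example.com";

        public function LoadedWidget() {
            // Name the host explicitly. allowDomain() lets SWFs from that
            // domain script this one, so "*" would open it to any SWF.
            Security.allowDomain(HOST_DOMAIN);
            // The quoted restriction requires trust in both directions: the
            // host SWF needs its own allowDomain() call for this SWF's domain.

            // mouseFocusChange bubbles, so one listener on the root sprite
            // sees focus changes from every component inside this SWF.
            addEventListener(FocusEvent.MOUSE_FOCUS_CHANGE, logFocusChange);
        }

        // Diagnostic only: it does not alter focus handling.
        private function logFocusChange(event:FocusEvent):void {
            trace(describe(event));
        }

        // Reports whether relatedObject was withheld for sandbox reasons.
        private function describe(event:FocusEvent):String {
            if (event.relatedObject != null) {
                return "relatedObject visible: " + event.relatedObject;
            }
            // isRelatedObjectInaccessible was added in Flash Player 10; the
            // "in" test avoids a reference error where it is not available.
            if ("isRelatedObjectInaccessible" in event
                    && event["isRelatedObjectInaccessible"] == true) {
                return "relatedObject hidden by sandbox; mutual trust is missing";
            }
            return "relatedObject is null (no related object)";
        }
    }
}
```

If the "hidden by sandbox" line still appears after republishing, one side of the mutual allowDomain trust is missing or names the wrong domain.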
I had this exact same problem. I found a way to overcome this issue without republishing or using a proxy server. I’m not sure it is the right way to do it, but in case it is useful to anyone, here is what I did:
- I imported into my main application the definitions of all V3 components.
- Replaced the fl.managers.FocusManager::mouseFocusChangeHandler(event:FocusEvent) method with the implementation found here http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/frameworks/projects/framework/src/mx/managers/FocusManager.as which takes into account the security update.
- When loading cross domain swfs that utilize any of Flash’s V3, I use the LoaderContext to specify the application domain and ensure the loaded swf uses the V3 components definitions contained in the main application (this is the bit that may not fit everyone’s scenario)
Cheers,
Julian
This is a great article, very useful, I’ll be subscribing to your blog.