After warming up with a few random thoughts, let's get to the real business.
Say you wanted to store persistent data and share it between Flash movies from different domains. That's not possible because of the Flash security sandbox for Shared Objects, right? Not quite. I just happened to come across this half a year ago, when I was trying to solve this issue for an application that needed to work both online and locally in offline mode. The problem is that while the application is really the same, it cannot use the same shared object because it's running in two different domains (localhost for offline and your server for online mode).
I tried a couple of things to go around this problem, like trying to change the _url property of the movie, but while it's possible to change it, it still doesn't change the persistent shared object location for that movie.
You can also try to load the cached version of the movieclip to go around the problem, but naturally it only works if there is a cached version and often you can't guarantee that.
So I kept testing and finally found a viable solution. The trick is to use a local (persistent) version of a remote shared object. Normally, your offline movie is still limited to accessing the localhost domain, and Flash doesn't allow you to use "/.." as a URI. You are allowed to use a parent directory (..), but not multiple subsequent ones in your URI. However, it looks like the MM engineers missed one check, since you can specify "./.." as the URI and thus be able to access the root directory of the shared object data folder, e.g. C:\Documents and Settings\yourUserAccount\Application Data\Macromedia\Flash Player.
Test this:
test_so = SharedObject.getRemote("FCTest", "rtmp:/./..", "/");
test_so.data.value1 = "test1";
trace("test_so " + test_so.data.value1);
And do not try to connect the shared object. Then find out where the player created the file FCTest.sor.
It's certainly a security hole or at least unintended behaviour, though I can't immediately figure out how you could exploit this for harmful purposes. I've tested it both with the stand-alone Flash player and through a browser, and you could happily read and write to the shared object. I also just tested that with the new player (7.0.14) and it still works. Generally, it seems that a locally persistent version of a Remote Shared Object is implemented exactly like a Local Shared Object.
A couple of notes: "rtmp:/" has to be specified in the URI, otherwise it won't work. It'll write the shared object to the "Flash Player" folder, which is the parent directory of the domain directories. The last parameter, "/", has to be specified to make the shared object locally persistent.
Since this is a fairly harmless bug, it's unlikely that Macromedia will fix this if no one will tell them, and I doubt that. It's in any case useful for some purposes, so let's just keep it as our little secret :)
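The gap described above is a pattern check that refuses some spellings of the parent directory but lets "./.." through. The following Python sketch is an added example, not code from the original post or from Flash Player: `denylist_check` is a hypothetical model of the behaviour the post reports, the storage layout and sample URIs are constructed, and `contained_check` shows the canonicalise-then-contain test that closes the gap.

```python
import posixpath

# Constructed layout: one sub-directory per domain under a shared storage root.
STORE_ROOT = "/store/Flash Player"

# Constructed sample URIs, written the way the post writes them.
SAMPLE_URIS = ["rtmp:/", "rtmp:/app/sub/..", "rtmp:/..", "rtmp:/app/../..", "rtmp:/./.."]

def uri_path(uri):
    """Path part of an 'rtmp:' URI ('rtmp:/./..' -> '/./..')."""
    scheme, _, path = uri.partition(":")
    if scheme != "rtmp":
        raise ValueError("not an rtmp URI")
    return path

def denylist_check(path):
    """Hypothetical pattern check modelled on the post's description:
    '/..' is refused, repeated '..' is refused, a lone '..' is tolerated."""
    if path.startswith("/.."):
        return False
    if "../.." in path:
        return False
    return True

def resolve(domain, path):
    """Directory the object would land in once the path is applied under the domain directory."""
    return posixpath.normpath(posixpath.join(STORE_ROOT, domain, path.lstrip("/")))

def contained_check(domain, path):
    """Hardened form: canonicalise first, then require the result to stay inside the domain directory."""
    base = posixpath.join(STORE_ROOT, domain)
    target = resolve(domain, path)
    return target == base or target.startswith(base + "/")

def audit(domain, uris):
    """Return (uri, denylist verdict, containment verdict, resolved directory) per URI."""
    rows = []
    for uri in uris:
        path = uri_path(uri)
        rows.append((uri, denylist_check(path), contained_check(domain, path), resolve(domain, path)))
    return rows

if __name__ == "__main__":
    for row in audit("localhost", SAMPLE_URIS):
        print(row)
```

The row for "rtmp:/./.." is the one to look at: the string patterns accept it, while the resolved directory is the shared parent of every domain directory.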
And btw, since this is my first Flash post, I'd just like to state that I'm not a fan of Flash and I don't much like programming in it. It's just something I've needed to do for a while. While I've always been saying that the language you are programming in does not really matter, after many years of programming in Java, Delphi and Smalltalk, Flash is just unbelievably frustrating at times :( Though good thing it's not as bad as VB/script.
Hi,
I read your article; it was wonderful.
I am trying to implement web services using the Flash API, and tested the cross-domain issues by using the loadpolicy file API.
But I think this is not a good solution to implement the security; we need a generalized one and not one specific to the product, because we cannot ask all the service providers to create a crossdomain.xml file and put that in their server root.
If any one have some other solution to overcome this cross domain issue pl let me..
thanks in advance
anand
Hello,
I wanted exactly what you have mentioned in the article.
I am using so = SharedObject.getRemote("testlog", "rtmp:/./..", "/");
But it is creating this testlog.sor in C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player folder. I wanted it to create it in localhost.
Can you please help me in this?
Thank you
So your local swf file needs to access the same SharedObject when it's run either from the file system or through a webserver on your localhost, right? As I recall, in my tests I found it impossible for movies from other domains to access shared objects in a folder of a different domain, sorry. So, the only way really is to use the root folder of the SharedObject folder. The only problem with that is that any swf can theoretically overwrite your data.
Another idea for how you might be able to get around this problem is to let the localhost swf always do the writing to the SharedObject. However, it requires that there's always a web server running on your localhost, so you can let the swf run on the command line to load another swf from your localhost.
Thanks for the information about locating the .sol file for the PC.
Now what should the getRemote location be for an APPLE running OS 10.x?
Thanks in advance.
lee smith
Posted by: LEE SMITH at July 22, 2004 11:44 AM
Yeah the post was a bit PC biased I know :) Well I don't really have much experience on an Apple, especially OS 10, but considering it's an xNIX derivative, you should be able to just do "locate .sol". Furthermore, I guess that MM would store the files somewhere under the user home, like .flash directory.
Posted by: Alphageek at August 18, 2004 09:33 PM
how to locating the .sol file to the floppy disk???
"how to locating the .sol file to the floppy disk???"
did anyone work this out? i want to store the .sol on a usb pen drive....
thx
graham
Posted by: graham at January 19, 2005 08:29 AM
Sad news: I was using this trick, primarily to enable a standalone version to access the same SO as a browser-based version of the same application. No longer in Flash 8 (the beta Flash 8 Player). I had to rewrite all of my code back to the LSO. Next, I'm gonna check out what I might be able to do using localConnect to pass the values from one to the other. Even if I can get that to work, it won't be as slick as this neat little RSO trick was.
Posted by: John Lemon at August 17, 2005 09:51 PM
Doesn't work anymore with Flash Player 8 beta :-(
Posted by: pemoke at August 25, 2005 10:27 PM
Which was quite as expected... After all, it was probably a bug rather than a feature. Oh well, there'll be new security holes. Keep hacking!
Posted by: Alphageek at September 13, 2005 09:52 PM
I want to use getRemote in Flash 8 for a specific shared object. Can anyone please tell me how to do it?
Ankur Arora
Posted by: Ankur Arora at September 14, 2005 05:53 AM