I'm working on a web-based Flash application for a client which loads an external file from the same directory it is located in on the server. I use a URLRequest to load the file:
loader.load(new URLRequest("Config.xml));
Right now the Config.xml file uses chmod 644, which gives it public read access. However, the client would like to protect the configuration file so that it can't be downloaded by third-parties.
I'm thinking that it won't be possible to hide the file by removing public read permission (chmod 640) because then the Flash document, which is executed client-side, will be unable to read it. My tests seem to confirm this. Is there any way for a Flash app on the web to read a file from the server without exposing it to the public?
As others have already said, you can't do this. For the SWF to be able to load the file from the client-side it must be public.
A possible solution that might be good enough for your client is to embed the XML file contents in your HTML on the server side, for example as FlashVars or JavaScript output, then the SWF does not need to load the XML file directly and you don't need to make the file public.
For example:
Server-side PHP:
<?php
$xml = file_get_contents("Config.XML");
$encodedXml = rawurlencode($xml);
?>
<object type="application/x-shockwave-flash" data="my-flash.swf" width="550" height="400">
<param name="movie" value="my-flash.swf" />
<param name="FlashVars" value="config=<? echo $encodedXml ?>"/>
</object>
Client-side AS3:
var xml:XML = XML(stage.loaderInfo.parameters.config);
Of course someone could look at your HTML source and decode the XML themself, but any way you get the XML content into your SWF will expose that possibility, to varying levels of difficulty. You could make the encoding more obfuscated (url encoding is easy to spot) or encrypted to make it harder to find.
No. Flash is using a regular HTTP request to load the config file, so of course it can't get the file if it's not publicly-accessible.
What you could do is require authentication for the config file and include credentials in your URLRequest declaration. However, this still suffers from the weakness of someone sniffing the traffic to discover the authentication, and then running that request again with another tool.
Ultimately, you can't have it both ways: Either your config is accessible and insecure, or it's secure but unusable.
The short answer :
No, you can not do that.
The long answer :
No, you can not do that because, as you already know, Flash Player is a client-side technology, so it's exactly the same as a browser, and any file loaded by your SWF is accessible and visible for absolutely any person who has access to that SWF file, also forget about files access permissions which didn't has any effect in this situation.
Note here that you can use some encryption system to encrypt the content of that file and your SWF will decrypt it, but the problem here, is that you have also to encrypt your SWF file which, to my knowledge, is not a very reliable technique because SWF decompilers are really very efficient nowadays ...
...
Hope that can help.
A client side app (Flash or other) cannot read or load by itself any files from a server even from the server it's coming from. When it loads a public xml file, it makes a request for it and if the file has the right permission and the server knows how to serve that file, the request is granted and the file is served. This is very much so a server side operation so you can know see that when you say: "Flash runs client-side, so how would I take any advantage of a server-side solution?" this is a clear misunderstanding of how things work on client side and server side because if you do load a xml file then you do take advantage of a server side solution. Now this being said, how to do it when the file permission if turned of.
It is common to not allow access to files or directories on a server, in that case a client side cannot be granted access to those directly. So this is when you need to use a serve side technology to serve those files. Serve side technology like for example PHP can access all files on the server and make copy of them or change temporarily their permission etc ...
You can serve to your client side those forbidden files by simply writing a serve side script that would serve the file to you depending on some criteria you define (or none). The server side can change the permission allowing you to download it and then change it back, or it can copy the file and put it in a public accessible place and then delete it. You can also change the extension of your xml (to .whatever for example) and not provide a mimetype for it, even though the file is public the server won't be able to serve it, you can then make you serve side script change its extension for you on a per need basis. There's just hundreds of ways to do it including web services and even AMF and all that while the needed file is not publicly accessible. But yes you have to write server side scripts which is a VERY COMMON way to serve files to client side.
I just wonder if i can put a .doc or .txt files in the html instead of placing too much code in showing the data. I think that should be some method but i m not sure about it
You can put a direct URL to a .doc or .txt file on your server without even using HTML if that's most convenient. A browser will typically display .txt files right in the browser itself. A .doc file would likely be offered to store on disk so you can use a program like Word to view it.
If you are talking about embedding data into an existing HTML page there are ways to do so but it would require knowing more about your server. Are you using PHP to respond to requests?
You can use a number of methods to acheive this. Most commonly used are php includes if the server is capable of executing php scripts. Javascript is also commonly used and there are many examples of how to do this. This could also be achieved using SSI (server side include) but this method is not commonly used and requires renaming the file with .shtml extension
Hope this helps.
I want to make a program that prepares an HTML file. It would either be on the server side or just running in my local machine.
I think it would be nice to be able to use the dart:html library since it has a lot of methods for manipulating html (obviously). But it is thought to be used dynamically on the client side, and I want to use it like this: manipulate an html DOM tree with dart:html, and when its ready, write a static html file. For instance using query('body').innerHtml
The problem I'm running into is that I if start a project with the "console application" template, I am not able to make dart:html talk to an html file. And if I choose "web application", in which I am able to do this, I cannot load the dart:io library, maybe it has to do with it being tagged as [server] in the SDK?
Of course I could just do:
print(query('body').innerHtml);
and manually copying the output to a file, but I thought maybe there is a more elegant solution.
See html5lib.
html5lib in Pure Dart
This is a pure Dart html5 parser. It's a port of
html5lib from Python. Since it's 100% Dart you can use it safely from
a script or server side app.
Eventually the parse tree API will be compatible with dart:html, so
the same code will work on the client or the server.
It doesn't support much in the way of queries yet.
I recently started using Flash Builder for the first time after developing C++ and C# for a long time.
I am using a FileReference object to upload a file to a server using its upload method. However, on the server-side, I need to receive a X-File-Name header. How can I control which headers are sent through the Flash object in Flex/ActionScript?
I couldn't find any resources about this anywhere. Is it possible?
I am afraid you cannot. The FileReference object is provided out—of—the—box and is not that much configurable.
But you can load the file, create your own sockets and reimplement the protocol with your needs (this is feasable if you don't need a lot of features).
Here is an example of how it works : http://googolflex.com/?p=367
I want to read xml data to a mxml application from a xml file on my filesystem. The example I found was for AIR,link2, link3. But I want to target the Flash Player runtime.
If I use the the tag, I can do it; however the xml compiles into my swf. How can I retain the xml file in my release build?
You can use UrlLoader to load the external xml at runtime. You may need to delay the loading of your app components until the xml has been loaded (depending on the details of your application.)
You need to use the mx:HTTPService tag , as referenced in the link you've provided