Solved

Embedded Flash Show White Box When Viewing Over SSL

Posted on 2010-08-21
17
782 Views
Last Modified: 2013-12-25
On my site, I have the code below (nothing fancy).  If I view the site under HTTP, the flash displays.  If I view the site under HTTPS, I get a white box where the SWF should show.  However, if I browse to the SWF using HTTPS directly, the flash shows.

http://www.hossy.com/
https://www.hossy.com/
https://www.hossy.com/library/flash/comingsoon.swf

(copy/paste into a new tab)

<div class="CoP" id="flash">
	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
		<param name="movie" value="library/flash/comingsoon.swf">
		<param name="quality" value="high">
		<embed src="library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
	</object>
</div>

0
Question by:Hossy
17 Comments
 
LVL 5

Expert Comment

by:truromeo4juliet
ID: 33492688
I had the same issue when attempting to use an image hosted on my website for my PayPal secure page... My solution was to host my image on a host with an SSL security certificate installed... I used sslpic.com ... You might need to do something similar with your SWF, or get an SSL certificate for your website.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33492963
I have an ssl cert installed, it's just self-signed

I've added the exception in my browser
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493663
Does it make a difference if, when embedding it, you write the complete URL rather than the relative URL? Sadly, I haven't had a chance to work with SSL for any of my sites, so I'm not aware of any "rules" involved regarding embedding assets over secure connections.

Try out the attached code, and if that doesn't work, also try starting the SWF's URL with "http://" to see if that is able to load properly.

Is a secure connection really needed on the front page of the site, or can you use "regular" http for all parts of the site except when logging in (or whatever you need the extra layer of security for)?

<div class="CoP" id="flash">
	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
		<param name="movie" value="https://www.hossy.com/library/flash/comingsoon.swf">
		<param name="quality" value="high">
		<embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
	</object>
</div>

0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493669
I just thought of something, are you loading in any external images from inside of the SWF via ActionScript? There may be some "security conflicts" there.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33493692
I wrote the SWF five years ago.  I don't believe it is calling anything outside the SWF.

Also, I can't use the full URL because the site also does HTTP.  The relative URL is so it's portable easily.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493724
Ah, right... But could you use regular HTTP in the embed, and send the SWF over "unencrypted", even when using a secure connection? Or just try seeing if writing in the full URL works when in HTTPS, even if you don't keep the changes permanently.

I would recommend at least trying to mess around with the embed options a bit, as I'm pretty sure that is where the problem lies. If you right click the box, you will see that Flash Player has started up, but it is unable to load in your SWF.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33607247
Sorry for the delay in my response, I honestly thought I'd already replied...

Here are the results of my tests:

I created two more versions of index.htm (index-http.htm and index-https.htm)

http://www.hossy.com/index-http.htm: works
http://www.hossy.com/index-https.htm: doesn't work
https://www.hossy.com/index-http.htm: works
https://www.hossy.com/index-https.htm: doesn't work

Again, I don't want to mix unencrypted data with encrypted data.  This is just for illustration and troubleshooting.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33607252
Code attachment got lost...
index-http.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
                <param name="movie" value="library/flash/comingsoon.swf">
                <param name="quality" value="high">
                <embed src="http://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
        </object>

index-https.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
                <param name="movie" value="library/flash/comingsoon.swf">
                <param name="quality" value="high">
                <embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
        </object>

0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33609998
Now why didn't I think of that? :P

You could even have it tell which one to use inside of PHP, automatically detecting if you are currently using HTTP or HTTPS and embedding it with the correct link depending on that.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33610048
Oh, sorry. Now I see what you mean.

As I may have said before, I'm no expert on SSL at all. But I'm going to take a guess that perhaps the nature of SSL forbids you to embed the secured data into a page. Instead, you are only allowed to access HTTPS pages or objects when specifically browsing to them? That would explain why this is happening at least.

Does the SWF you are loading contain any sensitive data that really must be sent over encrypted? Even if the SWF is sent over encrypted, if you have any forms inside of the SWF, they will NOT send data to the server in encrypted format unless specified within the actual AS code.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33612007
No, the SWF is really just an animation.  The problem is, no matter what, I can't get the SWF to be viewed when viewing the site over SSL -- whether unencrypted or encrypted.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33613561
It seems like the "index-http.htm" page is working just fine for me both in HTTP and HTTPS.

Or are you still trying to get relative URLs working rather than absolute?
0
 
LVL 2

Author Comment

by:Hossy
ID: 33637936
Yes, -http works with both HTTP and HTTPS, but only because the HTTPS site is loading the SWF over unsecure and with an absolute URL.  I'm trying to get relative URLs to work.  If browsing the site over SSL, the SWF should be sent over SSL too.
0
 
LVL 2

Accepted Solution

by:
Hossy earned 0 total points
ID: 33638150
Ok, I got it working.  Here was the problem and solution:

The server runs cPanel and cPanel's content protection system creates a .htaccess file as follows (only a portion shown):

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]

I changed it to this and now it works:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com$      [NC]
# The substitution is a literal URL, not a regex, so it cannot contain "https?"
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638296
For those interested, the regex done by cPanel is technically incorrect.  I simplified and corrected the regex to be:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638304
oops...

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638406
or...

RewriteCond %{HTTP_REFERER} !^(?:https?://(?:www\.)?hossy.com(?:/.*)?)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0
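
Added example (not part of the original thread, and not cPanel's code): the hotlink-protection conditions from the accepted solution, replayed in Python against constructed Referer values. It shows why the original rule set redirected the SWF request made from the HTTPS page while direct browsing, which sends no Referer, still worked, and what the unescaped dot in hossy.com continues to accept. The ESCAPED pattern, the sample Referers and the function names are assumptions introduced here, and Python's re module stands in for Apache's regex matching.

```python
import re

# Each string mirrors one "RewriteCond %{HTTP_REFERER} !pattern [NC]" line.
# The RewriteRule fires only when every negated condition holds, i.e. when
# none of the patterns matches the Referer header.
CPANEL_ORIGINAL = [
    r"^$",
    r"^http://hossy.com/.*$",
    r"^http://hossy.com$",
    r"^http://www.hossy.com/.*$",
    r"^http://www.hossy.com$",
]
THREAD_FINAL = [r"^(?:https?://(?:www\.)?hossy.com(?:/.*)?)?$"]
# Assumption (not from the thread): the same pattern with every dot escaped.
ESCAPED = [r"^(?:https?://(?:www\.)?hossy\.com(?:/.*)?)?$"]

# Pattern of the RewriteRule itself: which request paths are protected.
PROTECTED = re.compile(r".*\.(jpg|jpeg|gif|png|bmp|swf)$", re.IGNORECASE)

SWF = "library/flash/comingsoon.swf"

# Constructed Referer values, not taken from real logs.
SAMPLES = [
    "",                                    # URL typed directly: no Referer
    "http://www.hossy.com/",               # page viewed over HTTP
    "https://www.hossy.com/",              # page viewed over HTTPS
    "https://www.hossyxcom/",              # another character where the dot is
    "https://www.hossy.com.example.net/",  # allowed name used only as a prefix
]


def is_redirected(path, referer, conditions):
    """Return True when the rule would redirect this request to the home page."""
    if not PROTECTED.search(path):
        return False
    return not any(re.search(p, referer, re.IGNORECASE) for p in conditions)


def report():
    """Evaluate every sample Referer against the three rule sets."""
    rule_sets = (CPANEL_ORIGINAL, THREAD_FINAL, ESCAPED)
    return [(ref, [is_redirected(SWF, ref, rs) for rs in rule_sets])
            for ref in SAMPLES]


if __name__ == "__main__":
    print(f"{'Referer':40} original  final  escaped")
    for ref, (orig, final, esc) in report():
        print(f"{ref or '(none)':40} {orig!s:9} {final!s:6} {esc}")
```

A True in the output means the request for the SWF is answered with a redirect to the home page instead of the file, which the Flash plugin renders as an empty box.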

Question has a verified solution.
