Solved

Embedded Flash Show White Box When Viewing Over SSL

Posted on 2010-08-21
17
759 Views
Last Modified: 2013-12-25
On my site, I have the code below (nothing fancy).  If I view the site under HTTP, the flash displays.  If I view the site under HTTPS, I get a white box where the SWF should show.  However, if I browse to the SWF using HTTPS directly, the flash shows.

http://www.hossy.com/
https://www.hossy.com/
https://www.hossy.com/library/flash/comingsoon.swf

Open in new window

(copy/paste into a new tab)

<div class="CoP" id="flash">

	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

		<param name="movie" value="library/flash/comingsoon.swf">

		<param name="quality" value="high">

		<embed src="library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

	</object>

</div>

Open in new window

0
Comment
Question by:Hossy
  • 10
  • 6
17 Comments
 
LVL 5

Expert Comment

by:truromeo4juliet
ID: 33492688
i had the same issue when attempting to use an image hosted on my website for my paypal secure page... my solution was to host my image on a host with an ssl security certificate installed... i used sslpic.com ... you might need to do something similar with your swf, or get an SSL certificate for your website
0
 
LVL 2

Author Comment

by:Hossy
ID: 33492963
I have an ssl cert installed, it's just self-signed

I've added the exception in my browser
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493663
Does it make a difference when embedding it, than rather to write the relative URL, to write the complete URL in? Sadly, I haven't had a chance to work with SSL for any of my sites, so I'm not aware of any "rules" involved regarding embedding assets over secure connections.

Try out the attached code, and if that doesn't work, also try starting the SWF's url with "http://" to see if that is able to load properly.

Is a secure connection really needed on the front page of the site, or can you use "regular" http for all parts of the site except when logging in (or whatever you need the extra layer of security for).
<div class="CoP" id="flash">

	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

		<param name="movie" value="https://www.hossy.com/library/flash/comingsoon.swf">

		<param name="quality" value="high">

		<embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

	</object>

</div>

Open in new window

0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493669
I just thought of something, are you loading in any external images from inside of the SWF via ActionScript? There may be some "security conflicts" there.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33493692
I wrote the SWF five years ago.  I don't believe it is calling anything outside the SWF.

Also, I can't use the full URL because the site also does HTTP.  The relative URL is so it's portable easily.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493724
Ah, right... But could you use regular HTTP in the embed, and send the SWF over "unencrypted", even when using a secure connection? Or just try seeing if writing in the full URL works when in HTTPS, even if you don't keep the changes permanently.

I would recommend at least trying to mess around with the embed options a bit, as I'm pretty sure that is where the problem lies. If you right click the box, you will see that Flash Player has started up, but it is unable to load in your SWF.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33607247
Sorry for the delay in my response, I honestly thought I'd already replied...

Here are the results of my tests:

I created two more versions of index.htm (index-http.htm and index-https.htm)

http://www.hossy.com/index-http.htm: works
http://www.hossy.com/index-https.htm: doesn't works
https://www.hossy.com/index-http.htm: works
https://www.hossy.com/index-https.htm: doesn't work

Again, I don't want to mix unencrypted data with encrypted data.  This is just for illustration and troubleshooting.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33607252
Code attachment got lost...
index-http.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

                <param name="movie" value="library/flash/comingsoon.swf">

                <param name="quality" value="high">

                <embed src="http://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

        </object>

index-https.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

                <param name="movie" value="library/flash/comingsoon.swf">

                <param name="quality" value="high">

                <embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

        </object>

Open in new window

0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 8

Expert Comment

by:IqAndreas
ID: 33609998
Now why didn't I think of that? :P

You could even have it tell which one to use inside of PHP, automatically detecting if you are currently using HTTP or HTTPS and embedding it with the correct link depending on that.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33610048
Oh, sorry. Now I see what you mean.

As I may have said before, I'm no expert on SSL at all. But I'm going to take a guess that perhaps the nature of SSL forbids you to embed the secured data into a page. Instead, you are only allowed to access HTTPS pages or objects when specifically browsing to them? That would explain why this is happening at least.

Does the SWF you are loading contain any sensitive data that really must be sent over encrypted? Even if the SWF is sent over encrypted, if you have any forms inside of the SWF, they will NOT send data to the server in encrypted format unless specified within the actual AS code.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33612007
No, the SWF is really just an animation.  The problem is, no matter what, I can't get the SWF to be viewed when viewing the site over SSL -- whether unencrypted or encrypted.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33613561
It seems like the "index-http.htm" page is working just fine for me both in HTTP and HTTPS.

Or are you still trying to get relative URLs working rather than absolute?
0
 
LVL 2

Author Comment

by:Hossy
ID: 33637936
Yes, -http works with both HTTP and HTTPS, but only because the HTTPS site is loading the SWF over unsecure and with an absolute URL.  I'm trying to get relative URLs to work.  If browsing the site over SSL, the SWF should be sent over SSL too.
0
 
LVL 2

Accepted Solution

by:
Hossy earned 0 total points
ID: 33638150
Ok, I got it working.  Here was the problem and solution:

The server runs cPanel and cPanel's content protection system creates a .htaccess file as follows (only a portion shown):

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]

I changed it to this and now it works:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ https?://www.hossy.com/ [R,NC]
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638296
For those interested, the regex done by cPanel is technically incorrect.  I simplified and corrected the regex to be:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638304
oops...

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638406
or...

RewriteCond %{HTTP_REFERER} !^(?:https?://(?:www\.)?hossy.com(?:/.*)?)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

The last time I worked with Flash and Socket connections was in AS1. A recent project required flash connecting to a Socket, and sending receiving information - we figured it would be easy enough - we all know about the socket policy documents and c…
Although it can be difficult to imagine, someday your child will have a career of his or her own. He or she will likely start a family, buy a home and start having their own children. So, while being a kid is still extremely important, it’s also …
In this tutorial viewers will learn how to create a basic shape tween animation in Flash including shape hints for smooth animation Open a new document in Flash: Draw a shape: Select another frame (how long you want the tween to be): Right click and…
The goal of the tutorial is to teach the user how to how to record live broadcast.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now