Solved

Embedded Flash Show White Box When Viewing Over SSL

Posted on 2010-08-21
17
762 Views
Last Modified: 2013-12-25
On my site, I have the code below (nothing fancy).  If I view the site under HTTP, the flash displays.  If I view the site under HTTPS, I get a white box where the SWF should show.  However, if I browse to the SWF using HTTPS directly, the flash shows.

http://www.hossy.com/
https://www.hossy.com/
https://www.hossy.com/library/flash/comingsoon.swf

Open in new window

(copy/paste into a new tab)

<div class="CoP" id="flash">

	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

		<param name="movie" value="library/flash/comingsoon.swf">

		<param name="quality" value="high">

		<embed src="library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

	</object>

</div>

Open in new window

0
Comment
Question by:Hossy
  • 10
  • 6
17 Comments
 
LVL 5

Expert Comment

by:truromeo4juliet
ID: 33492688
i had the same issue when attempting to use an image hosted on my website for my paypal secure page... my solution was to host my image on a host with an ssl security certificate installed... i used sslpic.com ... you might need to do something similar with your swf, or get an SSL certificate for your website
0
 
LVL 2

Author Comment

by:Hossy
ID: 33492963
I have an ssl cert installed, it's just self-signed

I've added the exception in my browser
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493663
Does it make a difference when embedding it, than rather to write the relative URL, to write the complete URL in? Sadly, I haven't had a chance to work with SSL for any of my sites, so I'm not aware of any "rules" involved regarding embedding assets over secure connections.

Try out the attached code, and if that doesn't work, also try starting the SWF's url with "http://" to see if that is able to load properly.

Is a secure connection really needed on the front page of the site, or can you use "regular" http for all parts of the site except when logging in (or whatever you need the extra layer of security for).
<div class="CoP" id="flash">

	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

		<param name="movie" value="https://www.hossy.com/library/flash/comingsoon.swf">

		<param name="quality" value="high">

		<embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

	</object>

</div>

Open in new window

0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493669
I just thought of something, are you loading in any external images from inside of the SWF via ActionScript? There may be some "security conflicts" there.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33493692
I wrote the SWF five years ago.  I don't believe it is calling anything outside the SWF.

Also, I can't use the full URL because the site also does HTTP.  The relative URL is so it's portable easily.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33493724
Ah, right... But could you use regular HTTP in the embed, and send the SWF over "unencrypted", even when using a secure connection? Or just try seeing if writing in the full URL works when in HTTPS, even if you don't keep the changes permanently.

I would recommend at least trying to mess around with the embed options a bit, as I'm pretty sure that is where the problem lies. If you right click the box, you will see that Flash Player has started up, but it is unable to load in your SWF.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33607247
Sorry for the delay in my response, I honestly thought I'd already replied...

Here are the results of my tests:

I created two more versions of index.htm (index-http.htm and index-https.htm)

http://www.hossy.com/index-http.htm: works
http://www.hossy.com/index-https.htm: doesn't works
https://www.hossy.com/index-http.htm: works
https://www.hossy.com/index-https.htm: doesn't work

Again, I don't want to mix unencrypted data with encrypted data.  This is just for illustration and troubleshooting.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33607252
Code attachment got lost...
index-http.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

                <param name="movie" value="library/flash/comingsoon.swf">

                <param name="quality" value="high">

                <embed src="http://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

        </object>

index-https.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

                <param name="movie" value="library/flash/comingsoon.swf">

                <param name="quality" value="high">

                <embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

        </object>

Open in new window

0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 8

Expert Comment

by:IqAndreas
ID: 33609998
Now why didn't I think of that? :P

You could even have it tell which one to use inside of PHP, automatically detecting if you are currently using HTTP or HTTPS and embedding it with the correct link depending on that.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33610048
Oh, sorry. Now I see what you mean.

As I may have said before, I'm no expert on SSL at all. But I'm going to take a guess that perhaps the nature of SSL forbids you to embed the secured data into a page. Instead, you are only allowed to access HTTPS pages or objects when specifically browsing to them? That would explain why this is happening at least.

Does the SWF you are loading contain any sensitive data that really must be sent over encrypted? Even if the SWF is sent over encrypted, if you have any forms inside of the SWF, they will NOT send data to the server in encrypted format unless specified within the actual AS code.
0
 
LVL 2

Author Comment

by:Hossy
ID: 33612007
No, the SWF is really just an animation.  The problem is, no matter what, I can't get the SWF to be viewed when viewing the site over SSL -- whether unencrypted or encrypted.
0
 
LVL 8

Expert Comment

by:IqAndreas
ID: 33613561
It seems like the "index-http.htm" page is working just fine for me both in HTTP and HTTPS.

Or are you still trying to get relative URLs working rather than absolute?
0
 
LVL 2

Author Comment

by:Hossy
ID: 33637936
Yes, -http works with both HTTP and HTTPS, but only because the HTTPS site is loading the SWF over unsecure and with an absolute URL.  I'm trying to get relative URLs to work.  If browsing the site over SSL, the SWF should be sent over SSL too.
0
 
LVL 2

Accepted Solution

by:
Hossy earned 0 total points
ID: 33638150
Ok, I got it working.  Here was the problem and solution:

The server runs cPanel and cPanel's content protection system creates a .htaccess file as follows (only a portion shown):

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]

I changed it to this and now it works:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ https?://www.hossy.com/ [R,NC]
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638296
For those interested, the regex done by cPanel is technically incorrect.  I simplified and corrected the regex to be:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638304
oops...

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0
 
LVL 2

Author Comment

by:Hossy
ID: 33638406
or...

RewriteCond %{HTTP_REFERER} !^(?:https?://(?:www\.)?hossy.com(?:/.*)?)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Using SQL Scripts we can save all the SQL queries as files that we use very frequently on our database later point of time. This is one of the feature present under SQL Workshop in Oracle Application Express.
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
The viewer will learn how to count occurrences of each item in an array.
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now