Hossy
asked on
Embedded Flash Show White Box When Viewing Over SSL
On my site, I have the code below (nothing fancy). If I view the site under HTTP, the flash displays. If I view the site under HTTPS, I get a white box where the SWF should show. However, if I browse to the SWF using HTTPS directly, the flash shows.
http://www.hossy.com/
https://www.hossy.com/
http://www.hossy.com/
https://www.hossy.com/
https://www.hossy.com/library/flash/comingsoon.swf
(copy/paste into a new tab)<div class="CoP" id="flash">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
<param name="movie" value="library/flash/comingsoon.swf">
<param name="quality" value="high">
<embed src="library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
</object>
</div>
i had the same issue when attempting to use an image hosted on my website for my paypal secure page... my solution was to host my image on a host with an ssl security certificate installed... i used sslpic.com ... you might need to do something similar with your swf, or get an SSL certificate for your website
ASKER
I have an ssl cert installed, it's just self-signed
I've added the exception in my browser
I've added the exception in my browser
Does it make a difference when embedding it, than rather to write the relative URL, to write the complete URL in? Sadly, I haven't had a chance to work with SSL for any of my sites, so I'm not aware of any "rules" involved regarding embedding assets over secure connections.
Try out the attached code, and if that doesn't work, also try starting the SWF's url with "http://" to see if that is able to load properly.
Is a secure connection really needed on the front page of the site, or can you use "regular" http for all parts of the site except when logging in (or whatever you need the extra layer of security for).
Try out the attached code, and if that doesn't work, also try starting the SWF's url with "http://" to see if that is able to load properly.
Is a secure connection really needed on the front page of the site, or can you use "regular" http for all parts of the site except when logging in (or whatever you need the extra layer of security for).
<div class="CoP" id="flash">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
<param name="movie" value="https://www.hossy.com/library/flash/comingsoon.swf">
<param name="quality" value="high">
<embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
</object>
</div>
I just thought of something, are you loading in any external images from inside of the SWF via ActionScript? There may be some "security conflicts" there.
ASKER
I wrote the SWF five years ago. I don't believe it is calling anything outside the SWF.
Also, I can't use the full URL because the site also does HTTP. The relative URL is so it's portable easily.
Also, I can't use the full URL because the site also does HTTP. The relative URL is so it's portable easily.
Ah, right... But could you use regular HTTP in the embed, and send the SWF over "unencrypted", even when using a secure connection? Or just try seeing if writing in the full URL works when in HTTPS, even if you don't keep the changes permanently.
I would recommend at least trying to mess around with the embed options a bit, as I'm pretty sure that is where the problem lies. If you right click the box, you will see that Flash Player has started up, but it is unable to load in your SWF.
I would recommend at least trying to mess around with the embed options a bit, as I'm pretty sure that is where the problem lies. If you right click the box, you will see that Flash Player has started up, but it is unable to load in your SWF.
ASKER
Sorry for the delay in my response, I honestly thought I'd already replied...
Here are the results of my tests:
I created two more versions of index.htm (index-http.htm and index-https.htm)
http://www.hossy.com/index-http.htm: works
http://www.hossy.com/index-https.htm: doesn't works
https://www.hossy.com/index-http.htm: works
https://www.hossy.com/index-https.htm: doesn't work
Again, I don't want to mix unencrypted data with encrypted data. This is just for illustration and troubleshooting.
Here are the results of my tests:
I created two more versions of index.htm (index-http.htm and index-https.htm)
http://www.hossy.com/index-http.htm: works
http://www.hossy.com/index-https.htm: doesn't works
https://www.hossy.com/index-http.htm: works
https://www.hossy.com/index-https.htm: doesn't work
Again, I don't want to mix unencrypted data with encrypted data. This is just for illustration and troubleshooting.
ASKER
Code attachment got lost...
index-http.htm:
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
<param name="movie" value="library/flash/comingsoon.swf">
<param name="quality" value="high">
<embed src="http://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
</object>
index-https.htm:
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">
<param name="movie" value="library/flash/comingsoon.swf">
<param name="quality" value="high">
<embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>
</object>
Now why didn't I think of that? :P
You could even have it tell which one to use inside of PHP, automatically detecting if you are currently using HTTP or HTTPS and embedding it with the correct link depending on that.
You could even have it tell which one to use inside of PHP, automatically detecting if you are currently using HTTP or HTTPS and embedding it with the correct link depending on that.
Oh, sorry. Now I see what you mean.
As I may have said before, I'm no expert on SSL at all. But I'm going to take a guess that perhaps the nature of SSL forbids you to embed the secured data into a page. Instead, you are only allowed to access HTTPS pages or objects when specifically browsing to them? That would explain why this is happening at least.
Does the SWF you are loading contain any sensitive data that really must be sent over encrypted? Even if the SWF is sent over encrypted, if you have any forms inside of the SWF, they will NOT send data to the server in encrypted format unless specified within the actual AS code.
As I may have said before, I'm no expert on SSL at all. But I'm going to take a guess that perhaps the nature of SSL forbids you to embed the secured data into a page. Instead, you are only allowed to access HTTPS pages or objects when specifically browsing to them? That would explain why this is happening at least.
Does the SWF you are loading contain any sensitive data that really must be sent over encrypted? Even if the SWF is sent over encrypted, if you have any forms inside of the SWF, they will NOT send data to the server in encrypted format unless specified within the actual AS code.
ASKER
No, the SWF is really just an animation. The problem is, no matter what, I can't get the SWF to be viewed when viewing the site over SSL -- whether unencrypted or encrypted.
It seems like the "index-http.htm" page is working just fine for me both in HTTP and HTTPS.
Or are you still trying to get relative URLs working rather than absolute?
Or are you still trying to get relative URLs working rather than absolute?
ASKER
Yes, -http works with both HTTP and HTTPS, but only because the HTTPS site is loading the SWF over unsecure and with an absolute URL. I'm trying to get relative URLs to work. If browsing the site over SSL, the SWF should be sent over SSL too.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
For those interested, the regex done by cPanel is technically incorrect. I simplified and corrected the regex to be:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy .com(?:/.* )?$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp| swf)$ http://www.hossy.com/ [R,NC
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|
ASKER
oops...
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy .com(?:/.* )?$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp| swf)$ http://www.hossy.com/ [R,NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|
ASKER
or...
RewriteCond %{HTTP_REFERER} !^(?:https?://(?:www\.)?ho ssy.com(?: /.*)?)?$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp| swf)$ http://www.hossy.com/ [R,NC]
RewriteCond %{HTTP_REFERER} !^(?:https?://(?:www\.)?ho
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|