Embedded Flash Show White Box When Viewing Over SSL

On my site, I have the code below (nothing fancy).  If I view the site under HTTP, the flash displays.  If I view the site under HTTPS, I get a white box where the SWF should show.  However, if I browse to the SWF using HTTPS directly, the flash shows.

http://www.hossy.com/
https://www.hossy.com/
https://www.hossy.com/library/flash/comingsoon.swf

Open in new window

(copy/paste into a new tab)

<div class="CoP" id="flash">

	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

		<param name="movie" value="library/flash/comingsoon.swf">

		<param name="quality" value="high">

		<embed src="library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

	</object>

</div>

Open in new window

LVL 2
HossyAsked:
Who is Participating?
 
HossyConnect With a Mentor Author Commented:
Ok, I got it working.  Here was the problem and solution:

The server runs cPanel and cPanel's content protection system creates a .htaccess file as follows (only a portion shown):

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.hossy.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]

I changed it to this and now it works:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://hossy.com$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https?://www.hossy.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ https?://www.hossy.com/ [R,NC]
0
 
truromeo4julietCommented:
i had the same issue when attempting to use an image hosted on my website for my paypal secure page... my solution was to host my image on a host with an ssl security certificate installed... i used sslpic.com ... you might need to do something similar with your swf, or get an SSL certificate for your website
0
 
HossyAuthor Commented:
I have an ssl cert installed, it's just self-signed

I've added the exception in my browser
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
IqAndreasCommented:
Does it make a difference when embedding it, than rather to write the relative URL, to write the complete URL in? Sadly, I haven't had a chance to work with SSL for any of my sites, so I'm not aware of any "rules" involved regarding embedding assets over secure connections.

Try out the attached code, and if that doesn't work, also try starting the SWF's url with "http://" to see if that is able to load properly.

Is a secure connection really needed on the front page of the site, or can you use "regular" http for all parts of the site except when logging in (or whatever you need the extra layer of security for).
<div class="CoP" id="flash">

	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

		<param name="movie" value="https://www.hossy.com/library/flash/comingsoon.swf">

		<param name="quality" value="high">

		<embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

	</object>

</div>

Open in new window

0
 
IqAndreasCommented:
I just thought of something, are you loading in any external images from inside of the SWF via ActionScript? There may be some "security conflicts" there.
0
 
HossyAuthor Commented:
I wrote the SWF five years ago.  I don't believe it is calling anything outside the SWF.

Also, I can't use the full URL because the site also does HTTP.  The relative URL is so it's portable easily.
0
 
IqAndreasCommented:
Ah, right... But could you use regular HTTP in the embed, and send the SWF over "unencrypted", even when using a secure connection? Or just try seeing if writing in the full URL works when in HTTPS, even if you don't keep the changes permanently.

I would recommend at least trying to mess around with the embed options a bit, as I'm pretty sure that is where the problem lies. If you right click the box, you will see that Flash Player has started up, but it is unable to load in your SWF.
0
 
HossyAuthor Commented:
Sorry for the delay in my response, I honestly thought I'd already replied...

Here are the results of my tests:

I created two more versions of index.htm (index-http.htm and index-https.htm)

http://www.hossy.com/index-http.htm: works
http://www.hossy.com/index-https.htm: doesn't works
https://www.hossy.com/index-http.htm: works
https://www.hossy.com/index-https.htm: doesn't work

Again, I don't want to mix unencrypted data with encrypted data.  This is just for illustration and troubleshooting.
0
 
HossyAuthor Commented:
Code attachment got lost...
index-http.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

                <param name="movie" value="library/flash/comingsoon.swf">

                <param name="quality" value="high">

                <embed src="http://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

        </object>

index-https.htm:
        <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="550" height="400">

                <param name="movie" value="library/flash/comingsoon.swf">

                <param name="quality" value="high">

                <embed src="https://www.hossy.com/library/flash/comingsoon.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="550" height="400"></embed>

        </object>

Open in new window

0
 
IqAndreasCommented:
Now why didn't I think of that? :P

You could even have it tell which one to use inside of PHP, automatically detecting if you are currently using HTTP or HTTPS and embedding it with the correct link depending on that.
0
 
IqAndreasCommented:
Oh, sorry. Now I see what you mean.

As I may have said before, I'm no expert on SSL at all. But I'm going to take a guess that perhaps the nature of SSL forbids you to embed the secured data into a page. Instead, you are only allowed to access HTTPS pages or objects when specifically browsing to them? That would explain why this is happening at least.

Does the SWF you are loading contain any sensitive data that really must be sent over encrypted? Even if the SWF is sent over encrypted, if you have any forms inside of the SWF, they will NOT send data to the server in encrypted format unless specified within the actual AS code.
0
 
HossyAuthor Commented:
No, the SWF is really just an animation.  The problem is, no matter what, I can't get the SWF to be viewed when viewing the site over SSL -- whether unencrypted or encrypted.
0
 
IqAndreasCommented:
It seems like the "index-http.htm" page is working just fine for me both in HTTP and HTTPS.

Or are you still trying to get relative URLs working rather than absolute?
0
 
HossyAuthor Commented:
Yes, -http works with both HTTP and HTTPS, but only because the HTTPS site is loading the SWF over unsecure and with an absolute URL.  I'm trying to get relative URLs to work.  If browsing the site over SSL, the SWF should be sent over SSL too.
0
 
HossyAuthor Commented:
For those interested, the regex done by cPanel is technically incorrect.  I simplified and corrected the regex to be:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC
0
 
HossyAuthor Commented:
oops...

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?hossy.com(?:/.*)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0
 
HossyAuthor Commented:
or...

RewriteCond %{HTTP_REFERER} !^(?:https?://(?:www\.)?hossy.com(?:/.*)?)?$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.hossy.com/ [R,NC]
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.