Menu
I've been reading about the security restrictions for file uploads in Flash Player 10. According to the FileReference docs for upload(), the upload does not have to be triggered by a user-initiated action (the browse() does, but that's another story). If it did, that would force an awkward user experience for multi-file uploads, since only one upload can occur at once -- so the user would have to click (or press a button) once per file to initiate the upload, but only when the previous file had finished uploading.
The documentation for URLLoader.load(), on the other hand, states:
In Flash Player 10 and later, if you use a multipart Content-Type (for example "multipart/form-data") that contains an upload (indicated by a "filename" parameter in a "content-disposition" header within the POST body), the POST operation is subject to the security rules applied to uploads:
The POST operation must be performed in response to a user-initiated action, such as a mouse click or key press.
This Flash Security article corroborates the URLLoader documentation (see the "POST APIs" section).
The original whitepaper, however, does not state this -- only that a FileReference browse must be in response to a user-initiated action, not the (potentially URLLoader-driven) upload itself:
When a SWF file uses the FileReference.browse() and FileReference.upload() methods to upload a file to a server, Flash Player enforces two security rules:
- FileReference.browse() must be called from within a user-event handler (mouse or keyboard event).
[...]
Flash Player enforces these same rules any time a networking API is called to perform a POST that appears to the server to contain an upload.
As far as I can tell from actual use of the URLLoader API to upload a file, the uploads indeed don't need to come from a user-initiated action; but, is this because I'm using a debug version of the player, or because the documentation is wrong? (Or something else?)
TL;DR: The documentation contains conflicting information, and I don't trust my field tests (in the face of docs that say they shouldn't work). Can URLLoader be used to upload a file without user interaction? Or only FileReference? (That would kill most file pre-processing possibilities, which is what I happen to be interested in doing!)
805
You doesn't got errors, because you are running in debug. Got the same problem while working on my speedtest project.
So for the questions:
FileReference can't upload files without user interaction.
URLLoader can't upload files without user interaction if you are using POST, multipart/form-data and filename properties.
You can upload files with URLLoader if you are using content-type like application/octet-stream and putting the file body encoded (for example in base64) in you post request. That means, if you are using PHP, so you will work not with the $_FILES, but with the $_POST array, to get your file.
Working in debug mode on local machine, won't trigger the URLLoader restriction error.
52
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
