Vote against new Flash Player security measures!
On November 18, 2008, Flash, Flex - 5 Comments
Not too long ago, Adobe launched Flash Player 10. Hooray, party! But not everything is well in this new Flash Player. I believe this is the first Flash Player which actually breaks old Flash apps. This is because Adobe tightened the security even further with this new version. Now, I am aware that security is necessary for a plugin like Flash. But there’s one measure I can’t figure out.
Any browse or save as dialog can only be triggered by user input (keyboard or mouse click). And this makes sense, you don’t want an ad to pop up thousands of ‘browse’ windows. But I cannot see why this same security measure is taken for doing a multipart request. Why should user interaction be needed to upload, say, a bytearray to the server? This bytearray could easily be generated from a bitmap(data), so no browse for file window is needed.
This error came up in an application which displays a small photo. The user can upload a photo to the server. This server is somehow not capable of resizing images, so the uploaded image is downloaded to Flash again, resized in Flash and sent as a bytearray to the server again.
This worked perfectly in FP < 10, but now, there has to be some interaction to do the second upload. We worked around this by having a small popup asking the user if the uploaded picture is the correct one. Works also, but it’s just a work-around, not a solution.
I talked about this issue with James Ward of Adobe, and he also didn’t see why this security measure has been taken. So, I’ve created a feature request in the bug system of Adobe, located at https://bugs.adobe.com/jira/browse/FP-978. Please vote if you think this is a ridiculous security measure and should be removed!
Thanks!
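The confirmation-popup workaround described above, as an added example that is not code from the original post: the multipart upload of the resized image is started only from inside the click handler of the "is this the correct picture?" button, so Flash Player 10 treats it as user-initiated. The class name, endpoint URL, boundary string and field name are hypothetical, and the Flex SDK's `PNGEncoder` is assumed to be available.

```actionscript
package {
    import flash.display.BitmapData;
    import flash.display.Sprite;
    import flash.events.IOErrorEvent;
    import flash.events.MouseEvent;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.net.URLRequestMethod;
    import flash.utils.ByteArray;
    import mx.graphics.codec.PNGEncoder;

    // Hypothetical helper: ties the second (resized) upload to a real click.
    public class ConfirmedUpload {
        // Placeholder endpoint and constructed boundary, not values from the post.
        private static const UPLOAD_URL:String = "https://example.invalid/upload";
        private static const BOUNDARY:String = "----ExampleBoundary0001";

        private var resized:BitmapData;
        // Kept as a field so the loader is not garbage-collected mid-request.
        private var loader:URLLoader = new URLLoader();

        public function ConfirmedUpload(resized:BitmapData, confirmButton:Sprite) {
            this.resized = resized;
            loader.addEventListener(IOErrorEvent.IO_ERROR, onIoError);
            // The upload is wired to the popup's confirm button and nowhere else.
            confirmButton.addEventListener(MouseEvent.CLICK, onConfirm);
        }

        private function onConfirm(event:MouseEvent):void {
            // Build the multipart body by hand around the encoded bitmap.
            var body:ByteArray = new ByteArray();
            body.writeUTFBytes("--" + BOUNDARY + "\r\n"
                + "Content-Disposition: form-data; name=\"photo\"; filename=\"photo.png\"\r\n"
                + "Content-Type: image/png\r\n\r\n");
            body.writeBytes(new PNGEncoder().encode(resized));
            body.writeUTFBytes("\r\n--" + BOUNDARY + "--\r\n");

            var request:URLRequest = new URLRequest(UPLOAD_URL);
            request.method = URLRequestMethod.POST;
            request.contentType = "multipart/form-data; boundary=" + BOUNDARY;
            request.data = body;
            try {
                loader.load(request); // runs inside a user-initiated event handler
            } catch (error:SecurityError) {
                trace("Upload blocked by the player: " + error.message);
            }
        }

        private function onIoError(event:IOErrorEvent):void {
            trace("Upload failed: " + event.text);
        }
    }
}
```

Calling `loader.load(request)` from a timer or from the `complete` handler of the earlier download, rather than from the click handler, is the case the post describes as no longer working in Flash Player 10.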
What others have to say:
seen this yet?
http://deceptiveresolution.wordpress.com/2008/11/18/adobe-didnt-make-much-noise-about-this/
might help explain some of the new restrictions
Well, of course it’s good that Adobe fixes security breaches. But unfortunately, this video does not explain why uploading is restricted (Of course, it could be that the breach is in the upload mechanism, in that case: well done Adobe).
Like I said, I can totally understand that you need user interaction for downloading stuff, but not for uploading…
allowing uploads without user input could be a means of a malicious script “stealing” personal information (for example).
It sucks, but imo it’s a necessity.
And a click prevents that? (Because any mouseclick will do). Besides, you could use navigateToUrl for that, or any httpService, or remoting… or did they block that too?