Its been a while since I’ve done a Why It Works That Way. My apologies, it has been a busy time working on the new Flash Player and doing lots of things for Adobe Max.
One of the questions I’ve gotten a few times has been about security and BitmapData.draw. In Flash Player there are restrictions on BitmapData.draw to prevent content theft. Recently, a “workaround” was found for the restriction on snapshotting RTMP content (streamed video). Unfortunately, one person’s workaround is another’s exploit or bug.
To maintain the protection on streamed content, the bug that enabled the workaround was closed as of Flash Player 9.0.115. However, the Flash Player and Flash Media Server teams recognize the benefits of the functionality and so we’ve created a way to keep the protections while allowing content owners to relax permissions when they want.
This new permissions system for RTMP snapshotting is a two-part solution. It requires a change in Flash Player and also a change in Flash Media Server. The change in player went out this week. On the same day, Adobe announced Flash Media Server 3. Content streamed through the new server can have a flag added that Flash Player 9.0.115 can recognize and then permit the snapshotting code to run.
I apologize for the inconvenience that you may experience during the time between Flash Player 9.0.115 launching and the launch of Flash Media Server 3, but I hope you agree that having the functionality as an actual supported feature is a good thing for building applications.
As a rule of thumb though, using workarounds for security or protection features is not a good idea. You can generally count on the workaround being closed in the next release of the player. The good news is that Adobe listens to its community and we try to provide new solutions that let you do what you want in a supported and safe way.
Future WIWTWs:
If there is a question you want me to ask about the inner workings of Flash Player or ActionScript, go to this page and submit a comment. I’d like to keep comments on this post relevant to the post itself.
Thanks for descriptive answer! (Better late than never
But it is still a weird feature. If anyone would really want to record a streamed video, he can do a screen recording.
Some questions:
0) Where is the official info on RTMP (and other) video protection aspects in Flash?
1) Do FMS/RTMP users have to pay for FMS3 update to get that permissive flag?
2) Why permissive flag is not set by default?
3) Is flash player team going to add some kind of printscreen protection like DirectX does on Windows? If so, does it mean, other OSes, than Windows are “piracy suspected” by default?
(i don’t post to wiwtw page to let others see the questions)
Thanks in advance!
Hi Justin,
I’m wondering is there a way to set that flag without fms? Because i’m not going anywhere with just streaming an flv.
Thanks in advance.
Hi Oleg and Pedro,
Thanks for your questions. let me try and answer them below.
Content protection info on adobe.com:
Kevin Towes, product manager for Flash Media Server wrote this article recently on the subject: http://www.adobe.com/devnet/flashmediaserver/articles/protecting_video_fms.html
I need to look around for more information. This isn’t an area I specifically cover.
Upgrades for FMS:
Flash Media Server has split in to two separate leveled products, one as a simple video streaming server and a the fully interactive version (plus video streaming) so that you can have just the parts of Flash Media Server that you need. For more info on upgrades see the following link.
http://www.adobe.com/products/flashmediaserver/
The reality is that you will most likely have to pay for an upgrade. This is because it is a new version of Flash Media Server with new features. The new flag is not a feature, it is just one of the many small fixes that go in during a product cycle.
Why the permissive flag is not set by default:
Setting the content flag to permissive by default would be a change in behavior from how things work now. Customers that expect the protection need to consciously choosing which videos they want to expose.
Screen capture blocking:
I doubt we would ever see that in Flash Player. Our compositing model is very different from technologies that have implemented it. Also, most of the hardware approaches have had issues with repainting when the parent object (the browser) is moved. There are also a large number of issues around multi-screen display in this scenario.
Hey Justin thx for the answer, but however you didn’t tell me how to make my video content ‘snapshotable’ as it is now with the new flash player by default any flv that i have is not accessible by bitmapdraw.
I don’t want to use FMS for all my video content, because A) some of it requires offline viewing, and B) most of it are small clips that are just made for being captured.
TIA.
Pedro,
If you are using draw on a progressive video it should work provided your SWF and the video files are within the same domain. Cross-site sampling on progressive content (SWF, FLV, jpg, png, etc.) remains unchanged.
Not only it doesn’t work under the same domain it doesn’t work locally, hence me asking
Thanks for the info! I’ve been tearing my hair out regarding this, as I used the workaround in the past, and it’s stopped working, and thus breaking my application! Now I see why…
I understand the thought behind this change, but I do have a question though: Is there anywhere that we can download legacy versions of flash player 9? It’s imperative that I take snapshots of live RTMP streams for my job. This change has completely killed my previously working software. I’m not concerned about others being able to steal content as of now, since all this is done internally (ie behind out firewall) at this point in time.
So is there anywhere that I could get my hands on a version of flash player that’s earlier than 9.0.115? Once FMS3 comes out, we’ll be upgrading to it, but until then…
If not, is there a way to ‘trick’ the latest player into thinking that this flag has been set and the stream is ‘grabable’? Of course if you don’t want to post that here, feel free to email me directly..
Thanks for the info and your help!!
K.
any news about that ?
As Pedro said, BitmapData.draw() does not work anymore on progressive download flvs, even if they are on the same domain :
http://www.mysite.com/player.swf playing http://www.mysite.com/video.flv => Error #2123: Security sandbox violation : BitmapData.draw : http://www.mysite.com/player.swf cannot access unknown URL…
any help is welcome !
thanks
Hi,
Just have the same problem as Alex. I play locally a progressive flv and I got the 2123 error.
If anybody has found a work around for progressive flv on same domain please tell us.
Thanks in advance.
I’m running into the same security issues w/ progressive FLV playback. Any updates as to why this may be happening and how we can resolve it?
Here is a description of what I’m running into:
I am using papervision3d to project flv progressive videos onto 3d objects, using NetStream and http, in AIR. I want to switch the source on that stream on a click. What happens now is that after 4 switches, the stream no longer gets the new flv (these are NOT local flvs, they are regular, hosted, public flvs). So if i want to create a 3d rich media RSS reader, i can’t. Is this illegal? am i stealing syndicated content that i can download through a browser anyway? basicaly, the restriction on bitmap.draw/netstream/http is killing the most exciting area of AIR development out there. Am i missing something, am i doing something wrong? And yes, to quote: “If you are using draw on a progressive video it should work provided your SWF and the video files are within the same domain. Cross-site sampling on progressive content (SWF, FLV, jpg, png, etc.) remains unchanged.” What about AIR?
Any help would be greatly appreciated on this
Thanks,
AK
Pingback: Damn You Flash Player 9.0.115.0 » SOME RANDOM DUDE
Thanks for Work, good achievement
This version of flashplayer will kill me !!!
We have the same problem as Ando: the 9.0.115 draw restriction on progressive FLVs hosted on the same domain as the SWF is causing us a lot of problems…
Justin any chance this problem will be corrected in the next release ?
We used that workaround and it stopped working with 9.0.115. We are just starting with FM3 and I am looking where that permissive flag should be set, where should I look for it in the documentation?
Thanks in advance
G
thanks for the info.
thanks for the work around on this,
Pingback: JD on EP
I don’t want to use FMS for all my video content, because A) some of it requires offline viewing, and B) most of it are small clips that are just made for being captured.
Pingback: Justin’s Flash Blog » Progressive FLV Snapshotting Issue (Not a Bug)
DEMO videos, FF/Win? I’m trying to chase down this warning dialog… can you help? The videos from the DEMO conference have a warning message: “Attention Firefox users: BG LiveBroadcast is currently not supported on Firefox for Windows. Please use IE…
DEMO videos is what they call them these days?
Adobe Air 1.0 application displays an rtmp mp4 stream from FMS3. I’m trying to capture a frame of video with BitmapData.draw and get a security sandbox violoation. I have added / to my Application.xml and I’ve also tried setting the client property in the main.asc. Neither seem to work. (I’m able to stream the video w/o issue – just the BitmapData.draw throws and exception.)
What do I need to do to make this work?
here’s the application.xml tag I’m using
<VideoSampleAccess enabled=”true”>/</VideoSampleAccess>
Any DEMOs ?
I’m getting a very odd problem when using live/off-line RTMP with video textures using FMS 3.0. I have done all of the necessary configurations on the server-side to allow client SWFs to copy NetStream frames into Papervision texture buffers. This works initially, but when I seek the connected stream or hit the end of the video I get a sandbox violation as if the videoSampleAccess =”/” state was never set on the server side. If I do not seek or reach the end of the video everything works perfectly. This geeks out in the 3D render-loop — could the stream object be in some undefined state during a seek which causes the texture copy to throw a sandbox violation?
Also, I have been unable to get either the built-in live or vod streaming applications to work using the / in configuration xml. I have to use a custom main.asc to permit client-side copy of the stream (client.videoSampleAccess = “/”). This system is based on the Flash 9 build 115(movie star)and FMS 3.0, so it should work right?
Am I doing something dumb? Has anyone seen anything similar? Could it be paranormal? Any ideas?
Thanks in advance!
Right. I tried to use the bitmapdata.draw (video) function, I think it´s really great.