WIWTW: Bitmapdata.draw and RTMP Snapshotting
Its been a while since I’ve done a Why It Works That Way. My apologies, it has been a busy time working on the new Flash Player and doing lots of things for Adobe Max.
One of the questions I’ve gotten a few times has been about security and BitmapData.draw. In Flash Player there are restrictions on BitmapData.draw to prevent content theft. Recently, a “workaround” was found for the restriction on snapshotting RTMP content (streamed video). Unfortunately, one person’s workaround is another’s exploit or bug.
To maintain the protection on streamed content, the bug that enabled the workaround was closed as of Flash Player 9.0.115. However, the Flash Player and Flash Media Server teams recognize the benefits of the functionality and so we’ve created a way to keep the protections while allowing content owners to relax permissions when they want.
This new permissions system for RTMP snapshotting is a two-part solution. It requires a change in Flash Player and also a change in Flash Media Server. The change in player went out this week. On the same day, Adobe announced Flash Media Server 3. Content streamed through the new server can have a flag added that Flash Player 9.0.115 can recognize and then permit the snapshotting code to run.
I apologize for the inconvenience that you may experience during the time between Flash Player 9.0.115 launching and the launch of Flash Media Server 3, but I hope you agree that having the functionality as an actual supported feature is a good thing for building applications.
As a rule of thumb though, using workarounds for security or protection features is not a good idea. You can generally count on the workaround being closed in the next release of the player. The good news is that Adobe listens to its community and we try to provide new solutions that let you do what you want in a supported and safe way.
Future WIWTWs:
If there is a question you want me to ask about the inner workings of Flash Player or ActionScript, go to this page and submit a comment. I’d like to keep comments on this post relevant to the post itself.
Digg this!
December 8th, 2007 at 5:02 am
Thanks for descriptive answer! (Better late than never
But it is still a weird feature. If anyone would really want to record a streamed video, he can do a screen recording.
Some questions:
0) Where is the official info on RTMP (and other) video protection aspects in Flash?
1) Do FMS/RTMP users have to pay for FMS3 update to get that permissive flag?
2) Why permissive flag is not set by default?
3) Is flash player team going to add some kind of printscreen protection like DirectX does on Windows? If so, does it mean, other OSes, than Windows are “piracy suspected” by default?
(i don’t post to wiwtw page to let others see the questions)
Thanks in advance!
December 10th, 2007 at 9:18 am
Hi Justin,
I’m wondering is there a way to set that flag without fms? Because i’m not going anywhere with just streaming an flv.
Thanks in advance.
December 10th, 2007 at 7:34 pm
Hi Oleg and Pedro,
Thanks for your questions. let me try and answer them below.
Content protection info on adobe.com:
Kevin Towes, product manager for Flash Media Server wrote this article recently on the subject: http://www.adobe.com/devnet/flashmediaserver/articles/protecting_video _fms.html
I need to look around for more information. This isn’t an area I specifically cover.
Upgrades for FMS:
Flash Media Server has split in to two separate leveled products, one as a simple video streaming server and a the fully interactive version (plus video streaming) so that you can have just the parts of Flash Media Server that you need. For more info on upgrades see the following link.
http://www.adobe.com/products/flashmediaserver/
The reality is that you will most likely have to pay for an upgrade. This is because it is a new version of Flash Media Server with new features. The new flag is not a feature, it is just one of the many small fixes that go in during a product cycle.
Why the permissive flag is not set by default:
Setting the content flag to permissive by default would be a change in behavior from how things work now. Customers that expect the protection need to consciously choosing which videos they want to expose.
Screen capture blocking:
I doubt we would ever see that in Flash Player. Our compositing model is very different from technologies that have implemented it. Also, most of the hardware approaches have had issues with repainting when the parent object (the browser) is moved. There are also a large number of issues around multi-screen display in this scenario.
December 11th, 2007 at 1:13 am
Hey Justin thx for the answer, but however you didn’t tell me how to make my video content ’snapshotable’ as it is now with the new flash player by default any flv that i have is not accessible by bitmapdraw.
I don’t want to use FMS for all my video content, because A) some of it requires offline viewing, and B) most of it are small clips that are just made for being captured.
TIA.
December 11th, 2007 at 2:19 pm
Pedro,
If you are using draw on a progressive video it should work provided your SWF and the video files are within the same domain. Cross-site sampling on progressive content (SWF, FLV, jpg, png, etc.) remains unchanged.
December 12th, 2007 at 12:40 am
Not only it doesn’t work under the same domain it doesn’t work locally, hence me asking
December 12th, 2007 at 12:42 pm
Thanks for the info! I’ve been tearing my hair out regarding this, as I used the workaround in the past, and it’s stopped working, and thus breaking my application! Now I see why…
I understand the thought behind this change, but I do have a question though: Is there anywhere that we can download legacy versions of flash player 9? It’s imperative that I take snapshots of live RTMP streams for my job. This change has completely killed my previously working software. I’m not concerned about others being able to steal content as of now, since all this is done internally (ie behind out firewall) at this point in time.
So is there anywhere that I could get my hands on a version of flash player that’s earlier than 9.0.115? Once FMS3 comes out, we’ll be upgrading to it, but until then…
If not, is there a way to ‘trick’ the latest player into thinking that this flag has been set and the stream is ‘grabable’? Of course if you don’t want to post that here, feel free to email me directly..
Thanks for the info and your help!!
K.
December 18th, 2007 at 5:21 am
any news about that ?
As Pedro said, BitmapData.draw() does not work anymore on progressive download flvs, even if they are on the same domain :
http://www.mysite.com/player.swf playing http://www.mysite.com/video.flv => Error #2123: Security sandbox violation : BitmapData.draw : http://www.mysite.com/player.swf cannot access unknown URL…
any help is welcome !
thanks
December 18th, 2007 at 11:49 am
Hi,
Just have the same problem as Alex. I play locally a progressive flv and I got the 2123 error.
If anybody has found a work around for progressive flv on same domain please tell us.
Thanks in advance.
December 31st, 2007 at 5:28 pm
I’m running into the same security issues w/ progressive FLV playback. Any updates as to why this may be happening and how we can resolve it?
January 3rd, 2008 at 2:41 pm
Here is a description of what I’m running into:
I am using papervision3d to project flv progressive videos onto 3d objects, using NetStream and http, in AIR. I want to switch the source on that stream on a click. What happens now is that after 4 switches, the stream no longer gets the new flv (these are NOT local flvs, they are regular, hosted, public flvs). So if i want to create a 3d rich media RSS reader, i can’t. Is this illegal? am i stealing syndicated content that i can download through a browser anyway? basicaly, the restriction on bitmap.draw/netstream/http is killing the most exciting area of AIR development out there. Am i missing something, am i doing something wrong? And yes, to quote: “If you are using draw on a progressive video it should work provided your SWF and the video files are within the same domain. Cross-site sampling on progressive content (SWF, FLV, jpg, png, etc.) remains unchanged.” What about AIR?
Any help would be greatly appreciated on this
Thanks,
AK
January 4th, 2008 at 10:42 am
[…] long term thinking… OK, the code was a mess. You can read the details of the subject here. I hope to have these presentations fixed […]
January 13th, 2008 at 9:03 am
Thanks for Work, good achievement
January 17th, 2008 at 2:08 am
This version of flashplayer will kill me !!!
January 17th, 2008 at 2:38 am
We have the same problem as Ando: the 9.0.115 draw restriction on progressive FLVs hosted on the same domain as the SWF is causing us a lot of problems…
Justin any chance this problem will be corrected in the next release ?
January 28th, 2008 at 3:51 am
We used that workaround and it stopped working with 9.0.115. We are just starting with FM3 and I am looking where that permissive flag should be set, where should I look for it in the documentation?
Thanks in advance
G
January 29th, 2008 at 7:12 pm
thanks for the info.
January 29th, 2008 at 7:15 pm
thanks for the work around on this,
January 30th, 2008 at 1:14 pm
DEMO videos, FF/Win?
DEMO videos, FF/Win? I’m trying to chase down this warning dialog… can you help? The videos from the DEMO conference have a warning message: “Attention Firefox users: BG LiveBroadcast is currently not supported on Firefox for Windows. Please use IE…
February 29th, 2008 at 7:37 am
I don’t want to use FMS for all my video content, because A) some of it requires offline viewing, and B) most of it are small clips that are just made for being captured.
February 29th, 2008 at 10:49 am
[…] February 28, 2008: Progressive FLV Snapshotting Issue (Not a Bug) December 7, 2007: WIWTW: Bitmapdata.draw and RTMP Snapshotting […]
March 1st, 2008 at 6:11 am
DEMO videos, FF/Win? I’m trying to chase down this warning dialog… can you help? The videos from the DEMO conference have a warning message: “Attention Firefox users: BG LiveBroadcast is currently not supported on Firefox for Windows. Please use IE…
March 5th, 2008 at 2:58 pm
DEMO videos is what they call them these days?
March 13th, 2008 at 12:22 pm
Adobe Air 1.0 application displays an rtmp mp4 stream from FMS3. I’m trying to capture a frame of video with BitmapData.draw and get a security sandbox violoation. I have added / to my Application.xml and I’ve also tried setting the client property in the main.asc. Neither seem to work. (I’m able to stream the video w/o issue - just the BitmapData.draw throws and exception.)
What do I need to do to make this work?
March 13th, 2008 at 12:24 pm
here’s the application.xml tag I’m using
<VideoSampleAccess enabled=”true”>/</VideoSampleAccess>
March 20th, 2008 at 8:53 am
Any DEMOs ?
March 26th, 2008 at 9:50 pm
I’m getting a very odd problem when using live/off-line RTMP with video textures using FMS 3.0. I have done all of the necessary configurations on the server-side to allow client SWFs to copy NetStream frames into Papervision texture buffers. This works initially, but when I seek the connected stream or hit the end of the video I get a sandbox violation as if the videoSampleAccess =”/” state was never set on the server side. If I do not seek or reach the end of the video everything works perfectly. This geeks out in the 3D render-loop — could the stream object be in some undefined state during a seek which causes the texture copy to throw a sandbox violation?
Also, I have been unable to get either the built-in live or vod streaming applications to work using the / in configuration xml. I have to use a custom main.asc to permit client-side copy of the stream (client.videoSampleAccess = “/”). This system is based on the Flash 9 build 115(movie star)and FMS 3.0, so it should work right?
Am I doing something dumb? Has anyone seen anything similar? Could it be paranormal? Any ideas?
Thanks in advance!
April 5th, 2008 at 8:01 am
Right. I tried to use the bitmapdata.draw (video) function, I think it´s really great.