Vimeo highly vulnerable to CSRF attacks – now fixed
I recently found that vimeo.com had a cross-domain policy that allowed anyone to connect, which was an open invitation for CSRF attacks. I alerted them to the issue, and it has now been fixed.
My life with ActionScript, JavaScript and their families
The twenty-first idea for my 365 social ideas is another gaming idea: create a set of classic flash-based games along the lines of break-out, tetris etc, but integrate a simple storyline with good and bad characters, places and items involved and make these configurable. You could through this create a game of your own life by inserting persons from your surroundings, places where you meet, stuff that you work with etc. and you could send this game to your friends and family and they could then play out the big game of your life.
I was playing around with E4X last night, working on an upcoming blog post about the capabilities of E4X. While playing, I was thoroughly reading the ECMA-357 standard, and found that there are some special rules about assignment and compound assignment that produce truly unexpected results.
I will try to summarize common pitfalls and provide valid work-arounds.
As part of a larger project, I noticed an annoying thing that kept consistently crashing Flash CS4 (on a Mac OS X Intel 10.6.1): Whenever I tried to copy or cut this one symbol from the stage (to place it in another layer), Flash crashed completely.
There were many conditions that could have been the cause of this, but I managed to boil it down to something reportable.
I finally got the time to clean up the code for MXHR4AS3 – an implementation of the Digg-introduced concept of requesting several files from the server in one request and returning them as a multipart/mixed HTTP response to reduce overhead. The original was implemented in JS, and I have further re-implemented it in AS3.
As promised, the code has been uploaded to Bitbucket. Please enjoy and by all means request access if necessary. Please refer to the new project page here for details.
After having read about and experimented with Digg’s MXHR concept and DUI.Stream, I have now implemented the very same thing for ActionScript 3. In my tests it really shows a performance-boost over conventional queued download.
Truth be told, we ActionScript programmers have always had it easy when it came to creating real-time, multi-user applications. We might not have had much processing power back then, but as early as Flash 5, introduced back in 2000, we got the XMLSocket object, which enabled a whole series of multi-user applications like isometric chat worlds etc. This leaves us JavaScript programmers a bit stranded. We do have Comet and similar technologies, but true persistent connections we have never had – unless we used a Flash object in the document somewhere, but who wants to use Flash anyway?
But with the dawn of HTML 5, this worry is irrelevant, because with HTML 5 and the greatly improved JavaScript API, we also get a brand new Web Sockets API. This will have the same basic low-level access to bi-directional communication as ActionScript got with the XMLSocket API – it wasn’t XML only, it was just the (widely used) default transport method, but it could easily be circumvented.
Quite stunning though, how such a simple mechanism arrives in JavaScript 10 years later than it did in ActionScript!
I have been doing ActionScript 3 projects for quite a while, but every now and then I (as well as many others in the trade) have to switch back to AS2 or even AS1 – the line between them is quite blurry really in retrospect. When doing AS3 projects, there are many features that really come in handy, but it is only when you don’t have them available that you really find out which are the true improvements that you cannot live without, and which are just nice little tweaks that make your everyday scripting easier.
The latter category includes e.g. the for-each-in construct, different number types, class introspection or built-in class look-up by string, but these are my top 6 AS3 features that I find myself constantly missing when fixing or improving scripts in older versions of ActionScript:
Sys-Con Media has again and again tried to spread libel about Aral Balkan because he originally bad-mouthed them on Twitter and in other places, because they stole an article from him and claimed his endorsement of their products and services. Apparently they continue to try and spread rumors about him and recently Turks in general.
I will try to explain my views about best-practice Flash development for rapid prototyping – and why Soft Coding and Scripted Layout is bad for everyone. The argumentation is partly based on this article from Daily WTF that I have enjoyed and recommended to any and all developers. But when it comes to Flash, a whole other possibility of Soft Coding comes into play, namely Scripted Layout, which is the practice of adding items to stage in script only, with position, sizes and other parameters specified in script or external sources (e.g. XML, database or other source). Scripted Layout is a terrible waste of time and effort and completely undermines the power and flexibility of Flash, turning it into a language-wise weaker version of more mature (but graphically challenged) programming environments like C# or Java.