I’ve been reading about the security restrictions for file uploads in Flash Player 10. According to the FileReference docs for upload(), the upload does not have to be triggered by a user-initiated action (the browse() does, but that’s another story). If it did, that would force an awkward user experience for multi-file uploads, since only one upload can occur at once — so the user would have to click (or press a button) once per file to initiate the upload, but only when the previous file had finished uploading.
The documentation for URLLoader.load(), on the other hand, states:
In Flash Player 10 and later, if you use a multipart Content-Type (for
example “multipart/form-data”) that contains an upload (indicated by a
“filename” parameter in a “content-disposition” header within the POST
body), the POST operation is subject to the security rules applied to
uploads:
- The POST operation must be performed in response to a user-initiated action, such as a mouse click or key press.
This Flash Security article corroborates the URLLoader documentation (see the “POST APIs” section).
The original whitepaper, however, does not state this — only that a FileReference browse must be in response to a user-initiated action, not the (potentially URLLoader-driven) upload itself:
When a SWF file uses the FileReference.browse() and
FileReference.upload() methods to upload a file to a server, Flash
Player enforces two security rules:
- FileReference.browse() must be called from within a user-event handler (mouse or keyboard event).
[…]
Flash Player enforces these same rules any time a
networking API is called to perform a POST that appears to the server
to contain an upload.
As far as I can tell from actual use of the URLLoader API to upload a file, the uploads indeed don’t need to come from a user-initiated action; but, is this because I’m using a debug version of the player, or because the documentation is wrong? (Or something else?)
TL;DR: The documentation contains conflicting information, and I don’t trust my field tests (in the face of docs that say they shouldn’t work). Can URLLoader be used to upload a file without user interaction? Or only FileReference? (That would kill most file pre-processing possibilities, which is what I happen to be interested in doing!)
You don’t get errors because you are running in debug. I got the same problem while working on my speedtest project.
So for the questions:
- FileReference can’t upload files without user interaction.
- URLLoader can’t upload files without user interaction if you are using POST, multipart/form-data and filename properties.
- You can upload files with URLLoader if you are using a content type like application/octet-stream and putting the file body encoded (for example in base64) in your POST request. That means, if you are using PHP, you will work not with $_FILES but with the $_POST array to get your file.
- Working in debug mode on a local machine won’t trigger the URLLoader restriction error.
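
The rule quoted above from the URLLoader.load() documentation, modelled as an added example (not code from the original posts, and not Flash Player's own implementation): a Python check that treats a POST as an upload only when its Content-Type is multipart and some part carries a "filename" parameter in its Content-Disposition header. The boundary, field names and file bytes are constructed sample values.

```python
import base64
from email import message_from_bytes


def subject_to_upload_rules(content_type: str, body: bytes) -> bool:
    """Model of the documented rule: multipart Content-Type plus a part whose
    Content-Disposition header has a filename parameter."""
    # Prepend the HTTP Content-Type header so the stdlib MIME parser can be reused.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if msg.get_content_maintype() != "multipart":
        return False
    # walk() yields the container and every part found within the POST body.
    for part in msg.walk():
        if part.get_param("filename", header="content-disposition") is not None:
            return True
    return False


# Constructed sample requests (not captured traffic).
BOUNDARY = "constructedBoundary123"
FILE_BYTES = b"constructed file contents"
MULTIPART_CT = f"multipart/form-data; boundary={BOUNDARY}"


def multipart_body(disposition: str, payload: bytes) -> bytes:
    """Build a one-part multipart body with the given Content-Disposition."""
    head = f"--{BOUNDARY}\r\nContent-Disposition: {disposition}\r\n\r\n"
    tail = f"\r\n--{BOUNDARY}--\r\n"
    return head.encode("ascii") + payload + tail.encode("ascii")


SAMPLES = {
    "multipart with filename": (
        MULTIPART_CT,
        multipart_body('form-data; name="f"; filename="a.bin"', FILE_BYTES),
    ),
    "multipart, plain field": (
        MULTIPART_CT,
        multipart_body('form-data; name="note"', b"hello"),
    ),
    "octet-stream, base64 body": (
        "application/octet-stream",
        base64.b64encode(FILE_BYTES),
    ),
}


def classify_samples() -> dict:
    """Apply the rule to each constructed request."""
    return {k: subject_to_upload_rules(ct, b) for k, (ct, b) in SAMPLES.items()}
```

Only the first request matches the documented criteria. On the receiving side, this means file content sent the third way arrives as an ordinary request body, so any server-side validation tied to the multipart upload path does not see it.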