incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Harui <>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 19:18:19 GMT

On 2/20/12 9:26 AM, "Bertrand Delacretaz" <> wrote:

> Hi Omar,
> On Mon, Feb 20, 2012 at 8:56 AM, Omar Gonzalez
> <> wrote:
> In the case of RSLs I assume signatures are checked by the client,
> what are the requirements for that?
RSL signatures are checked by the Flash Player.

Flash is a zero-install download-sensitive technology.  You hit a web-page
and your app starts streaming in and as soon as you get enough code
downloaded, you can start displaying UI, even while the rest of the code
gets downloaded.

Flex does not leverage that aspect of Flash.  Like Java, it has code
libraries which can be substantial in size.   Unlike Java, it does not
supported class loading on the fly.  You have to preload the code before
making access to a class.

RSLs are essentially JARs that you preload.  You can then see that if the
download size is significant, you don't want each app to have to re-download
the RSLs.

A central location is helpful, but that central server can be far away from
the user.  Mirrors don't help completely because the Flash security model
cares about the domain name serving the file.  If you put the signature you
are looking for in the application binary, it can also be hacked.  Browser
caches get flushed.  A rogue swf on the same domain serving a swf can
cross-script the RSL.

There is no perfect solution, but what the player does is check exclusively
for Adobe's signature and caches a file by signature in a non-browser cache,
and allows you to load that file into your security context (but not other
non-signed files from the same domain originally serving that file).

I don't see Adobe changing its position on this for now, so Apache Flex
needs to decide what to do given that.  Relying on browser caching is about
as good as you can do.  You will be exposed to man-in-the-middle.  I don't
think we can find a way to know that a file downloaded from one mirror is
the same as one coming from another mirror without downloading it in the
first place.

Also note that many large apps seem to have given up on RSLs because they've
had to hack the classes in the RSLs to fix bugs.

IMHO, RSLs are a temporary hack to a problem of having large amounts of
intertwined classes in the framework.  I have a prototype of a framework
that leverage the zero-install capability of Flash much better, which should
eliminate the need for RSLs.

Alex Harui
Flex SDK Team
Adobe Systems, Inc.

View raw message