Saturday, September 27th, 2008

Flash 10 and the bad news for JavaScript interaction

Category: Accessibility, Adobe, Flash, Security

Right now you can use Flash to work around a lot of JavaScript limitations, and many products use an invisible Flash movie to, for example, batch upload files (Flickr, WordPress), play movies in a screen-reader-accessible manner (with DHTML controls outside the main movie – Yahoo Video, for example) or automatically add content to the browser clipboard (

All of these will cease to work without user interaction in Flash, as reported on the Adobe DevNet. There are very good reasons for it, as explained by Lee Brimelow, but it is a real problem that will stop Flash from being a useful tool to patch inaccessible solutions.

As long as you cannot access a Flash movie in non-Internet Explorer browsers via keyboard, there will be no such thing as an accessible Flash page. Research findings presented at Scripting Enabled last week showed that, for example, many screen reader users skip Flash as soon as they hear that there is a movie on the page, regardless of how much effort you put in to make the movie itself keyboard enabled. DHTML controls worked around that issue – a button that cannot be accessed is very secure, but also pointless.

There must be some middle ground there somewhere…

Posted by Chris Heilmann at 4:11 pm

4.3 rating from 54 votes



This is totally BAD news.
Does this mean that great pieces of software like SWFUpload will be broken under Flash 10? C’mon Adobe, you can’t do that!!

Comment by zeno — September 27, 2008

yes zeno swfupload doesn’t work in flash 10. it’s been on their forum for quite some time. there are some workarounds though, you can use a flash button / image to start the file dialog, or there’s a way to overlay a div on top of it. so for most purposes it will do the job.

to be honest i’ve never been happy with using flash to upload files. for me it doesn’t work perfectly, especially for big files.

Comment by kyriakos — September 27, 2008

Well, if Sun do things right, it might be an occasion for Java to evolve and if the plugin gets lightweight enough, people might replace the Flash uploaders with Java uploaders.
I remember using service and they have a Java upload tool, it takes time to load the applet but in the end, you just drag&drop files.
JavaVM takes more time to load, it’s a lot more powerful

Comment by porf — September 28, 2008

@porf: Yes, but then you need to sign the applet in order to allow it access to the local filesystem.

I can’t believe Adobe are doing this. Maybe it’s time to take another look at Silverlight and dump Flash altogether.

Comment by spyke — September 28, 2008

I tried Java based uploaders. Functionally they work perfectly fine. If you are dealing with large files ideally there are Java uploaders that deal with FTP rather than HTTP which seems to be far more reliable for file uploads (after all that’s what FTP is meant to be used for). The downside is as porf said the fact that you have to wait for the VM to load up and deal with the usually ugly UI of these applets.

Comment by kyriakos — September 28, 2008

I guess this shows the importance of following Open Standards and not relying on closed down, proprietary lock-in technology…
<input type="file-multi"…?

Comment by ThomasHansen — September 28, 2008

sorry to sound like an ass, but that’s what you all get for using flash in the first place. to me, the ‘open web’ should be open source.

Comment by robertlovescss — September 28, 2008

I would have to agree with Thomas and Robert. Website functionality shouldn’t rely on third party plug-ins, especially if they aren’t open source. This could be an opportunity for some real creativity, I think. Forget Java applets. Nothing makes me hit the back button faster.

Comment by mjuhl — September 28, 2008

Seriously, this is terrible news. I am all about open technologies and any of my sites which use multifile upload downgrade to regular html upload when the flash player is not available. That being said – nothing matches the convenience of being able to select 20 files at once and get feedback for each one as to how far it is uploaded while still being able to do other things. I use it on my blog at and it allows me to continue typing a journal while all the files are uploading. I think wordpress and flickr use it in a similar fashion.

My users are going to freak if they have to upload files one at a time, either that or they will just stop uploading as much content which is sad. Same with flickr. The alternative is that i am going to have to make a whole flash based widget or switch technologies altogether to gear or silverlight or java, blah.

It was great with flash because there was such a high install base thanks to youtube.

What they really should do is prompt the user with a security warning, or say, “Site blah wants to upload files” the same way that they do when a site asks to use your camera or microphone. That way the hundreds if not thousands of sites that use multifile uploads would not break but instead just be more secure.

Comment by paulsidekick — September 28, 2008

Uhm…. Gears? I’m pretty sure gears s’ports multiple file uploads.

Comment by Breton — September 28, 2008

But Gears is installed in a tiny percentage of computers and breaks every time a browser vendor updates their product, even a couple security fixes can break Gears support.
The whole “Don’t break the Web” has a new meaning now.

Comment by PedroBatista — September 28, 2008

to Thomas and Robert:

This is the result of people being forced to use closed standards since the open standards have not been catering for their needs in so many years. The HTML specification should have allowed some flexibility over the file upload input field for a long time..

Comment by kyriakos — September 29, 2008

if (flash installed && version < 10) useFlashUploaderWithHTMLUI();
else if (java installed) useJavaUploaderWithHTMLUI();
else useStandardSingleFileAtTimeUploader();

Comment by jole — September 29, 2008
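The fallback chain sketched in the comment above, written out as an added JavaScript example that is not part of the original thread. The `env` parameter, the `activeXFlashVersion` hook, the strategy names and the sample plugin descriptions are assumptions made for illustration.

```javascript
// Added example. `env` stands in for the browser's `navigator`;
// `activeXFlashVersion` is a hypothetical hook that, in IE, would wrap
// new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version").

// Major version from the two description formats a Flash plugin reports:
//   NPAPI plugin: "Shockwave Flash 10.0 r12"    ActiveX: "WIN 10,0,12,36"
function flashMajorVersion(env) {
  var desc = null;
  var plugin = env.plugins && env.plugins["Shockwave Flash"];
  if (plugin && plugin.description) {
    desc = plugin.description;
  } else if (typeof env.activeXFlashVersion === "function") {
    try { desc = env.activeXFlashVersion(); } catch (e) { desc = null; }
  }
  if (!desc) return 0; // not installed, or the probe was blocked
  var m = /(\d+)[.,]\d+/.exec(desc);
  return m ? parseInt(m[1], 10) : 0;
}

function javaAvailable(env) {
  return typeof env.javaEnabled === "function" && env.javaEnabled() === true;
}

// Same three branches as the comment: the script-driven Flash uploader only
// below version 10, then Java, then the plain single-file HTML form.
function pickUploader(env) {
  var flash = flashMajorVersion(env);
  if (flash > 0 && flash < 10) return "flash-html-ui";
  if (javaAvailable(env)) return "java-html-ui";
  return "single-file-form";
}

// Constructed sample environments (not captured from real browsers).
var yes = function () { return true; }, no = function () { return false; };
var SAMPLES = {
  flash9: { plugins: { "Shockwave Flash": { description: "Shockwave Flash 9.0 r124" } }, javaEnabled: yes },
  flash10: { plugins: { "Shockwave Flash": { description: "Shockwave Flash 10.0 r12" } }, javaEnabled: yes },
  ieFlash10NoJava: { plugins: {}, activeXFlashVersion: function () { return "WIN 10,0,12,36"; }, javaEnabled: no },
  probeBlocked: { plugins: {}, activeXFlashVersion: function () { throw new Error("blocked"); } }
};

Object.keys(SAMPLES).forEach(function (name) {
  console.log(name + " -> " + pickUploader(SAMPLES[name]));
});
```

A failed or blocked plugin probe is treated as "not installed", so the chain always ends at the plain HTML form rather than at an uploader that cannot open its dialog.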

Does this also mean that flash based local storage will no longer work? E.g. The flash handler for

Comment by sos — September 29, 2008

From one of TFAs: “HTML security guidelines do not allow the opening of file dialog windows without user interaction”. This was just a matter of time IMHO.
Why do you think the file input type field is that nasty to hack in html?
But I’m confident that the SWFUpload devs will find a suitable workaround soon enough.

Comment by cosmincimpoi — September 29, 2008

Couldn’t they have just made a confirm dialog?

“Site xyz wants to open a file dialog, allow this?”
“No, and don’t bother me any more for this site”

and add that to the “accepted” list, done.

Comment by Mark — September 29, 2008

The only security changes are requiring user interaction before allowing clipboard access and opening a file dialog box. There are no additional restrictions on interacting with Javascript. And the fix in both cases is very simple. Why is this of any major concern? Did I miss something in the article?

Comment by nexus09 — September 29, 2008

Let’s not forget that the browsers, outside of standards, also made similar breaking changes to things like pop-up windows. I think IE was the first which required user interaction to pop-up a new window. Mozilla did the same and I had to fix a bunch of my HTML / JavaScript applications. There wasn’t a W3C standards body that decided on this change. Browsers made the change to protect users from malicious websites. This is exactly what Flash Player 10 is doing. There are workarounds for those using Flash for file upload.

-James (Adobe)

Comment by jlward4th — September 29, 2008

The positive thing about all this for the end user, is that Flash Player is more secure than before, if this user is also one of those who auto skips Flash content, then this might make his life better since the developer behind the site might drop Flash if he knows he won’t be able to do his javascript “hack” anymore.

So finally people who don’t like flash won’t have to be in contact with Flash, while they probably will feel less “annoyed” they’ll also be missing some really cool features. Flash Player is really a cool way to deliver your content, whether it is an application or a simple animation, I don’t understand why people find “Flash” evil and use other tools/programs that are twice more annoying … The operating system used by most of my site’s visitors is another proof

As for developers, I guess this is a big problem for all those who used these techniques and as an addicted to all things Flash developer I also got a bit worried about these new “security” features, but I think people have been asking for it for so long, so all the efforts Adobe are making to make the Flash Player secure is kind of logical, and I’m sure we’ll find other ways to enable/add features to JavaScript

Comment by punkscum — September 29, 2008

A potential workaround: Make the flash movie transparent and position it over the relevant “select files” link, thus Flash will capture the click, the “origin” test should pass and things should work as previously. (Theoretically. :D)

Comment by Schill — September 30, 2008

Unless I have completely missed the point here, I don’t understand why the security changes to FP10 will prevent some of you from uploading multiple files, it can be done using a standard HTML form.

Not good enough? Then why not just create a form in Flash instead of using a JS hack? Either way the end user is going to need the Flash plugin installed, and either way you will need to fallback to HTML if (a) the Flash plugin isn’t installed or (b) JavaScript isn’t enabled.

Comment by Si — September 30, 2008

So what does this mean for a project like HotRuby?

Comment by PeterMichaux — October 2, 2008

So, famous copy-text to clipboard (with _clipboard.swf from Mark O’Sullivan) for non IE browsers doesn’t work anymore on Flash 10. Crap, I just noticed that today when checking our production-home-page…
Are there any known work-arounds yet? Or is there ANY other way to save text to clipboard on non-IE browsers with JavaScript?

Comment by cordell — October 29, 2008


Comment by msnek — January 4, 2009
