Wednesday, June 21st, 2006

True Javascript Sockets?


On the ThinkPHP blog, there’s a new post with an interesting concept – true sockets in Javascript – including code!

I could not find a single way to have real sockets in Javascript. Google told me that there probably is no solution except embedding a java applet or an active-x component! So I thought why not using a little .swf file as a bridge from javascript to the socket functions of flash!

This works pretty neat, fast and stable! The client connects to a patched (”\0\n”) Unreal IRCD. Except connecting and joining a channel there is not much functionality, but it works pretty good!

There’s a demo of the functionality posted as well, but (according to the comments) there are still a few issues to work out before this can be widely used.

Posted by Chris Cornutt at 1:48 pm


how is this true javascript? you are mixing it with flash??? this sounds kinda scary too…

Comment by jeff — June 21, 2006

There’s a couple of other libraries that do similar:


Comment by Chris Double — June 21, 2006

they should use the flash feature to expose certain function to the js engine so it can be even easy to cross script.

Comment by Mario — June 21, 2006

has been using this method for its NFL, NBA, MLB, College Football and College Basketball scoreboards for a couple years.

Comment by Cesp — June 21, 2006

Yes! Now cross-site scripting attacks will be able to ping my webserver from Taiwan …
No really, don’t say this is a Javascript solution, as Flash is still the driver. You might as well use your ActiveX control or Java at that point. I can see legitimate uses for it, for sure, but people who use it better understand it and lock it down from within the SWF wrapper, or there goes the neighbourhood.

Comment by Dan — June 21, 2006

And the fact that it’s a SWF means that it can easily be decompiled, meaning that all of your functionality, public or not, is wide open to an attacker.

Comment by Reader — June 22, 2006

Hm, that is true, flash CAN be easily decompiled. We’ll just stick with javascript then.

Comment by Chris — June 22, 2006

Has anyone done benchmarks on the performance hit of something like this versus normal polling? Obviously only authenticating a user once and just sending and receiving data would be a lovely alternative to rechecking them every time they do an ajax call, but how well would this work on a system with hundreds of simultaneous users?

Comment by Mr. Curious — June 22, 2006

DHH mentioned this possibility too during the last Canada on Rails

Comment by Strass — June 22, 2006

@Reader: The fact that the SWF can be decompiled isn’t a huge deal. Since they can’t replace your SWF with theirs, the details of what you are doing shouldn’t matter. I was referring to the SWF allowing only certain types of traffic, to certain hosts, at a restricted frequency. By restricting these, you have a chance of keeping this hacked-together approach from blowing up in your face.

Comment by Dan — June 22, 2006
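
The restrictions Dan describes (only certain traffic, only certain hosts, a capped frequency), as an added example that is not part of any comment above or of SocketJS. JavaScript is used here only to model the checks, which in the approach discussed would be enforced inside the SWF; the function names, sample host, command list and limits are all assumptions, and the example goes one step further by rejecting CR/LF/NUL so a single call cannot carry more than one IRC line.

```javascript
// Added example: hypothetical policy object for a JS-to-socket bridge.
// Hosts, commands and limits below are constructed sample values.
function createSocketPolicy({ allowedHosts, allowedCommands, burst, refillPerSec }) {
  let tokens = burst;
  let last = null;

  // Token bucket: at most `burst` messages at once, refilled over time.
  function takeToken(nowMs) {
    if (last !== null) {
      tokens = Math.min(burst, tokens + ((nowMs - last) / 1000) * refillPerSec);
    }
    last = nowMs;
    if (tokens < 1) return false;
    tokens -= 1;
    return true;
  }

  return {
    // Only exact host:port pairs on the allowlist may be dialled.
    checkConnect(host, port) {
      return allowedHosts.has(`${String(host).toLowerCase()}:${Number(port)}`)
        ? { ok: true }
        : { ok: false, reason: "host not allowed" };
    },
    // One IRC line per call: no CR/LF/NUL, known command, within rate limit.
    checkSend(line, nowMs) {
      if (typeof line !== "string" || line.length === 0 || line.length > 510) {
        return { ok: false, reason: "bad length" };
      }
      if (/[\r\n\0]/.test(line)) {
        return { ok: false, reason: "control character in line" };
      }
      const command = line.split(" ")[0].toUpperCase();
      if (!allowedCommands.has(command)) {
        return { ok: false, reason: "command not allowed" };
      }
      if (!takeToken(nowMs)) {
        return { ok: false, reason: "rate limit" };
      }
      return { ok: true };
    },
  };
}

const policy = createSocketPolicy({
  allowedHosts: new Set(["irc.example.test:6667"]), // constructed sample host
  allowedCommands: new Set(["NICK", "USER", "JOIN", "PRIVMSG", "PONG"]),
  burst: 3,
  refillPerSec: 1,
});
```

Rejected lines do not consume a rate-limit token, so malformed input cannot be used to starve legitimate traffic from the same page.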

Hi, I just found this article linking to that socket thing i did recently and thought I have to comment some things.
– I used Flash instead of heavy activex or java solution because for me this simply works better and is faster.
– I do not think there is any security issue by decompiling swf socket client sources. You can theoretically sniff any client connection. Does not matter if it is irssi, mirc, xchat. A secure server is important. If you want to implement secure connections or user authentication you might think about a more secure way.
– Developing a multiuser application is difficult. And you cannot compare it with polling (like ajax) or even do benchmarks because that is something completely different.
I do not take SocketJS too seriously. I was just playing with it. However I do believe that one could add some nice behaviour to his JS application.
Regards – Manfred

Comment by manfred — June 22, 2006

No working:

Error: window.document.socket.SetVariable is not a function
Source File:
Line: 93

How to make fixing?

Comment by Danny — June 24, 2006

Danny, do you use flash player version 8? It seems that SetVariable does not work with this version.

Comment by manfred — June 25, 2006

I can use this to connect to a server on localhost, but when I bind that same server to my network IP in order to make it available over the web, SocketJS can no longer connect.

It’s not the router because I’ve DMZ’ed everything to my computer and I can connect to other servers on my computer from the web.

SocketJS won’t even connect to google:80.

Comment by Chris — July 16, 2006

It doesn’t really matter if the SWF can be decompiled and reverse-engineered. The worst that can happen is a DOS attack, which is trackable. Besides, anyone could write a plain old JavaScript that will do superfluous polling. It’s up to the CGI app to recognize and deal with flood attacks.

Since AJAX uses Pull methods, I welcome this SWF socket solution — which allows Push applications. This reduces bandwidth costs (for client and server), redundant polling, DOS hacking, and database queries.

Comment by Victor — October 7, 2006

Seems that Flash 9 has limits, since I can’t use this script either…

Does anyone know how to get Flash 8 (not 9)?

Comment by Marton — November 13, 2006

The problem I’ve always run into in trying to use Flash is the security concerns. You can write a server to handle queries, but that seems overly complicated.

So I decided to use a tiny, invisible Java applet instead:

Comment by sgware — April 26, 2009

Err, sorry… in my above comment, I meant to say <policy-file-request/>(policy-file-request) requests, but the HTML got messed up.

Comment by sgware — April 26, 2009
