NPAAPI Plugin - PPAPI Plug-in

Hello I have a question why is my PAPPI plug-in's say (out-of-process)

There's nothing currently scheduled. 

Definitely feel free to file a feature request for it at bugbase.adobe.com, or from the community-driven Uplist: Feature request for Flash and Air - uplist

We watch both carefully.

Will do, thanks

Good day Jeromie,

Does PPAPI Plugin support trusted locations? I have added folders to trusted locations, but I'm still receiving Security errors.

It should, but the Flash Player packaged with Chrome is encapsulated from the other Flash installations on your computer.  The nature of the PPAPI architecture is such that there is no way for the PPAPI Flash Player to read from the central settings files that the ActiveX and NPAPI Flash plug-ins share. 

Long story short, you'll need to add settings specifically for Chrome (and/or each PPAPI-based browser on your machine), and you have to do that through the SWF-based user interface, here:

Adobe - Flash Player : Settings Manager - Global Security Settings panel

Just for some background, this is one of those things that is ugly and grew organically.  We released the native control panel back in 2010 before PPAPI was a thing, with the intention of retiring those web-based control panels.  They hung around because of Android Flash Player for a while, and then PPAPI emerged and all of a sudden, we required them again because the Native Control Panel only modifies the central settings files used by browsers with looser sandboxes.  The notion of somehow discovering, registering and syncing config changes between all of the ActiveX, NPAPI and PPAPI instances would be a path fraught with peril, and we really don't want to go down that road.  We feel that the likelihood of unexpected or undetermined states in our privacy and security UI is worse than the current fragmentation between browsers. 

The design decision in Chromium (which we totally agree with) prevents Flash Player from known what directory it's running in on the filesystem, and prevents it from reading or writing outside of it's little jailed filesystem.  This is a good thing for users, but it leads to an unfortunate fragmentation in how the settings are handled.  If you're using other Chromium-based browsers, then each Chromium browser maintains its own set of settings, which would need to be made through that SWF-based UI.

We're still thinking about ways to clean this up, and we'll be adding some clarification to the Native Control Panel UI shortly, but it's this interesting quagmire that we've found ourselves in as the browser space has evolved in good-but-unexpected directions over the last couple years.

Jeromie, thank you for so detailed response.

I have tried Web based settings - Adobe - Flash Player : Settings Manager - Global Security Settings panel

I can't add folder, It just doesn't work for me.

After navigating to desired folder and clicking on 'Open' button, It does not give any results..

Does it work for you?

Famous last words: It works for me. 

What operating system are you using?  Win7 x64 looked good to me.  I got a pretty funky response when looking with mac.

Also, check the URL at the top of that page.  Is it adobe.com or macromedia.com?  Only changes made from macromedia.com will be applied.  We had a problem where some users were being redirected to adobe.com as a part of an unrelated infrastructure change, but I think that's resolved now, at least in the US.

It's www.macromedia.com

OS: Windows 8.1

I also have recorded video (screen), but It has some sensitive information, I could send it to any email

Issue: by navigating to any folder, window provide only open option, as user I can't set path to folder.

Is it also the case that the PPAPI player does not share debug config file (mm.cfg) ? When using PPAPI I am not able to get my trace statements out to flashlog.txt

That is correct.  PPAPI Flash Player doesn't have the ability to see the normal filesystem.  It has it's own sandboxed filesystem to play in, but it has no way out of that sandbox to read the centralized config files.

To make it even more confusing, if you had both PPAPI Chrome and PPAPI Opera installed, *those* Flash instances would have distinct filesystems as well.

Off the top of my head, I'm not sure where you should put the various config files when you're using a PPAPI Flash Player.  I'll have to figure it out and get back to you.

Hello Jeromie,

What about web based settings — http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html

Do we have any progress in this question?

Here are the locations of the config files for the PPAPI debugger.  You may need to create the System directory listed in this path manually.

Win7: %USERNAME%/AppData/Local/Google/Chrome/User Data/Default/Pepper Data/Shockwave Flash/System

WinXP: %USERNAME%/Local Settings/Application Data/Google/Chrome SxS/User Data/Default/Pepper Data/Shockwave Flash/System

Mac: /Users//Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System

Linux: /Users//Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System

ChromeOS: /home/chronos/user/Pepper Data/Shockwave Flash/System

Web-based settings are the only way to configure things in the PPAPI world.  Since we can't read the centrally stored files used by the ActiveX and NPAPI Flash Players during runtime, the changes made in other browsers via the web-based settings manager, or via the Native Control Panel have no effect on the behavior of the PPAPI browser.  Settings made via the settings manager will also not propagate between parallel PPAPI instances, should we extend support to other PPAPI/Chromium-based browsers in the future.

The trusted locations and local filesystem access is in a pretty weird state at this point.  Sandboxing techniques used by the major browser vendors vary widely, and this results in a severe fragmentation of capability on our end.  The Safari sandbox prevents Flash from reading from the local filesystem.  Flash Player in PPAPI operates in a jailed filesystem, so loading local assets becomes problematic. 

The local filesystem stuff came from a time before it was reasonable and easy to run a local webserver, but it's 2014 and we have one-click installs of LAMP/MAMP/XAMP, etc.  MacOS comes with a built-in webserver already, and Adobe AIR really serves the "Flash running as a native app" niche in a far superior way than Flash Player in the browser can, with far less risk.

My personal opinion is that all of the local sandbox stuff is a throwback to another time, and something that we should deprecate and disable by default.  Given the direction that most browsers are heading (at least the ones that aren't in rapid decline), I think that it's just a matter of time before the plugin architectures in major browsers make this functionality impossible anyway.

If you're depending on the local filesystem as part of your design, you're signing yourself up for a world of headaches.  If you're just trying to work through it for developing, a local webserver is easier and more powerful (particularly if you need to think about cross-domain policies, session headers, CORS, etc).  Since local filesystem support is already fragmented and really only supported well in *old* browser versions, I'm really of the opinion that it's time to phase it out.

Thank you for the insightful post.

To complete the list above, the PPAPI config file for Opera should be placed (on Mac) at

/Users/<user>/Library/Application Support/com.operasoftware.OperaDeveloper/Pepper Data/Shockwave Flash/System

Thank you Jeromie, for detailed response.

It's a sad story. I remember time, when developer could add "working directory" to trusted locations and work with the product in very fast paced maner. (I didn't like it from the beginning to configure player through web settings, but it worked…)

Now we should create for example some build scripts/automatization, so even small changes after compilation will be placed under local web server.

I remember how it was cool to create some functional while slow admins are placing correct crossdomain.xml, etc.

Ok, let's return to configurations…

If I'm using PPAPI Plugin for Chrome, can I place configuration with trusted location for example under such path:

%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\FlashPlayerTrust\dev.cfg

dev.cfg conntent for example:

C:\Development\FlashProjects

Is it right way for current plugin implementation?

Honestly, I never use this feature.  It sounds reasonable.

According to the docs:

The Global Flash Player Trust directory

Administrative users and installer applications can register specified local SWF files as trusted for all users. These SWF files are assigned to the local-trusted sandbox. They can interact with any other SWF files, and they can load data from anywhere, remote or local. Files are designated as trusted in the Global Flash Player Trust directory, in the following location:

• Windows: system\Macromed\Flash\FlashPlayerTrust(for example, C:\WINDOWS\system32\Macromed\Flash\FlashPlayerTrust)
• Mac: app support/Macromedia/FlashPlayerTrust(for example, /Library/Application Support/Macromedia/FlashPlayerTrust)

The Flash Player Trust directory can contain any number of text files, each of which lists trusted paths, with one path per line. Each path can be an individual SWF file, HTML file, or directory. Comment lines begin with the

# symbol. For example, a Flash Player trust configuration file containing the following text grants trusted status to all files in the specified directory and all subdirectories:

# Trust files in the following directories: C:\Documents and Settings\All Users\Documents\SampleApp

The paths listed in a trust configuration file should always be local paths or SMB network paths. Any HTTP path in a trust configuration file is ignored; only local files can be trusted.

To avoid conflicts, give each trust configuration file a filename corresponding to the installing application, and use a .cfg file extension.

As a developer distributing a locally run SWF file through an installer application, you can have the installer application add a configuration file to the Global Flash Player Trust directory, granting full privileges to the file that you are distributing. The installer application must be run by a user with administrative rights. Unlike the mms.cfg file, the Global Flash Player Trust directory is included for the purpose of installer applications granting trust permissions. Both administrative users and installer applications can designate trusted local applications using the Global Flash Player Trust directory.

For the trust file, the following works for me on MacOs, with Chrome and PPAPI plugin:

  /Users/<user>/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#Security/FlashPlayerTrust/trust.cfg

You may have to create the #Security directory if it does not exist.

The path is probably similar for Windows and other implementations.

Nope. This is not working for me.

Sorry. It's working fine. I was doing something wrong.

I'm not totally surprised.  We may not be able to broker all of the requests to the local filesystem necessary to make those features work.  The NPAPI and ActiveX debuggers are definitely more robust and well tested at this point.  If you're just trying to get work done, that's probably a less frustrating path.

Please file bugs on anything that's not working over at http://bugbase.adobe.com/.  We haven't had a ton of feedback on the PPAPI debugger at this point, so it's definitely appreciated.

If you post the bug numbers here, I'll get them assigned.

Hey Jerome,

The problem is, I don't know weather these are bugs or not as long as I'm unaware of how PPAPI player is handling relative paths. I'll try to sum here old VS new behavior with examples:

1. NPAPI
Path to mm.cfg (c:\Users\<username>\mm.cfg), mm.cfg contains a number of directives, path related ones are:

PreloadSwf=c:\some\path\flashfirebug.swf

TraceOutputFileName=c:\some\path\Logs\flashlog.txt

2. PPAPI

Path to mm.cfg which is undocumented as far as I'm aware (c:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\System\mm.cfg)

PreloadSwf=flashfirebug.swf (absolute path is not working... if we use a relative path, to which folder will it be relative to? Where do we put flashfirebug.swf?)

TraceOutputFileName=abc\flashlog.txt (same thing, where would this be located?)

Regarding trust folder and paths, I think I had some bug, I'll retry JeanBonnot suggested folder and report back.

Hello Jeromie,

So I managed to get my mm.cfg read from this path

C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\System\mm.cfg

I dropped my tracePath directive as it seems to be ignored. Our PreloadSwf looks like this (I figured this should be the root of the sandbox folder)

PreloadSwf=\flashfirebug.swf

Security is indeed read from this path as JeanBonnot indicated

C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#Security\FlashPlayerTrust\*.cfg

My flashfirebug.swf file is here

C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\flashfirebug.swf

My preloadSwf uses the allComplete handler, which is not firing at all on Debug Flash Player PPAPI, I've filed a bug report here

Bug#3918993 - allcomplete handler is not being invoked in debugger version of PPAPI plugin