
Firefox Nightly now plays Amazon.com Flash videos using Shumway - msujaws
https://mail.mozilla.org/pipermail/firefox-dev/2015-February/002683.html
======
cpeterso
I'm a program manager on Mozilla's Shumway team. If you have any questions,
please ask! :) The name "Shumway" is derived from "Gordon Shumway", the actual
name of the TV character ALF: Flash -> Flash Gordon -> Gordon Shumway ->
Shumway. :)

Shumway is written in TypeScript. It has an ActionScript interpreter and a JIT
that generates JavaScript, compiled using eval(). The code is on GitHub:

[https://github.com/mozilla/shumway/](https://github.com/mozilla/shumway/)

~~~
zobzu
Do you fear that by the time shumway actually works for "most ppl stuff" flash
would already be gone and the effort wasted? (its gone from YT..)

~~~
cpeterso
Yes and no. Shumway is in a race to stay relevant as Flash fades from the web,
but there will always be a long-tail of Flash content that would/will be lost
when Adobe or browsers stop supporting the Flash plugin.

Even YouTube must continue to support Flash video for at least another year
because many websites embedded Flash videos using YouTube's boilerplate
embedding HTML with the Flash <object> tag. Google can't magically rewrite
these third-party websites' HTML. :) Maybe YouTube can use some SWF that loads
or redirects people to youtube.com? Or browsers could recognize YouTube's
boilerplate embedding HTML and rewrite it with YouTube's HTML5 video.

~~~
hammerandtongs
This is a serious point though.

Flash, while pretty atrocious, is part of the cultural legacy of the web.

Someday shumway may be the only way reasonable way to access this via
archive.org etc.

~~~
tschneidereit
This is indeed a major consideration: Flash will undoubtedly go away as a
player, and if we don't want to lose all the legacy content with it as if it
were stored on floppy disks, Shumway or something like it is the only
solution.

Note that for a lot of content, it's not even required to use Shumway in the
form of a browser extension or built-in system: it's perfectly possible to run
SWFs with Shumway as a website-deployed player. E.g., the header on
[http://areweflashyet.com](http://areweflashyet.com) is deployed that way and
works just fine in all modern browsers.

~~~
niutech
Well, it does not work in Chrome on iOS 7.

~~~
tschneidereit
Thanks, bug filed:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1133323](https://bugzilla.mozilla.org/show_bug.cgi?id=1133323)

------
maherbeg
I'm one of the developers on the video player used on that page. Great work
guys!

Edit: I should add in, the player is primarily Javascript with a small
rendering engine for Flash fallback. Even in the Flash case, everything is
controlled via JS through a flash bridge. We prioritize HTML5 video when
possible across browsers and devices.

~~~
cpeterso
maherbeg: thanks!

Our team was uncertain how to reach at Amazon to get your blessing. :) If you
(or Amazon management :) have any problems or concerns, _please_ feel free to
email me at cpeterson at mozilla dot com!

re HTML5 video: do you use it on desktop browsers? Mozilla is working hard to
improve our HTML5 video implementation. Can we opt in Firefox for HTML5 video?
Playing Flash videos in Shumway is just a stepping stone on the path to HTML5
video.

~~~
maherbeg
We do allow HTML5 video on Firefox for Windows. On Mac, we disallow it.

We feature detect everything but have been prioritizing Flash at the moment
due to issues with Chrome and HTML5 video.

~~~
cpeterso
> * We do allow HTML5 video on Firefox for Windows. On Mac, we disallow it.*

Interesting. Is HTML5 video the default on Firefox for Windows or only used
when Flash is not installed? (I only have a Mac.)

Have you found specific Firefox problems with HTML5 video on Mac? Feel free to
email me if you have questions for Firefox's video team about debugging or
optimization. They are friendly folks. :)

------
JoshTriplett
Sounds like Shumway is already further along than Gnash or Lightspark.

What versions of SWF does Shumway aim to support? 7, 8, 9, 10, all of the
above?

How does Shumway interact with click-to-play and similar mechanisms to stop
unwanted Flash objects from playing? Does it have that functionality built-in?

~~~
cpeterso
Shumway is implementing APIs as needed, not targeting a specific SWF version.

Shumway does not currently support click-to-play because it is not a real
browser plugin. It hooks into Firefox's click-to-play mechanism to
conditionally override the Flash plugin. This is a hack and will soon be
replaced with "jsplugins", a Firefox feature that will allow browser plugins
to be written in JS and run in an out-of-process sandbox:

[https://bugzil.la/jsplugins](https://bugzil.la/jsplugins)

~~~
sp332
Will this be more secure than Adobe's Flash, since that already runs in a
separate process?

~~~
brohee
Since it won't be native code, they'll only be able to abuse a FF bug exposed
by the JS plugin API, but should be in a very bad position to exploit a kernel
bug...

Same process isolation, but the JS plugin got a vastly reduced surface to
attack.

~~~
tschneidereit
Exactly. We did a survey of Flash exploits from the last few years and almost
all of them would simply have been impossible in Shumway. That doesn't mean
that Shumway will automatically free of all security bugs, but the whole class
of bugs that in some way is caused by memory corruption is only possible
through bugs in Firefox's JS engine SpiderMonkey. Of course it's much easier
to just exploit them in JS directly then, so Shumway doesn't increase the
surface attackable through bugs like that.

------
endgame
Cool tech, but I'm a bit sad that I can't watch Shumway[1] using Shumway.

[1]:
[http://www.albinoblacksheep.com/flash/shumway](http://www.albinoblacksheep.com/flash/shumway)

~~~
yellowapple
You actually can; I'm doing so right now. However, you need to install the
full Shumway extension from
[http://www.areweflashyet.com/shumway/](http://www.areweflashyet.com/shumway/)
(the stripped-down version shipping in Nightly is limited to Amazon only).

If you use Shumway, though, don't forget to disable Adobe's Flash (I've found
that having it enabled _and_ Shumway installed results in rather brutal
crashes).

~~~
tschneidereit
Can you give steps to reproduce this crash? It should definitely _not_ happen.
In fact, until
[https://bugzilla.mozilla.org/show_bug.cgi?id=558184](https://bugzilla.mozilla.org/show_bug.cgi?id=558184)
is implemented we rely on an installed Flash plugin to make the Flash
detection used by most sites work.

~~~
yellowapple
Steps:

0) Have a Macbook Air running OS X Yosemite

1) Install Firefox

2) Install Adobe Flash

3) Install Nightly

4) Install Shumway

5) Attempt to open
[http://www.albinoblacksheep.com/flash/shumway](http://www.albinoblacksheep.com/flash/shumway)

6) Watch Firefox complain that the tab crashed

7) Try to reload the tab

8) GOTO 6

Disabling Flash (via the Addons screen in Firefox/Nightly) seems to fix the
issue.

------
snissn
How do you go from swf files to "action script"? Do you use flasm/flare for
as2? How do you turn as3 abc files into action script? Did you write your own
decompiler or use some other open source ones? There's a disassembler written
in D for as3 that I used to use called rabcdasm, did your team ever take a
look at that?

~~~
CyberShadow
> There's a disassembler written in D for as3 that I used to use called
> rabcdasm, did your team ever take a look at that?

RABCDAsm author here. Curious about the same, I've always thought the project
might be useful to VM implementers. Also wondering if you've had trouble with
obfuscators that employ control flow obfuscation, and create unreachable basic
blocks with junk code.

~~~
cpeterso
Yes, definitely! SWF obfuscators are a problem because they rely on
undocumented behavior and implementation details of the Flash plugin that the
Shumway developers must debug and support to maintain compatibility.
Obfuscated AS1 code can do strange things like jumping to unaligned SWF
addresses in the middle of bytecodes.

~~~
CyberShadow
> Obfuscated AS1 code can do strange things like jumping to unaligned SWF
> addresses in the middle of bytecodes.

Oh, I've seen much worse. The AS1 VM actually treats the entire SWF file
(after decompression) as an AS program. That means it's possible to jump
outside of the bytecode tag and into e.g. the metadata of a JPEG file.

~~~
userbinator
Reminds me of one highly-regarded (at the time) obfuscator whose operation
consisted entirely of renaming the existing bytecode tags to a reserved value,
and adding a bytecode tag after it with lots of useless code including opaque
predicates which eventually jumped out of the tag, backwards, into the
original code. A bit of a letdown as I was looking for a challenge at the
time, but that jump out of the tag was sure easy to detect and unobfuscate...

(This is something that is still _not_ fixed in Gnash, so Shumway is certainly
farther along.)

~~~
mbebenita
We can detect when bytecode is not well formed and fall back on
interpretation, which can handle these nasty cases. This is more of a problem
for AVM1 than AVM2.

------
Torgo
Does anyone have experience trying this with Firefox on PowerPC or ARMHF
Linux? These platforms don't have any working Flash versions from Adobe...

~~~
yellowapple
I'm wondering the same. I have a PowerBook G4 running OpenBSD 5.6 that I
suppose I could test with, though Firefox has traditionally been pretty slow
on that particular machine.

------
maherbeg
I just tested against Firefox Nightly on the amazon pages and it doesn't
appear to be even loading the Flash renderer.

We feature detect flash via the navigator.plugins object and from that thread
it doesn't look like shumway is listed there.

(I'm a dev on that player)

~~~
tschneidereit
(Shumway tech lead here)

Somewhat absurdly, you currently need Flash to use Flash without Flash in many
cases. We don't yet have support for installing Shumway in navigator.plugins,
so sites that detect Flash using that (i.e., most of them) currently only work
in Shumway if Flash is installed, too.

This will be fixed once
[https://bugzilla.mozilla.org/show_bug.cgi?id=558184](https://bugzilla.mozilla.org/show_bug.cgi?id=558184)
lands.

------
mburns
> "Note that Shumway will _not_ play Amazon's "Instant Video" films and TV
> shows. Those videos use Microsoft's Silverlight plugin for DRM."

~~~
yohui
Amazon Instant Video can also use Flash. See "Player Preferences":
[https://smile.amazon.com/gp/video/settings](https://smile.amazon.com/gp/video/settings)

~~~
cpeterso
Thanks! I didn't know that. I just tested an Amazon Instant Video in Shumway,
but the video fails to load because Amazon's video player uses some Flex
libraries that Shumway doesn't support yet.

------
tux
Tried it on Arch Linux + Firefox v35 works smoother than flash plugin. Used
AUR package here: [https://aur.archlinux.org/packages/firefox-extension-
shumway...](https://aur.archlinux.org/packages/firefox-extension-shumway/)
Can't wait for this to replace everything flash. Thank You, shumway team :-)

------
bobajeff
I'm waiting until they get JWPlayer working. So many sites still use it.

~~~
cpeterso
JWPlayer support is difficult because there are many JWPlayer variants and old
versions out there. It's easier to test and whitelist individual websites to
start.

~~~
duskwuff
Why bother emulating it, though? If you can recognize it, and recognize that
it's not using any unusual settings, you could potentially just replace the
whole thing with a native video player.

~~~
cpeterso
That's a good question. Video is just one use case for Shumway. This specific
use case might be better supported by rewriting Flash <object> tags with an
HTML5 video player, but Mozilla dislikes adding hacks to workaround site-
specific quirks. The hacks are technical debt carried by Firefox on behalf of
websites that don't bother to maintain themselves. Mozilla even removes _moz-_
prefixed DOM APIs and CSS attributes when the standardized, unprefixed name is
supported.

~~~
Kliment
Sounds like a perfect use case for an addon then!

------
lewisl9029
Only somewhat related, but is there still no way to access the clipboard in a
web app without flash?

~~~
skrowl
Imagine a web where you could just write to the users clipboard without a
plugin + requiring a click.

It would NEVER be safe to Ctrl+V again!

~~~
lewisl9029
The requiring a click part is the only relevant implementation detail for this
functionality, in my opinion. Whether or not it requires a plugin shouldn't
matter.

In fact, requiring a plugin for this functionality only serves to increase the
attack surface for the browser as a platform.

------
rat87
This is so cool, so more need to install hal?

------
sunlight
Verified@Twitter.com Bass word

------
rcthompson
> Shumway needs H.264 video decoders that may not be available on Windows XP
> or Linux.

Today I learned that Firefox still supports Windows XP.

~~~
cpeterso
About 25% of Firefox Windows users run Windows XP.

~~~
rplnt
Is that a real number? I've seen a huge decrease in Windows XP users over the
last year, from almost 20% to bellow 10%. But that was for different product,
so I'm wondering if FF got it this bad.

~~~
cpeterso
Yes, though I don't have a public source for it. I don't know why Firefox's OS
version statistics are not public. Wikipedia says 49% of computers in China
run Windows XP:
[https://en.wikipedia.org/wiki/Windows_XP#Support_lifecycle](https://en.wikipedia.org/wiki/Windows_XP#Support_lifecycle)

Microsoft added its "Genuine Windows" copy protection in XP SP3, so XP SP2 is
especially common. (Firefox supports both XP SP3 and SP2.)

~~~
yuhong
This is a myth actually, and I hope they can kill XP SP2 support in 2015. At
least getting rid of the SHA1 cert at the download site at the end of 2015

