
Security issues when loading SWF

darloScott test

Hi,

 

This is linked to my last post viewtopic.php?f=6&t=4484 but I thought it was unique enough for a separate thread. I have found a number of posts with similar issues but none the same as mine, so sorry for any crossover in content.

 

The problem is simple: I'm loading a swf which contains MovieClips, each of which follows an interface called IStyleable. I load the swf into the main application and access the Class inside the swf by using getClass:

 

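// Look up the HeaderBar class definition exported by the loaded swf
var ClassReference:Class = _loader.getClass("HeaderBar");
// Instantiate it and add it to the display list of the main application
_mainHeader = new ClassReference();
addChild(_mainHeader);
_mainHeader.y = 200;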

 

As the main application uses a singleton style manager, it sets up the styles and automatically styles any classes which use the IStyleable interface. So as soon as the _mainHeader is added it gets styled successfully.

 

Now for the problem:

 

This all works fine when I load the external swf into the same domain as the main application:

_loader = new SWFLoader($path, {onComplete:completeHandler});

 

However, when I load the swf from its own domain (so that I can unload it successfully, see previous post viewtopic.php?f=6&t=4484) the compiler gives me sandbox errors and the debug message points to the greensock.loading.SWFLoader?_rslAddedHandler. I have tried to set the loader's context to SecurityDomain.currentDomain so that the loaded swf's security domain is the same as the main application but this only created more sandbox errors. After looking on various forums I have tried many different solutions, but with no luck. I believe that when the swf is loaded from the separate application domain the main application can access the classes inside the swf but cannot access its methods (which I need as the movieclip needs to be styled using the StyleManager in the main application).

 

I have posted my source files from my FDT project, it uses robotlegs and other swc's but the paths are relative and should work fine. In main.as, if you comment out line 73 and uncomment 75 the application will load as expected, but as it is, the sandbox issues occur. Ideally I want the loaded swf to behave as if it is in the same domain as the main application, but I'm sure that is easier said than done.

 

UPDATE

The sandbox issue doesn't appear to occur when running in the browser on the local server (http://localhost/PP3/Main.html). However, when I publish from FDT to the local server folder I get the errors. I really don't want to be running my application in the browser to get it to work and want to debug within FDT without all these sandbox errors.

 

 

Any help with this would be greatly appreciated,

 

Scott

Link to comment
Share on other sites

Yeah, I couldn't get your files to compile properly. Looks like some stuff is missing causing compiler errors and such. Feel free to repost a more complete set of files that compile properly and I'll take a peek.

 

Also, I noticed you're using pretty stale versions of the GreenSock classes. I'd strongly recommend downloading the latest versions. http://www.greensock.com/loadermax/

 

As for the security errors, beware that Flash won't allow you to set a SecurityDomain in a LoaderContext when you're running locally (totally annoying, I know). And it will ALWAYS force local and remote stuff into distinct SecurityDomains which means you cannot cross-script local and remote files/classes. This might explain why you're getting it to work fine when everything is served in a non-local manner (over http).

Link to comment
Share on other sites
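
The behaviour described in the reply above, as an added ActionScript 3 example that is not part of the original thread or of LoaderMax: a helper that sets `LoaderContext.securityDomain` only when the parent SWF runs in the remote sandbox, so the same build can be debugged locally and deployed over http. The class name `SandboxAwareLoading` and its two functions are hypothetical; `SWFLoader`'s `context` var, `Security.sandboxType` and `SecurityDomain.currentDomain` are existing APIs.

```actionscript
package {
    import com.greensock.loading.SWFLoader;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;
    import flash.system.Security;
    import flash.system.SecurityDomain;

    // Hypothetical helper (not LoaderMax code): picks a LoaderContext that is
    // legal for the sandbox the parent SWF is currently running in.
    public class SandboxAwareLoading {

        public static function buildContext():LoaderContext {
            // Child ApplicationDomain: the loaded SWF resolves shared
            // definitions (such as an interface compiled into both SWFs)
            // from the parent first, while its own classes stay in a domain
            // that can be released when the SWF is unloaded.
            var appDomain:ApplicationDomain =
                new ApplicationDomain(ApplicationDomain.currentDomain);
            var context:LoaderContext = new LoaderContext(false, appDomain);

            // Only a SWF served over the network (Security.REMOTE) may ask
            // for the child to be imported into its own SecurityDomain.
            // In the local sandboxes the player rejects the property, so it
            // is left null and cross-scripting with remote content stays
            // blocked, as the reply above explains.
            if (Security.sandboxType == Security.REMOTE) {
                context.securityDomain = SecurityDomain.currentDomain;
            }
            return context;
        }

        public static function load(path:String, onComplete:Function):SWFLoader {
            // Log the sandbox so a local debug run is easy to tell apart
            // from a run served over http.
            trace("sandbox:", Security.sandboxType);
            var loader:SWFLoader = new SWFLoader(path,
                {context: buildContext(), onComplete: onComplete});
            loader.load();
            return loader;
        }
    }
}
```
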

Thanks for taking a look, sorry you couldn't get the example to work. I have uploaded an attachment which is a very simple, stripped down version, which should work fine if you just compile main.fla. If you see line 100 of Main.as you'll see the comment which will toggle between loading in separate domains to the main application domain.

 

It sounds like you've probably already identified the issue I am having, when run locally the player is blocking cross-scripting so the classes from the external swf's cannot be accessed from the StyleManager in the main application domain. It's not ideal, but I suppose I could load the external swf's into the main application domain until I need to deploy the application and then I can switch to separate domains and test on the server.

 

Thanks again for your help, it's been driving me crazy.

 

Scott

Link to comment
Share on other sites

Yeah, unfortunately there's just no way to make Flash load local and remote stuff into the same SecurityDomain (obviously for security reasons). At least I've never found a way and it seems like something that should be impossible anyway, otherwise hackers could do some funky damage.
