On 11/6/14, 12:51 AM, "Justin Mclean" <jus...@classsoftware.com> wrote:

>Hi,
>
>> If trustContent=false, the SWFLoader doesn’t know it loaded another Flex
>> SWF.  There is code in SWFLoader that tries to size loaded Flex SWFs
>> differently than other SWFs.
>
>From what I can see (but not 100% sure) it's loadForCompatibility not
>trustContent. Setting loadForCompatibility to true breaks the sizing of
>all examples not just the 3rd party ones.

trustContent is for import-loading.  loadForCompatibility is for Marshall
Plan loading.  Unless both the loading and loaded SWFs have the
MarshallingSupport linked in, setting loadForCompatibility will cause
problems because SWFLoader will try to use the marshaling protocol to
communicate between SWFs and the implementation code is not linked in.

>
>> We have to decide how secure we want to be.  If we accidentally leave a
>> hole where someone can inject a URL to load, it might get exploited.  If
>> we put a whitelist in an XML file on our server, that might be secure
>> enough.
>
>AFAIK Having trustContent = false is the most secure, which is what we
>currently do.

Yes, which is why it is the default.  That’s why, when discussing
import-loading, I also mentioned a whitelist.  You would only set
trustContent=true when the URL was in the whitelist.

Now, having slept on this, my new recommendation is that we forget
import-loading and require 3rd party examples to use Marshall Plan and we
add Marshalling Support to TDF and use loadForCompatibility only for
loading 3rd party content.  We could have it on all the time and add
marshaling support to all 300 examples, but it adds some weight.

The main reason to use Marshall Plan, besides its ability to talk to
sandboxed 3rd party content, is this:  Any SWF that is import-loaded MUST
be on the same version of the Flex SDK otherwise there is a risk of verify
errors if the APIs in any SDK class the 3rd Party content depends on are
changed.  As we get more and more 3rd party content and make new releases
of Apache Flex, it will become too painful to try to get all 3rd parties
synced up to the latest Flex SDK before we cut a new TDF release.

3rd party contributors: how does this sound to you?

-Alex
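
The whitelist gate described in the message above for import-loading (trustContent=true only when the URL is in the whitelist), as an added example that is not part of the original message or of the TDF code. The class name, the list and the `examples.invalid` host are hypothetical; the match is on the exact origin rather than a URL prefix, so a look-alike host cannot pass.

```actionscript
package
{
    import mx.controls.SWFLoader;
    import mx.utils.URLUtil;

    // Added example; class, method and list names are hypothetical.
    public class AllowlistedLoad
    {
        // Constructed entry in "protocol://host:port" form. The thread suggests
        // keeping the real list in an XML file on the project's server.
        private static const ALLOWED_ORIGINS:Array = ["https://examples.invalid:443"];

        // Returns "protocol://host:port" for an http(s) URL, or null.
        public static function originOf(url:String):String
        {
            // Fail closed on userinfo ("user@host") and backslashes, which
            // can make the parsed host differ from the host actually contacted.
            if (url == null || url.indexOf("@") != -1 || url.indexOf("\\") != -1)
                return null;
            var protocol:String = URLUtil.getProtocol(url).toLowerCase();
            if (protocol != "http" && protocol != "https")
                return null;
            var host:String = URLUtil.getServerName(url).toLowerCase();
            if (host == "")
                return null;
            var port:uint = URLUtil.getPort(url); // 0 when the URL has no port
            if (port == 0)
                port = (protocol == "https") ? 443 : 80;
            return protocol + "://" + host + ":" + port;
        }

        // Import-loads (trustContent=true) only from an exactly matching
        // origin; every other URL keeps the sandboxed default.
        public static function load(loader:SWFLoader, url:String):Boolean
        {
            var origin:String = originOf(url);
            var trusted:Boolean = origin != null && ALLOWED_ORIGINS.indexOf(origin) != -1;
            loader.trustContent = trusted;
            loader.loadForCompatibility = false; // Marshall Plan loading not used here
            loader.load(url);
            return trusted;
        }
    }
}
```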
