Flex/AIR security is not designed to control what happens if an evil app
gets access to a computer's hard drive.  Once it can do that, it can
substitute an evil flash player, erase your hard drive, spread worms.
 
So, if you don't think your users have that level of control, then yes,
verify the SWFs before loading, but keep in mind, the evil app could
just modify your SWF that is doing the checking too.

________________________________

From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Mathews
Sent: Thursday, August 07, 2008 7:37 AM
To: [email protected]
Subject: Re: [flexcoders] Where are the AIR resources?



It turned out to be an issue on my part. I figured it out and got it
working.
 
As to security, now that my Flex swf is in the app directory, can't
someone just drop a new one in there and my AIR app think it is secure?
Do I need to verify swfs and html loaded from the app directory?


On Wed, Aug 6, 2008 at 6:12 PM, Alex Harui <[EMAIL PROTECTED]> wrote:


        Where's the HTML page loaded from?  Domain security rules apply
to that too.

________________________________

        
        From: [email protected] [mailto:[email protected]] On Behalf Of Steve Mathews
        Sent: Wednesday, August 06, 2008 4:20 PM
        To: [email protected]
        Subject: Re: [flexcoders] Where are the AIR resources?
        


        
        Ok, so after all this discussion (thank you by the way) I came
to the realization that what I needed to do is be running my Flex swf as
trusted. So I moved it and all my in-house created support swf to the
app directory so they are installed with the app. So far so good, as I
already had support for loading my resources from a different path by
setting a var in the embed code.
         
        Now I have a new issue in that when you hit Esc in my Flex swf I
call both an ExternalInterface call and an fscommand to let the container
know about it. I had it working where my hosting html page was getting
these calls, but now it doesn't seem to be. I would have expected it the
other way around where as non-trusted the calls would get lost and as
trusted they would work. Any ideas?
        
        
        On Tue, Aug 5, 2008 at 3:13 PM, Alex Harui <[EMAIL PROTECTED]> wrote:
        

                I'm sure there is a way to do that right now.  It might
be a planned feature for a future AIR release.  You can try it though.
                 
                This post:
http://weblogs.macromedia.com/emalasky/archives/2008/04/remote_plugins.html#more
implies that you can't and should use loadBytes instead.
                 
                -Alex

________________________________

                
                From: [email protected] [mailto:[email protected]] On Behalf Of Steve Mathews
                Sent: Tuesday, August 05, 2008 2:58 PM
                To: [email protected]
                Subject: Re: [flexcoders] Where are the AIR resources?
                


                
                Alex,
                 
                Yes, it isn't an error, just the security dialog because
my swf has -use-network=true but it is running locally. In theory I can
compile a 'local' version, but there are some webservices that I would
like to consume even on the desktop. Also, I don't think telling the
user to trust the app-storage folder is a good solution. You mention
getting it into the same directory as the main swf. Can you expand on
that comment?
                 
                Thanks
                
                
                On Tue, Aug 5, 2008 at 11:09 AM, Alex Harui <[EMAIL PROTECTED]> wrote:
                

                        You didn't say what error you are getting, but
I'll bet it is that a localWithNetworking swf can't access local assets.
                         
                        Good thing we have that security check otherwise
if you downloaded a spyware SWF, someone would be stealing your
identity.
                        So, no matter what, if you suck down SWF bits
and launch them locally, please find a way to validate them against a
man-in-the-middle attack.  We have a SHA library you can use.
                         
                        Once you truly trust the SWF bits, the next
question is why your SWF needs network access.  If it doesn't, turn it
off and you won't get warnings.  If it does need network access, I think
your choices are to find a way load it into a trusted directory (users
can opt to trust certain directories, or you somehow get it into the
same directory as the main SWF), or proxy the network I/O or file system
I/O through the main app.
                         
                        I don't think HTMLLoader or an intermediary HTML
file is going to help.
                         
                        -Alex

________________________________

                        
                        From: [email protected] [mailto:[email protected]] On Behalf Of Steve Mathews
                        Sent: Tuesday, August 05, 2008 10:48 AM
                        To: [email protected]
                        Subject: Re: [flexcoders] Where are the AIR resources?
                        


                        
                        Let me give some specific examples so hopefully
we can get this to work.
                         
                        What I am creating is a "player" for a custom
file type. The file is basically a zip (with different extension) that
when opened is extracted to the app-storage location. This is just
resources. Next I have a Flex based swf that can actually run with these
resources. What I was thinking is that I could just copy this swf (and
some others that it loads) into the app-storage directory and load it.
                         
                        So what I have started with is a Flex based AIR
application that registers as the default for the file extension, loads
the file and extracts it to the app-storage. After I copy (manually for
now) the external Flex swf and an html page to the app-storage, I load
the html into AIR using the HTMLLoader. Eventually I would like to be
able to update the external swf and some of the other supporting swfs,
so please keep that in mind when making recommendations.
                         
                        Thanks for the help,
                        Steve


                         
                        On Mon, Aug 4, 2008 at 5:11 PM, Alex Harui <[EMAIL PROTECTED]> wrote:
                        

                                Just so I'm clear.  You have an AIR SWF
based on Flex that is using HTMLLoader to load another Flex SWF off the
web?  Are the two SWFs supposed to be able to communicate?  What error
are you getting?
                                 
                                FWIW, the Marshall Plan will allow an
AIR/Flex SWF to load another Flex SWF off the web directly, but the
loaded SWF will be untrusted and can't access AIR things like
NativeWindow and the file system.

________________________________

                                From: [email protected] [mailto:[email protected]] On Behalf Of Jim Hayes
                                Sent: Monday, August 04, 2008 4:58 PM
                                To: [email protected]
                                Subject: RE: [flexcoders] Where are the AIR resources?
                                
                                

                                

                                > My understanding is that because I
can't load Flex into Flex

                                

                                I missed that bit (and was unaware of
that in any case, never tried it so far), so I don't think I can offer
any useful advice I'm afraid.

                                Sorry about that, hopefully someone else
can comment/advise.

                                

                                -----Original Message-----
                                From: [email protected] [mailto:[email protected]] On Behalf Of Steve Mathews
                                Sent: 05 August 2008 00:49
                                To: [email protected]
                                Subject: Re: [flexcoders] Where are the AIR resources?

                                

                                My AIR app is Flex based. I am using the
HTMLLoader to load a (currently) standard html page with the Flex swf
embedded. This HTMLLoader is in a new Native Window (in case that makes
any difference).

                                

                                My understanding is that because I can't
load Flex into Flex this method runs the loaded html in a separate
security/application domain. Would I benefit by creating a new Native
Window with a html source (can I even do that?), then loading the Flex
into that window?

                                

                                Thanks,

                                Steve

                                On Mon, Aug 4, 2008 at 3:46 PM, Jim Hayes <[EMAIL PROTECTED]> wrote:

                                Are you loading it into an html based
AIR app using the built in flash plugin?

                                Or loading it via swfLoader into an
AS/mxml based application?

                                

                                -----Original Message-----
                                From: [email protected] [mailto:[email protected]] On Behalf Of Steve Mathews
                                Sent: 04 August 2008 23:34
                                To: [email protected]
                                Subject: Re: [flexcoders] Where are the AIR resources?

                                

                                Specifically I have a Flex based swf
that I am loading into my AIR app. It is dynamically driven (i.e.
external content) and is intended to be running on the web. So of course
in its compiler options I have -use-network=true. So when run from the
desktop you get the security dialog asking if you would like to allow
it. My question is, would it be possible to get around this? I trust the
swf as I created and maintain it, but I would rather not have two
versions of it (one for web, one for local).

                                

                                Thanks,

                                Steve

                                2008/8/4 Dimitrios Gianninas <[EMAIL PROTECTED]>

                                I've been building AIR apps recently, I
always look at the online docs at
http://livedocs.adobe.com/flex/3/html/index.html

                                

                                I usually ask my questions on this
list...just a habit. What questions do you have?

                                

                                Dimitrios Gianninas

                                RIA Developer and Team Lead

                                Optimal Payments Inc.

                                

                                

                                
________________________________


                                From: [email protected] [mailto:[email protected]] On Behalf Of Steve Mathews
                                Sent: Monday, August 04, 2008 2:06 PM
                                To: [email protected]
                                Subject: [flexcoders] Where are the AIR resources?

                                

                                I am trying to learn more about building
AIR apps, but it seems that when I run into a roadblock I have a lot of
trouble finding information. I am subscribed to apollocoders, but that
list is next to dead (although I did get a couple answers from there).
Is this just a sign that hardly anyone is using the technology, or am I
just missing where all the talk is? I am looking for any sites or lists
where there is better info than just what is in the help docs.

                                

                                

                                

                                

                                

                                

                                

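The check discussed in this thread, validating downloaded SWF bits against a known SHA digest before handing them to loadBytes, shown in ActionScript 3 as an added example (not code from the thread or from Adobe). `VerifiedSwfLoader`, its callbacks and the digest placeholder are hypothetical; the block assumes Flex 3's `mx.utils.SHA256`, AIR's `LoaderContext.allowLoadBytesCodeExecution`, and an expected digest that ships inside the signed AIR package.

```actionscript
package {
    import flash.display.Loader;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.net.URLRequest;
    import flash.net.URLStream;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;
    import mx.utils.SHA256;
    // Hypothetical helper: fetches SWF bytes and loads them only if their digest matches.
    public class VerifiedSwfLoader {
        // Placeholder: known-good digest, packaged inside the signed .air file at build time.
        private static const EXPECTED_SHA256:String = "<sha-256 hex digest of the released SWF>";
        private var stream:URLStream = new URLStream();
        private var onLoaded:Function;   // called with the Loader when the digest matches
        private var onRejected:Function; // called with a reason string otherwise
        public function VerifiedSwfLoader(onLoaded:Function, onRejected:Function) {
            this.onLoaded = onLoaded;
            this.onRejected = onRejected;
            stream.addEventListener(Event.COMPLETE, onComplete);
            stream.addEventListener(IOErrorEvent.IO_ERROR, onFailure);
            stream.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onFailure);
        }
        public function load(url:String):void {
            stream.load(new URLRequest(url));
        }
        private function onComplete(event:Event):void {
            var bytes:ByteArray = new ByteArray();
            stream.readBytes(bytes); // length 0 means "everything received"
            stream.close();
            bytes.position = 0;
            var actual:String = SHA256.computeDigest(bytes).toLowerCase();
            if (actual != EXPECTED_SHA256.toLowerCase()) {
                onRejected("digest mismatch: " + actual); // bytes never reach loadBytes
                return;
            }
            bytes.position = 0;
            var context:LoaderContext = new LoaderContext();
            // AIR only: lets the verified bytes execute with application privileges.
            context.allowLoadBytesCodeExecution = true;
            var loader:Loader = new Loader();
            loader.loadBytes(bytes, context);
            onLoaded(loader);
        }
        private function onFailure(event:Event):void {
            onRejected("download failed: " + event.type);
        }
    }
}
```

This covers bits tampered with in transit or in app-storage; as the top reply in the thread points out, it does not help once something can rewrite the application's own files, since the checker itself can then be replaced.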