Security sandboxes



Client computers can obtain individual SWF files from a number of sources, such as from external web sites or from a local file system. Flash Player individually assigns SWF files and other resources, such as shared objects, bitmaps, sounds, videos, and data files, to security sandboxes based on their origin when they are loaded into Flash Player. The following sections describe the rules, enforced by Flash Player, that govern what a SWF file within a given sandbox can access.

For more information on Flash Player security, see the Flash Player Developer Center topic “Security” at www.adobe.com/go/devnet_security_en.

Remote sandboxes

Flash Player classifies assets (including SWF files) from the Internet in separate sandboxes that correspond to their website origin domains. By default, these files are authorized to access any resources from their own server. Remote SWF files can be allowed to access additional data from other domains by explicit website and author permissions, such as URL policy files and the Security.allowDomain() method. For details, see Website controls (policy files) and Author (developer) controls.

Remote SWF files cannot load any local files or resources.

Local sandboxes

Local file describes any file that is referenced by using the file: protocol or a Universal Naming Convention (UNC) path. Local SWF files are placed into one of four local sandboxes:

  • The local-with-filesystem sandbox—For security purposes, Flash Player places all local SWF files and assets in the local-with-filesystem sandbox, by default. From this sandbox, SWF files can read local files (by using the URLLoader class, for example), but they cannot communicate with the network in any way. This assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared.

  • The local-with-networking sandbox—When compiling a SWF file, you can specify that it has network access when run as a local file (see Setting the sandbox type of local SWF files). These files are placed in the local-with-networking sandbox. SWF files that are assigned to the local-with-networking sandbox forfeit their local file access. In return, the SWF files are allowed to access data from the network. However, a local-with-networking SWF file is still not allowed to read any network-derived data unless permissions are present for that action, through a URL policy file or a call to the Security.allowDomain() method. In order to grant such permission, a URL policy file must grant permission to all domains by using <allow-access-from domain="*"/> or by using Security.allowDomain("*"). For more information, see Website controls (policy files) and Author (developer) controls.

  • The local-trusted sandbox—Local SWF files that are registered as trusted (by users or by installer programs) are placed in the local-trusted sandbox. System administrators and users also have the ability to reassign (move) a local SWF file to or from the local-trusted sandbox based on security considerations (see Administrator controls and User controls). SWF files that are assigned to the local-trusted sandbox can interact with any other SWF files and can load data from anywhere (remote or local).

  • The AIR application sandbox—This sandbox contains content that was installed with the running AIR application. By default, files in the AIR application sandbox can cross-script any file from any domain. However, files outside the AIR application sandbox are not permitted to cross-script the AIR file. By default, files in the AIR application sandbox can load content and data from any domain.

Communication between the local-with-networking and local-with-filesystem sandboxes, as well as communication between the local-with-filesystem and remote sandboxes, is strictly forbidden. Permission to allow such communication cannot be granted by an application running in Flash Player or by a user or administrator.

Scripting in either direction between local HTML files and local SWF files—for example, using the ExternalInterface class—requires that both the HTML file and SWF file involved be in the local-trusted sandbox. This is because the local security models for browsers differ from the Flash Player local security model.

SWF files in the local-with-networking sandbox cannot load SWF files in the local-with-filesystem sandbox. SWF files in the local-with-filesystem sandbox cannot load SWF files in the local-with-networking sandbox.

Setting the sandbox type of local SWF files

You can configure a SWF file for the local-with-filesystem sandbox or the local-with-networking sandbox by setting the document’s publish settings in the authoring tool.

An end user or the administrator of a computer can specify that a local SWF file is trusted, allowing it to load data from all domains, both local and network. This is specified in the Global Flash Player Trust and User Flash Player Trust directories. For more information, see Administrator controls and User controls.

For more information on local sandboxes, see Local sandboxes.

The Security.sandboxType property

An author of a SWF file can use the read-only static Security.sandboxType property to determine the type of sandbox to which Flash Player has assigned the SWF file. The Security class includes constants that represent possible values of the Security.sandboxType property, as follows:

  • Security.REMOTE—The SWF file is from an Internet URL, and operates under domain-based sandbox rules.

  • Security.LOCAL_WITH_FILE—The SWF file is a local file, but it has not been trusted by the user and was not published with a networking designation. The SWF file can read from local data sources but cannot communicate with the Internet.

  • Security.LOCAL_WITH_NETWORK—The SWF file is a local file and has not been trusted by the user, but it was published with a networking designation. The SWF file can communicate with the Internet but cannot read from local data sources.

  • Security.LOCAL_TRUSTED—The SWF file is a local file and has been trusted by the user, using either the Settings Manager or a Flash Player trust configuration file. The SWF file can both read from local data sources and communicate with the Internet.

  • Security.APPLICATION—The SWF file is running in an AIR application, and it was installed with the package (AIR file) for that application. By default, files in the AIR application sandbox can cross-script any file from any domain. However, files outside the AIR application sandbox are not permitted to cross-script the AIR file. By default, files in the AIR application sandbox can load content and data from any domain.
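
The following ActionScript 3.0 class is an added example, not code from the original documentation. It branches on Security.sandboxType to request only a source the assigned sandbox is allowed to read, and it handles both the synchronous and the asynchronous security failure; the class name and both URLs are hypothetical.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.system.Security;

    // Added example: choose a data source the assigned sandbox may read.
    public class SandboxAwareLoader extends Sprite {
        // Hypothetical locations, for illustration only.
        private static const LOCAL_URL:String = "settings.xml";
        private static const REMOTE_URL:String = "https://www.example.com/settings.xml";

        public function SandboxAwareLoader() {
            switch (Security.sandboxType) {
                case Security.LOCAL_WITH_FILE:
                    load(LOCAL_URL); // local reads only; no network communication
                    break;
                case Security.LOCAL_WITH_NETWORK:
                    // Local reads are forfeited. Reading the response still needs a
                    // policy file on the server that grants access to all domains.
                    load(REMOTE_URL);
                    break;
                case Security.REMOTE:
                    // Data from the SWF file's own server needs no extra permission.
                    var swfUrl:String = loaderInfo.url;
                    load(swfUrl.substring(0, swfUrl.lastIndexOf("/") + 1) + LOCAL_URL);
                    break;
                default:
                    // Security.LOCAL_TRUSTED, or Security.APPLICATION under AIR:
                    // both local and network sources are readable.
                    load(LOCAL_URL);
            }
        }

        private function load(url:String):void {
            var loader:URLLoader = new URLLoader();
            loader.addEventListener(Event.COMPLETE, onComplete);
            loader.addEventListener(IOErrorEvent.IO_ERROR, onFailure);
            loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onFailure);
            try {
                loader.load(new URLRequest(url));
            } catch (e:SecurityError) {
                // Thrown synchronously when the sandbox forbids the request outright.
                trace("Blocked in sandbox " + Security.sandboxType + ": " + e.message);
            }
        }

        private function onComplete(e:Event):void { trace("Loaded " + String(URLLoader(e.target).data).length + " characters"); }
        private function onFailure(e:ErrorEvent):void { trace("Load failed in sandbox " + Security.sandboxType + ": " + e.text); }
    }
}
```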