HTML content has different security considerations than SWF-based
content, primarily due to the ability of JavaScript to create
dynamically generated code. Dynamically generated code, such as that
which is made when calling the eval() function, could pose a security
risk if allowed within the application sandbox. For example, an
application could inadvertently execute a string loaded from a network
sandbox, and that string may contain malicious code, such as code to
delete or alter files on the user’s computer or to report back the
contents of a local file to an untrusted network domain.

Ways to generate dynamic code include the following:
- Calling the eval() function.
- Setting innerHTML properties or calling DOM functions to insert
  script tags to load a script outside the resource directory.
- Setting innerHTML properties or calling DOM functions to insert
  script tags that have in-line code (rather than loading a script
  via the src).
- Setting the src for script tags for content in the application
  sandbox to a file that is not in the application resource directory.
- Using the javascript URL scheme (as in
  href="javascript:alert('Test')").

Code in the application security sandbox can only use these methods
while content is loading from the application directory. This prevents
code in the application sandbox, which has access to the full AIR
APIs, from executing scripts from potentially untrusted sources.
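
The patterns listed above can be flagged during code review, before content is packaged to run in the application sandbox. The following is an added example, not code from Adobe or the AIR documentation; the function names, the regex heuristics, and the treatment of relative paths and app:/ URLs as inside the application directory are assumptions of this example.

```javascript
// Heuristic review aid: flags the dynamic-code patterns listed above.
// It is a regex scan of source text, not AIR's runtime enforcement.
const CHECKS = [
  { id: "eval-call", re: /\beval\s*\(/g },
  { id: "innerHTML-assignment", re: /\.innerHTML\s*\+?=(?!=)/g },
  { id: "javascript-url", re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  { id: "dom-script-insert", re: /createElement\s*\(\s*["']script["']\s*\)/gi },
];

// Assumption: relative paths and app:/ URLs resolve inside the application
// directory; any other scheme or a protocol-relative URL points outside it.
function isOutsideAppDirectory(src) {
  if (src.startsWith("//")) return true;
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(src);
  return scheme !== null && scheme[1].toLowerCase() !== "app";
}

// 1-based line number of a match offset, for reporting.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

function findDynamicCode(source) {
  const findings = [];
  for (const { id, re } of CHECKS) {
    for (const m of source.matchAll(re)) {
      findings.push({ id, line: lineOf(source, m.index) });
    }
  }
  // Static <script> tags: report a src that leaves the application directory.
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of source.matchAll(scriptTag)) {
    const src = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    if (src && isOutsideAppDirectory(src[1])) {
      findings.push({ id: "script-src-outside-app", line: lineOf(source, m.index) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page (not taken from the AIR documentation).
const SAMPLE = [
  '<script src="lib/ui.js"></script>',
  '<script src="http://cdn.example.com/widget.js"></script>',
  '<script>function onFeed(t) { var d = eval("(" + t + ")");',
  '  document.getElementById("out").innerHTML = d.title; }</script>',
  '<a href="javascript:alert(\'Test\')">test</a>',
].join("\n");
console.log(findDynamicCode(SAMPLE));
```
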

Content from non-application security sandboxes can generate
dynamic code using these methods. However, this content does not have
direct access to the AIR APIs. The AIR sandbox bridge feature provides
a means for code in non-application security sandboxes to interact
with code in the application sandbox in ways that are limited and
decided by the application code.

AIR applications can generate HTML content from string variables
(rather than loading it from files or network sources). However,
by default, HTML content generated from strings is not given application
sandbox privileges. This prevents the application from inadvertently
granting application access to string content obtained from potentially
unsafe internet sources.

Note: On mobile devices, AIR uses the web control provided by the
host operating system. Content running in this control does not
have access to the AIR APIs and is never loaded or executed in the
application security sandbox.

For details on HTML security, see “AIR Security” in the developer
documentation:
- For ActionScript (Flash and Flex) developers, see AIR Security in
  the ActionScript 3.0 Developer’s Guide.
- For Ajax developers, see AIR Security in the HTML Developer’s Guide
  for Adobe AIR.

Also, see the Adobe AIR HTML Security white paper.