The files you install with the AIR application have access to
the AIR APIs. For security reasons, content from other sources does
not. For example, this restriction prevents content from a remote
domain (such as http://example.com) from reading the contents of the
user’s desktop directory (or worse).

Because there are security loopholes that can be exploited through
calling the eval() function (and related APIs), content installed
with the application, by default, is restricted from using these
methods. However, some Ajax frameworks rely on calling the eval()
function and related APIs.

To properly structure content to work in an AIR application,
you must take the rules for the security restrictions on content
from different sources into account. Content from different sources
is placed in separate security classifications, called sandboxes
(see Security sandboxes). By default, content installed with the
application is installed in a sandbox known as the application
sandbox, and this grants it access to the AIR APIs. The application
sandbox is generally the most secure sandbox, with restrictions
designed to prevent the execution of untrusted code.

The runtime allows you to load content installed with your application
into a sandbox other than the application sandbox. Content in
non-application sandboxes operates in a security environment similar
to that of a typical web browser. For example, code in non-application
sandboxes can use eval() and related methods (but at the same
time is not allowed to access the AIR APIs). The runtime includes
ways to have content in different sandboxes communicate securely
(without exposing AIR APIs to non-application content, for example).
For details, see Cross-scripting content in different security sandboxes.

If you call code that is restricted from use in a sandbox for
security reasons, the runtime dispatches a JavaScript error: “Adobe
AIR runtime security violation for JavaScript code in the application
security sandbox.”

To avoid this error, follow the coding practices described in
the next section, Avoiding security-related JavaScript errors.

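Code that must stay in the application sandbox cannot use eval() to parse incoming data or to call a function by name. The following added example (not from the Adobe documentation) shows both idioms replaced with eval-free equivalents; the message format and handler names are constructed for illustration, and a runtime with native JSON.parse is assumed.

```javascript
// Added example (not Adobe's code): handling a service message without eval().
// The message format and handler names are constructed for illustration.

// Allowlist of actions the application is willing to perform (hypothetical).
const handlers = Object.freeze({
  setTitle: (args) => ({ title: String(args.title).slice(0, 80) }),
  setVolume: (args) => {
    const level = Number(args.level);
    if (!Number.isFinite(level) || level < 0 || level > 100) {
      throw new RangeError("level out of range");
    }
    return { volume: level };
  },
});

// Replaces the eval("(" + text + ")") idiom: JSON.parse accepts data only,
// so a payload that carries code is rejected instead of being executed.
function parseMessage(text) {
  let msg;
  try {
    msg = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: "not valid JSON" };
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, error: "expected an object" };
  }
  return { ok: true, msg };
}

// Replaces the eval(name + "(args)") idiom: the name is only ever used as a
// key into the allowlist, never interpreted as source code.
function dispatch(text) {
  const parsed = parseMessage(text);
  if (!parsed.ok) return parsed;
  const { action, args } = parsed.msg;
  const known = typeof action === "string" &&
    Object.prototype.hasOwnProperty.call(handlers, action);
  if (!known) return { ok: false, error: "unknown action" };
  try {
    return { ok: true, result: handlers[action](args || {}) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```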
For more information, see HTML security in Adobe AIR.