The
Loader.loadBytes()
method
provides a way for an application to generate SWF content from a
byte array. However, injection attacks on data loaded from remote
sources could do severe damage when loading content. This is especially
true when loading data into the application sandbox, where the generated
SWF content can access the full set of AIR APIs.
There
are legitimate uses for using the
loadBytes()
method
without generating executable SWF code. You can use the
loadBytes()
method
to generate an image data to control the timing of image display,
for example. There are also legitimate uses that
do
rely
on executing code, such as dynamic creation of SWF content for audio
playback. In AIR, by default the
loadBytes()
method
does
not
let you load SWF content; it only allows you to
load image content. In AIR, the
loaderContext
property
of the
loadBytes()
method has an
allowLoadBytesCodeExecution
property,
which you can set to
true
to explicitly allow the
application to use
loadBytes()
to load executable
SWF content. The following code shows how to use this feature:
var loader:Loader = new Loader();
var loaderContext:LoaderContext = new LoaderContext();
loaderContext.allowLoadBytesCodeExecution = true;
loader.loadBytes(bytes, loaderContext);
If
you call
loadBytes()
to load SWF content and the
allowLoadBytesCodeExecution
property
of the LoaderContext object is set to
false
(the
default), the Loader object throws a SecurityError exception.
Note:
In a future release of Adobe
AIR, this API may change. When that occurs, you may need to recompile
content that uses the
allowLoadBytesCodeExecution
property
of the LoaderContext class.