allow application content to safely cross-script content loaded
from outside the application install directory, you can use frame or iframe elements
to load application content into the same security sandbox as the
external content. If you do not need to cross-script remote content,
but still wish to load a page of your application outside the application
sandbox, you can use the same technique, specifying http://localhost/ or
some other innocuous value, as the domain of origin.
AIR adds the new attributes, sandboxRoot and documentRoot,
to the frame element that allow you to specify whether an application
file loaded into the frame should be mapped to a non-application
sandbox. Files resolving to a path underneath the sandboxRoot URL
are loaded instead from the documentRoot directory.
For security purposes, the application content loaded in this way
is treated as if it was actually loaded from the sandboxRoot URL.
The sandboxRoot property specifies the URL to
use for determining the sandbox and domain in which to place the
frame content. The file:, http:,
or https: URL schemes must be used. If you specify
a relative URL, the content remains in the application sandbox.
The documentRoot property specifies the directory
from which to load the frame content. The file:, app:,
or app-storage: URL schemes must be used.
The following example maps content installed in the sandbox subdirectory
of the application to run in the remote sandbox and the www.example.com domain:
from the local, sandbox folder using the following
It could also load content from a directory on the remote server
using a script tag such as the following:
The sandboxRoot URL will mask any content at
the same URL on the remote server. In the above example, you would
not be able to access any remote content at www.example.com/local/ (or
any of its subdirectories) because AIR remaps the request to the
local application directory. Requests are remapped whether they
derive from page navigation, from an XMLHttpRequest, or from any
other means of loading content.