Log in

Stupid Flash tricks: The "local-trusted" security sandbox. - Adventures in Engineering
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2009-11-10 14:54
  Subject:   Stupid Flash tricks: The "local-trusted" security sandbox.

When you run a SWF file, Adobe has set up the Flash security model so that SWF can be one (and only one) of these:

"local-filesystem" - The SWF can access local files, but cannot access any network resources. Including, say, a network socket.

"local-with-networking" - The SWF can access network sockets, but cannot access any local files. (Standard restrictions on network sockets - i.e. crossdomain-policy.xml and such - still apply.)

SWF files that need to communicate via sockets will, of course, need network access. And this will cut them off from loading local files. That probably won't be a big problem most of the time. Your SWFs probably aren't loading stuff from files on the hard drive.

You can change between these two options by re-compiling/re-exporting your SWF file. In CS4 (on the PC) this option is in File/Publish Settings/Flash tab/Local Playback Security. If you're using Flex, this is the "-use-network=yes" command line option to the mxmlc compiler.

However, if for some reason you need both network and file access, there is another way. This only works if you download and install the stand-alone flash player. To be specific, only the DEBUGGER version of the stand-alone flash player.

Once you have downloaded and installed the debugger version of the stand-alone flash player, go to C:\Windows\system32\Macromed\Flash\ (or if you're on a 64-bit Vista, C:\Windows\SysWOW64\Macromed\Flash\).

If there isn't a directory named "FlashPlayerTrust" there, make one. Then, go into that directory and create a text file. You can name the text file anything you want, but by convention these files usually have a ".cfg" extension. I will assume you chose to name the file "example.cfg". Open up your example.cfg with any text editor (Notepad works fine) and put "C:\" in it as the first line. Then save the file.

Basically, what you've just done is to tell the Debug Stand-Alone flash player that if it loads a SWF file from anywhere on C:\, that SWF is to be completely trusted by the flash security model. The SWF file can access local files, AND it can access the network too. This is known as "being in the "local-trusted" sandbox."

Post A Comment | Share | Link

May 2015