...given this situation:
The Flex/AIR app is an in-house e-learning course editor. It handles course preview by loading a course swf and injecting it with xml. The course swf is AS3 and it operates during preview like it does on the web--it gets an xml manifest, then loads other swfs (smart skins), and other material (images, etc).
Ideally, all the swfs and assets would exist outside the AIR package in a network drive so that they could be updated by editors and designers who simply add skins and pictures to the network drive, then open up the app and browse the file system to pick skins and images and have their paths added to the xml. Ideally, too, that network drive would be on a development server, so the main course swf could load swfs from the same place.
Of course this could cause security problems, and indeed, the prototype worked fine while testing in Flash Builder but failed to load the main swf after a release build. So I scurried around the web and found a bunch of different, partial solutions to the problem. I'm not sure which fits the situation best:
1. Clear all global references from the AS3 course framework and components: no reference to Stage, SoundMixer, etc. If I could do this--it is not clear at this point whether this would be possible--would that get rid of security violations? And if all course->editor cross-scripting were banished, would editor-->course cross-scripting (the injecting of the data) still be allowed?
2. Have the AIR app load the course swf via Loader.loadBytes(). But I am not sure that if course swf would then ALSO have to load all its skins with loadBytes(), too. (I really don't want to touch the course code for the sake of the editor.) Also I am not sure if this trick works for swfs loaded from a network drive (part of the file system) rather than the AIR app's applicationStorage.
3. Sign the main course swfs and include their names/paths in a signature xml. I am unclear how to sign a regular AS3 swf (not a Flex module) and whether signing them would solve my problem or just add an extra layer of security that I do not need.
4. Create a sandbox bridge between the AIR app and the main course skin. (This would get rid of the security error if the parent-->child cross-scripting is giving rise to the security error).
5. Create an HTMLLoader and load the main course swf into that. But I have never worked with HTMLLoader and I'm not sure if I can specify a swf url, embed it in the page, load the page, then inject data into the swf.
I'm amazed at how complicated this is, and unsure where to start. And advice?
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Alternative FAQ location: https://share.acrobat.com/adc/document.do?docid=942dbdc8-e469-446f-b4cf-1e62079f6847
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
