[#SDK-10970] [Marshall Plan] AIR: security violation when trying to load remote swf using SWFLoader

Flex SDK

[Marshall Plan] AIR: security violation when trying to load remote swf using SWFLoader

Created: 05/21/07 08:09 PM Updated: 10/14/08 06:10 PM

Component/s:

mx: WindowedApplication

Security Level:

Public (All JIRA Users )

Severity:	Non Functioning
Reproducibility:	Every Time
Discoverability:	Medium
Found in Version:	SDK Flex 3 (Released)
Milestone:	SDK Flex 3.2.0 and SDK Moxie M2 (Beta)
Affected OS(s):	All OS Platforms - All
Steps to Reproduce:	« Hide Steps to reproduce: 1. Compile & run the following using AIR: <?xml version="1.0" encoding="utf-8"?> <mx:WindowedApplication creationComplete="onComplete()" xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute"> <mx:SWFLoader source="http://dosai.corp.adobe.com/acrobat/groups/shared/mkagita/FlexApp.swf" /> <mx:Script> <![CDATA[ public function onComplete() : void { Security.allowDomain("http://dosai.corp.adobe.com/acrobat/groups/shared/mkagita/"); } ]]> </mx:Script> </mx:WindowedApplication> 2. Run the application Actual Results: SecurityError: Error #2047: Security sandbox violation: parent: http://dosai.corp.adobe.com/acrobat/groups/shared/mkagita/FlexApp.swf cannot access app-resource:/test.swf. at flash.display::DisplayObject/get parent() at mx.managers::SystemManager/::executeCallbacks() at mx.managers::SystemManager/::docFrameHandler() Expected Results: No security error & the SWF loads. Workaround (if any): None. Show » Steps to reproduce: 1. Compile & run the following using AIR: <?xml version="1.0" encoding="utf-8"?> <mx:WindowedApplication creationComplete="onComplete()" xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute"> <mx:SWFLoader source="http://dosai.corp.adobe.com/acrobat/groups/shared/mkagita/FlexApp.swf" /> <mx:Script> <![CDATA[ public function onComplete() : void { Security.allowDomain("http://dosai.corp.adobe.com/acrobat/groups/shared/mkagita/"); } ]]> </mx:Script> </mx:WindowedApplication> 2. Run the application Actual Results: SecurityError: Error #2047: Security sandbox violation: parent: http://dosai.corp.adobe.com/acrobat/groups/shared/mkagita/FlexApp.swf cannot access app-resource:/test.swf. at flash.display::DisplayObject/get parent() at mx.managers::SystemManager/::executeCallbacks() at mx.managers::SystemManager/::docFrameHandler() Expected Results: No security error & the SWF loads. Workaround (if any): None.
Language Found:	English
Bugbase Id:	none
Needs Release Note:	No
Triaged:	Yes
Regression:	No
QA Owner:	Joann Chuang Anderson
Resolved by:	Alex Harui
Confirmed Version:	SDK Flex 3.2.0 - Next Build
Participants:	Alex Harui, Deepa Subramaniam, Joan Lafferty, Joann Chuang Anderson, Lauren Park, Mathieu Lemaire, Matt Chotin, Raghunath Rao and Tom Bray

All

Comments

Sort Order:

[ Permlink | « Hide ]

Joann Chuang Anderson - [05/21/07 08:10 PM ]

This only happens with WindowedApplication, not Application. This is not an M2 stopper.

[ Permlink | « Hide ]

Lauren Park - [05/22/07 12:44 AM ]

Assigned to Raghu for triage

[ Permlink | « Hide ]

Raghunath Rao - [05/22/07 01:10 AM ]

A Flex Application, when compiled, is by default scoped to the "local-with-network" sandbox. So the use of Security.allowDomain() will let you load remote SWFs. I'm not sure if the AIR security works the same way. Sending for Internal Review

[ Permlink | « Hide ]

Lauren Park - [05/22/07 10:19 PM ]

Opened to Sasha for M2. This may not be appropriate for M2, but I would like to understand the issue better before moving to M3. We should probably M2 release note this issue if we don't resolve.

[ Permlink | « Hide ]

Alex Harui - [05/24/07 07:12 PM ]

Apollo Security says that you cannot use allowDomain to give a remote SWF access to an Apollo application.

A Flex SWF should not RTE in such a scenario, but that is already filed as a separate issue.

[ Permlink | « Hide ]

Joann Chuang Anderson - [05/25/07 06:59 PM ]

Sent email to the original filer. Closing this bug.

[ Permlink | « Hide ]

Mathieu Lemaire - [01/21/08 06:51 AM ]

I still encounter this issue in latest AIR build : SystemManager is attempting to access get parent(), which is restricted by AIR security sandbox...

Alex, which other bug are you talking about ?

[ Permlink | « Hide ]

Joann Chuang Anderson - [01/21/08 05:42 PM ]

Based on customer feedback, I recommend to re-resolve this as Deferred to look into next release per conversation with Alex.

There are other bugs similar to this one, but we'd like to use this one for tracking.

[ Permlink | « Hide ]

Lauren Park - [01/22/08 02:24 AM ]

Release Note.

[ Permlink | « Hide ]

Tom Bray - [01/23/08 07:50 PM ]

This bug prevents me from loading our web-based chat client into an AIR application in which chat is just one of many modules. We update our web-based chat client frequently and don't want to have to update the entire AIR app using the updater API. Our other option would be to load the SWF into an HTML control, but that feature doesn't work with transparent AIR applications so we're stuck.

[ Permlink | « Hide ]

Matt Chotin - [02/15/08 08:10 PM ]

We intend to attempt to address this in a dot release.

[ Permlink | « Hide ]

Alex Harui - [08/13/08 11:31 PM ]

This is fixed by the Marshall Plan

[ Permlink | « Hide ]

Alex Harui - [08/13/08 11:32 PM ]

Fixed by Marshall Plan

[ Permlink | « Hide ]

Joan Lafferty - [08/20/08 06:48 PM ]

Yes, this bug will be addressed by the Marshall Plan feature in Flex 3.2. Closing bug.