FlashPlayerTrust: Some flash security notes
July 29, 2006
If you never delved into flash security stuff, this might interest you: Probably you know that since Flash 8 you can choose between “local access” and “network access” in the publish settings, i.e. your exported flash movie can access either local data or remote data. If your local flash movie loads both a local xml file and remote data from a live web server (e.g. via amfphp) and you test the movie in the standalone player or the browser, you get this flash player security warning (you don’t get the warning if you test your movie in flash or if you deploy your movie to a web server).
A click on “Settings” takes you to the Macromedia (Adobe) website and displays the settings manager where you can add the url to the sites which are “local-trusted” (can access both local and remote data). After a reload of your flash movie, the warning is gone. That’s fine, but the whole procedure is a bit cumbersome – particularly if you cleanup your hard drive via tools which wipe out all browser data (cookies, so’s etc.) and you have to reenter all trusted urls.
Until a short time ago I didn’t really bother reading through the flash help and finding out if there’s another way to add local-trusted data and not use the settings manager each time (seems like one should definitely read some docs about flash player security ;)): Just add a folder called “FlashPlayerTrust” into C:\Documents and Settings\[username]\…\Macromedia\Flash Player\#Security and put a .cfg file in that folder where you add all folder paths which you want to be “local-trusted”. For details just search the help files for “FlashPlayerTrust”.
What I found a bit strange: If you have FlashPlayer 9 installed there is an additional “Adobe” folder under Documents and Settings\[username]\…but the “FlashPlayerTrust” folder must still reside under Macromedia\Flash Player\#Security to make it all work.
By the way there’s more important security stuff to read about in the help files like System.security.loadPolicyFile, System.security.allowDomain and of course “crossdomain policy files”. There could be situations and problems which are really hard to debug if you never looked into the System.security package…
Filed under: Flex/AS3