FLEX 沙箱安全问题

http://blogs.adobe.com/flexdoc/2008/06/the_security_sandbox_in_flex_b.html
引用

Whether a given SWF, when run locally in a non-trusted location, is local-with-filesystem or local-with-network is a compilation setting. This setting is stored as a flag in the SWF header and is the only compiler flag. The default is local-with-network and has not changed in Flex Builder 3.

What is new with Flex Builder 3 is that we no longer put the release SWF inside the trusted debug output folder by default. The advantage to the developer is that the release SWF will run in the same security sandbox in which it will be deployed. Thus you get accurate application behavior instead of the more permissive local-trusted, which is only available to the developer.

Detailed Answer: In Flex Builder 2 we put the release SWF alongside the debug SWF, which was inside an output folder that we configured the flash player to trust for the following reason:

You could click, debug, and launch your application and have it access network services without first configuring the project to host the SWF on a web server (and thus have to launch it with a proper http:// URL). Basically, you can launch your application from the file system using file:/// URLs.

The problem with this approach is that when testing the release SWF, even if you edited the launch URLs to use http://, you would be running the application out of local-trusted instead of the actual deployment sandbox (remote).

There are other problems with this arrangement, such as facilitating the accidental deployment of both debug and release SWFs in the output folder.

So, for Flex Builder 3 we separated the notion of the Run button from the release SWF. The Run button merely launches the debug-capable SWF with debugging turned off. The Export Release Wizard creates the actual release SWF. Flex Builder 3 encourages you to put the release SWF somewhere other than your debug output folder. Thus, to test the release version, you must launch and test it as an end user would using a browser and web server (that is, unless you actually want the end user to try to run it locally).

Note: Use the custom compiler option, use-network=false, if you want to override the Flex Builder default compiler option. This would change the settings to local-with-filesystem.

Comments
To update this setting in Flex 3 do the following:
1 - Right click on the project folder in the Flex Navigator
2 - Click on the "Flex Compiler" option
3 - Enter a space(not a comma) and then "-use-network=false" without the quotes in the Additional compiler arguments

你可能感兴趣的:(Web,Flex,Security,Flash,Adobe)