I’m loading untrusted content into the non-application sandbox in the form of a module that inherits from a public Module class. This class is defined in the application content and the non-application content. Now, I’m passing Module instances from the non-application sandbox to the application sandbox through the LoaderInfo’s childSandboxBridge property. Flash serializes all the data passed over the sandbox bridge, probably in AMF format. That means when I pass a Module through the bridge, it comes out an Object.
That’s unsatisfactory for me; by identifying the type of the passed data as Module, I can verify that the untrusted content has the proper interface to work with my application. How can I de-serialize the data passed over the bridge, when the class definition is on both sides of the bridge?
I’ve been trying to use registerClassAlias, but I have no idea how to integrate it into the sandbox bridge system. Help!
