Sandboxing SWFs loaded from the same domain

Hey guys, long time no see. :}

I’m building a Flash arcade system that people can deploy to their own websites, which loads its Flash content into a security sandbox. Basically, I’m interested in finding a way to prevent a loaded SWF from accessing the stage.

As you know, once an object in a loaded SWF has access to the stage, it can use event listeners to secure itself to the display list, circumvent Loader.unloadAndStop(), and potentially conduct malicious activities such as key logging. I’m looking to prevent that.

Thankfully, Flash automatically puts SWFs in a sandbox when they’re loaded in a domain or subdomain that is different from the parent SWF’s. However, the market I’m targeting with this arcade system will probably not have a clear grasp of these concepts, and it’s very likely that they will load a SWF into the arcade from the same domain, and that SWF can be malicious. Therefore I’m trying to sandbox content loaded from the same domain as the loader SWF.

So far I’ve tried a couple of tricks, which I’ll enumerate in a couple of posts after this one. If anyone else has any ideas, I’d really like to hear them. (That’s why I’m posting this.) If there’s a solution to this that works simply and without making too many assumptions about the users’ or their host servers’ capabilities, the Flash Platform would become a bit safer.
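A defensive loader wrapper, added here as an illustration and not part of the original post, that refuses a SWF whose host matches the arcade's own before any of the child's code runs, and re-checks the player's own verdict via LoaderInfo.sameDomain once the child has initialised. ArcadeLoader, hostOf and wouldShareSandbox are hypothetical names; the exact-host comparison is an assumption about how the player draws sandbox boundaries, which is why the sameDomain check is kept as the authoritative one.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLRequest;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;

    // Hypothetical wrapper around Loader for an arcade that must only show
    // SWFs the player will place in their own (cross-domain) sandbox.
    public class ArcadeLoader extends Sprite {
        private var _loader:Loader = new Loader();
        private var _arcadeUrl:String;   // pass root.loaderInfo.url of the arcade SWF

        public function ArcadeLoader(arcadeUrl:String) {
            _arcadeUrl = arcadeUrl;
        }

        // Host part of an absolute URL, lowercased; null if it cannot be parsed.
        public static function hostOf(url:String):String {
            var m:Object = /^[a-z][a-z0-9+.\-]*:\/\/([^\/:?#]+)/i.exec(url);
            return m ? String(m[1]).toLowerCase() : null;
        }

        // True when the player would NOT sandbox the child: same host as the
        // arcade, or a URL we cannot parse (treated as unsafe, not as unknown).
        public static function wouldShareSandbox(childUrl:String, parentUrl:String):Boolean {
            var c:String = hostOf(childUrl);
            var p:String = hostOf(parentUrl);
            return c == null || p == null || c == p;
        }

        public function load(url:String):void {
            // Refuse before a single frame of the child has executed.
            if (wouldShareSandbox(url, _arcadeUrl)) {
                throw new SecurityError("refusing " + url + ": it would share the arcade's sandbox");
            }
            // Own ApplicationDomain so the child's classes cannot overwrite the
            // arcade's; securityDomain is left null so the child stays in the
            // sandbox the player assigns to its origin.
            var ctx:LoaderContext = new LoaderContext(false, new ApplicationDomain());
            _loader.contentLoaderInfo.addEventListener(Event.INIT, onInit);
            _loader.load(new URLRequest(url), ctx);
        }

        private function onInit(e:Event):void {
            // The loader is still off the display list here, so loader.stage is null.
            // sameDomain is the player's own verdict and also covers redirects.
            if (_loader.contentLoaderInfo.sameDomain) {
                _loader.unloadAndStop();
                return;
            }
            addChild(_loader);
        }
    }
}
```

The pre-load host check is the one that matters for untrusted same-domain content, since by Event.INIT the child's constructor has already run in whatever sandbox the player gave it.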