Comments on Flash Player Security and Sandboxes

Flash Player security is a vast topic and is beyond the scope of this tutorial. We have to mention it, however, because you are very likely to run into sandbox restrictions if you download the local files flip_cs4.swf or flip_cs3.swf and run them in the standalone Player on your machine or in any of your browsers. You will notice that the links to outside URLs that worked when you opened the web page no longer work. They do work, however, if you open the corresponding fla files and test the swfs in your Flash CS3 or Flash CS4 Test Players.

That happens because, in each of these cases, the swf file is confined to a different security sandbox. In the three scenarios described above, you are dealing with three different security sandboxes: remote, local-with-filesystem, and local-trusted.

When you are viewing an applet embedded in a web page pulled by your browser from a remote server, say server, the corresponding swf file, say flip_cs4.swf, is in the remote security sandbox. It means, roughly speaking, that the file has access to content and data on the server from which it originated, and to content from remote servers. That is why the file can open a web page in a different domain. In our case, flip_cs4.swf loaded from the server opens a page located on server. Opening a web page falls under 'loading content', and a file in the remote sandbox is permitted to load content from remote locations. The file, obviously, does not have access to any content or data on your computer. The file cannot 'load data' from remote servers either, unless the administrators of those servers took steps that expressly permit such access. The difference between 'loading content' and 'loading data' is subtle. For example, displaying an image from a remote server constitutes loading content; accessing the pixel information of the image programmatically falls under accessing the content's data.

When you place flip_cs4.swf on your computer and open it in your standalone Flash Player, the file is in the local-with-filesystem security sandbox. The file has access to content and data on your computer but does not have access to content or data in remote locations. That is why you no longer can open a link to from the local file.

For the convenience of developers, an swf file running in Flash's Test Player is in the local-trusted security sandbox. It has access to local resources as well as to remote resources. Hence, in the Test Player the link to in flip_cs4.swf will work again.

The last security sandbox type is local-with-networking. We will not discuss it in this tutorial.
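The following ActionScript 3 sketch is an added example, not code from the original tutorial. It reports which sandbox the swf is running in, then exercises the two operations discussed above: loading remote content, and reading the data of that content. The class name SandboxProbe and both example.com URLs are placeholders chosen for illustration.

```actionscript
package {
    import flash.display.BitmapData;
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;
    import flash.system.Security;

    // Hypothetical diagnostic class; both URLs are placeholders.
    public class SandboxProbe extends Sprite {
        private static const PAGE_URL:String = "http://www.example.com/";
        private static const IMAGE_URL:String = "http://www.example.com/picture.jpg";
        private var loader:Loader = new Loader();

        public function SandboxProbe() {
            // "remote", "localWithFile", "localWithNetwork" or "localTrusted"
            trace("sandbox: " + Security.sandboxType);
            try {
                // Loading content: allowed from remote and local-trusted,
                // refused from local-with-filesystem (documented as a SecurityError).
                navigateToURL(new URLRequest(PAGE_URL), "_blank");
                loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onImage);
                loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, onFail);
                loader.load(new URLRequest(IMAGE_URL));
                addChild(loader);
            } catch (e:SecurityError) {
                trace("blocked in " + Security.sandboxType + ": " + e.message);
            }
        }

        private function onImage(e:Event):void {
            // The image is already on screen (content). Reading its pixels is
            // data access and needs the other server's permission.
            var pixels:BitmapData = new BitmapData(
                loader.contentLoaderInfo.width, loader.contentLoaderInfo.height);
            try {
                pixels.draw(loader);
                trace("pixel data readable");
            } catch (err:SecurityError) {
                trace("image shown, pixel access denied: " + err.message);
            }
        }

        private function onFail(e:IOErrorEvent):void {
            trace("image could not be loaded: " + e.text);
        }
    }
}
```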

For a detailed discussion of Flash Player security and security sandboxes, we recommend 'Essential ActionScript 3.0' by Colin Moock.
