AIR and Policy Files

Report · Mar 16, 2014

I have an AIR desktop application that needs to get information from a website that uses cURL examples in the docs. Using some examples I've found, I think I'm getting close to mimicing the commands in ActionScript but my understanding of AIR security is terrible. I've read everything I can get my hands on (big mistake, with all the changes during the last few years on the security model). Can someone confirm my understanding?

If my application is going to request info from an API, because it's a SWF file, there should be a URL policy file and a Master Policy file on their server, preferably hosted on port 843.

All of the examples I see related to SWF files coming from FLEX (i.e., within an HTML page). Does this mean AIR doesn't need a policy file?

If it does, what is the format for an application policy, rather than a domain. Adobe's example is:

<?xml version="1.0"?>

<cross-domain-policy>

<allow-access-from domain="*.example.com" />

<allow-access-from domain="www.friendOfExample.com" />

<allow-access-from domain="192.0.34.166" />

</cross-domain-policy>

But what if the "domain" is 'app:/MyApp.swf', as far as I can tell. Any help, greatly appreciated.

Report · Mar 18, 2014

I don't have any experience with AIR desktop apps, but I have created several mobile and Facebook AIR/AS3 apps that connect to various API. In this case, yes, they still need the policy file to be present as far as I know - though in my case some versions of the app connect from teh Flash Player (embedded in HTML) and some as native apps, so I am not totally sure that the cross domain file is required for the app version.

The easy way to allow access from anywhere is to <allow-access-from domain="*" />, but obviously that is not as secure!

Adobe Community

AIR and Policy Files