Highlighted

AIR and Policy Files

Advocate ,
Mar 16, 2014

Copy link to clipboard

Copied

I have an AIR desktop application that needs to get information from a website that uses cURL examples in the docs. Using some examples I've found, I think I'm getting close to mimicing the commands in ActionScript but my understanding of AIR security is terrible. I've read everything I can get my hands on (big mistake, with all the changes during the last few years on the security model). Can someone confirm my understanding?

If my application is going to request info from an API, because it's a SWF file, there should be a URL policy file and a Master Policy file on their server, preferably hosted on port 843.

All of the examples I see related to SWF files coming from FLEX (i.e., within an HTML page). Does this mean AIR doesn't need a policy file?

If it does, what is the format for an application policy, rather than a domain. Adobe's example is:

<?xml version="1.0"?>

<cross-domain-policy>

    <allow-access-from domain="*.example.com" />

    <allow-access-from domain="www.friendOfExample.com" />

    <allow-access-from domain="192.0.34.166" />

</cross-domain-policy>

But what if the "domain" is 'app:/MyApp.swf', as far as I can tell. Any help, greatly appreciated.

TOPICS
Development

Views

305

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

AIR and Policy Files

Advocate ,
Mar 16, 2014

Copy link to clipboard

Copied

I have an AIR desktop application that needs to get information from a website that uses cURL examples in the docs. Using some examples I've found, I think I'm getting close to mimicing the commands in ActionScript but my understanding of AIR security is terrible. I've read everything I can get my hands on (big mistake, with all the changes during the last few years on the security model). Can someone confirm my understanding?

If my application is going to request info from an API, because it's a SWF file, there should be a URL policy file and a Master Policy file on their server, preferably hosted on port 843.

All of the examples I see related to SWF files coming from FLEX (i.e., within an HTML page). Does this mean AIR doesn't need a policy file?

If it does, what is the format for an application policy, rather than a domain. Adobe's example is:

<?xml version="1.0"?>

<cross-domain-policy>

    <allow-access-from domain="*.example.com" />

    <allow-access-from domain="www.friendOfExample.com" />

    <allow-access-from domain="192.0.34.166" />

</cross-domain-policy>

But what if the "domain" is 'app:/MyApp.swf', as far as I can tell. Any help, greatly appreciated.

TOPICS
Development

Views

306

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Mar 16, 2014 0
Engaged ,
Mar 18, 2014

Copy link to clipboard

Copied

I don't have any experience with AIR desktop apps, but I have created several mobile and Facebook AIR/AS3 apps that connect to various API.  In this case, yes, they still need the policy file to be present as far as I know - though in my case some versions of the app connect from teh Flash Player (embedded in HTML) and some as native apps, so I am not totally sure that the cross domain file is required for the app version.

The easy way to allow access from anywhere is to <allow-access-from domain="*" />, but obviously that is not as secure!

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2014 0