The Security Sandbox in Flex Builder 3

We recently received a question from a user about Flex Builder security sandbox settings. I thought the answer to this question would be of general interest.

Question: In Flex Builder 2, the security sandbox setting for both debug mode and release mode was local-trusted. In Flex Builder 3, why is release mode now local-with-network?

Short Answer: Whether a given SWF, when run locally in a non-trusted location, is local-with-filesystem or local-with-network is a compilation setting. This setting is stored as a flag in the SWF header and is the only compiler flag. The default is local-with-network and has not changed in Flex Builder 3.

What is new with Flex Builder 3 is that we no longer put the release SWF inside the trusted debug output folder by default. The advantage to the developer is that the release SWF will run in the same security sandbox in which it will be deployed. Thus you get accurate application behavior instead of the more permissive local-trusted, which is only available to the developer.

Detailed Answer: In Flex Builder 2 we put the release SWF alongside the debug SWF, which was inside an output folder that we configured Flash Player to trust for the following reason:

You could click, debug, and launch your application and have it access network services without first configuring the project to host the SWF on a web server (and thus have to launch it with a proper http:// URL). Basically, you can launch your application from the file system using file:/// URLs.

The problem with this approach is that when testing the release SWF, even if you edited the launch URLs to use http://, you would be running the application out of local-trusted instead of the actual deployment sandbox (remote).

There are other problems with this arrangement, such as facilitating the accidental deployment of both debug and release SWFs in the output folder.

So, for Flex Builder 3 we separated the notion of the Run button from the release SWF. The Run button merely launches the debug-capable SWF with debugging turned off. The Export Release Wizard creates the actual release SWF. Flex Builder 3 encourages you to put the release SWF somewhere other than your debug output folder. Thus, to test the release version, you must launch and test it as an end user would using a browser and web server (that is, unless you actually want the end user to try to run it locally).

Note: Use the custom compiler option, use-network=false, if you want to override the Flex Builder default compiler option. This would change the settings to local-with-filesystem.
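The flag described in the short answer, and changed by use-network=false, can be read back from a compiled SWF to confirm which local sandbox a release build will get before it ships. The Python below is an added example, not Adobe's or Flex Builder's code; it assumes the flag is the UseNetwork bit of the FileAttributes tag (tag code 69) as laid out in the SWF file format specification, and handles only uncompressed (FWS) and zlib-compressed (CWS) files. The names `local_sandbox` and `make_sample` are hypothetical, and the sample SWF is constructed.

```python
import struct
import zlib

FILE_ATTRIBUTES = 69   # FileAttributes tag code (SWF file format specification)
USE_NETWORK = 0x01     # UseNetwork bit in the tag's first byte

def local_sandbox(swf: bytes) -> str:
    """Sandbox a SWF gets when run locally from a non-trusted location."""
    sig = swf[:3]
    if sig not in (b"FWS", b"CWS") or len(swf) < 9:
        raise ValueError("not an uncompressed or zlib-compressed SWF")
    # Bytes 0-7: signature, version, uncompressed length. CWS compresses the rest.
    body = zlib.decompress(swf[8:]) if sig == b"CWS" else swf[8:]
    # Skip the frame-size RECT (5-bit width, then four fields of that width),
    # then frame rate and frame count (2 bytes each).
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    while pos + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                      # long form: 32-bit length follows
            if pos + 4 > len(body):
                raise ValueError("truncated tag header")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if code == FILE_ATTRIBUTES:
            if length < 1 or pos >= len(body):
                raise ValueError("truncated FileAttributes tag")
            flag = body[pos] & USE_NETWORK
            return "local-with-network" if flag else "local-with-filesystem"
        if code == 0:                           # End tag
            break
        pos += length
    return "no FileAttributes tag"              # reported as-is, not guessed

def make_sample(use_network: bool, compressed: bool = False) -> bytes:
    """Constructed minimal SWF (not a real application) for the demo."""
    rect = bytes([15 << 3]) + bytes(8)          # 15-bit fields, all zero
    attrs = struct.pack("<HI", (FILE_ATTRIBUTES << 6) | 4, 0x08 | int(use_network))
    body = rect + struct.pack("<HH", 24 << 8, 1) + attrs + struct.pack("<H", 0)
    head = (b"CWS" if compressed else b"FWS") + struct.pack("<BI", 9, 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)

if __name__ == "__main__":
    for use_network in (True, False):
        print(use_network, local_sandbox(make_sample(use_network)))
```

Running `local_sandbox` over the bytes of an exported release SWF in a build step catches a build that was compiled with a different use-network value than the deployment expects.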

2 Responses to The Security Sandbox in Flex Builder 3

  1. To update this setting in Flex 3 do the following:

    1 – Right click on the project folder in the Flex Navigator
    2 – Click on the “Flex Compiler” option
    3 – Enter a space (not a comma) and then “-use-network=false” without the quotes in the Additional compiler arguments

  2. A Basu says:

    I have generated one MXML project file in Flex Builder 3 and it has generated one HTML and SWF file in the bin-debug output folder. The application is used to display chart and data grid data using HTTP service url=“http://localhost/…/abcd.xml”. When the file is displayed from the local folder and in the local server (browser IE 7.0) it displays both the output files. But when it is tested from a remote system in the same network domain (in IE 7.0 with plug-in installed), with the necessary URL (e.g. http://ip_server/…/abcd.html (or abcd.swf)), the file is displayed but no XML data or chart. When I changed the HTTP service url inside the Flex file to “http://local_ip_server/…/abcd.xml” and generated, the HTML generated application was remotely accessed with populated chart and data, but not updated unless the browser is closed and restarted. Can you please help in this matter?