GUESS WHAT PEOPLE. Adobe AIR security sandboxing is gnarly! One case where this bit me was in my attempts to use Google’s YouTube API Player. The player.swf tries to load another remote SWF and is immediately killed by the AIR runtime for causing a “SecuritySandboxViolation”.
What’s going on here?
There are four security sandboxes that ActionScript code can run in:
According to Adobe’s docs,
There are a number of design and implementation patterns common to web applications that are too dangerous to be combined with the local system access inherent in the AIR application sandbox…. runtime script importing of remote content has been disabled in the application sandbox.
Compile-time script importing is allowed — that’s why we’re able load the YouTube API player (henceforth “apiplayer”) by hardcoding its URL into the AIR app. But the apiplayer tries to load a third SWF, which brings down the “no remote content” hammer. The apiplayer isn’t actually in the application sandbox — it can’t access any of the AIR APIs — but let’s play along: we’ll load it into local-with-network sandbox, where there’s no restriction on remote content loading.
Is there an API for this? No.
My workaround: