Sixsided
Interactive Dev in Portland, OR

GUESS WHAT PEOPLE. Adobe AIR security sandboxing is gnarly! One case where this bit me was in my attempts to use Google’s YouTube API Player. The player.swf tries to load another remote SWF and is immediately killed by the AIR runtime for causing a “SecuritySandboxViolation”.

What’s going on here?

There are four security sandboxes that ActionScript code can run in:

  • local-with-filesystem: no net access.
  • local-with-network: no file access.
  • local-trusted: all good! Can only use it during development, though.
  • application: total control of the user’s computer*. AIR only.

According to Adobe’s docs,

There are a number of design and implementation patterns common to web applications that are too dangerous to be combined with the local system access inherent in the AIR application sandbox…. runtime script importing of remote content has been disabled in the application sandbox.

Compile-time script importing is allowed — that’s why we’re able to load the YouTube API player (henceforth “apiplayer”) by hardcoding its URL into the AIR app. But the apiplayer tries to load a third SWF, which brings down the “no remote content” hammer. The apiplayer isn’t actually in the application sandbox — it can’t access any of the AIR APIs — but let’s play along: we’ll load it into the local-with-network sandbox, where there’s no restriction on remote content loading.

Is there an API for this? No.

My workaround:

  • Create a “mediator.swf”, bundled into the AIR app package. Unfortunately, this places it in the application sandbox.
  • On first run, the AIR app copies mediator.swf to the user’s Documents directory, which is perfectly kosher as far as the AIR runtime is concerned. #okay
  • Use Loader to load mediator.swf, placing it into the local-with-network sandbox.
  • mediator.swf loads http://www.youtube.com/apiplayer?version=3
  • apiplayer now loads its tertiary SWF with no problems.
  • mediator.swf, being in a different sandbox, can’t communicate with my AIR app directly, so it asks it for a YouTube URL using parentSandboxBridge.
  • mediator.swf then passes the URL to the YouTube API player, which plays the video.
  • Rube Goldberg smiles benevolently from the afterlife.
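
The AIR-app side of the steps above, as an added example (not the original post's code). The class name MediatorHost, the bridge function getVideoUrl, the placeholder video URL and the host check are assumptions; mediator.swf would read the value with loaderInfo.parentSandboxBridge.getVideoUrl().

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.filesystem.File;
    import flash.net.URLRequest;

    // Hypothetical host class; runs in the AIR application sandbox.
    public class MediatorHost extends Sprite {
        // Constructed placeholder value, not a real video URL.
        private var videoUrl:String = "http://www.youtube.com/v/VIDEO_ID?version=3";

        public function MediatorHost() {
            // First run: copy the bundled mediator.swf out of the app package,
            // so that loading it no longer lands it in the application sandbox.
            var bundled:File = File.applicationDirectory.resolvePath("mediator.swf");
            var external:File = File.documentsDirectory.resolvePath("mediator.swf");
            if (!external.exists) {
                bundled.copyTo(external, false);
            }

            var loader:Loader = new Loader();
            // Assign the bridge before load() so the child can use it on init.
            // The Documents directory is writable by other programs running as
            // the user, so treat the loaded SWF as untrusted: the bridge exposes
            // one getter and nothing that touches AIR file or process APIs.
            loader.contentLoaderInfo.parentSandboxBridge = {
                getVideoUrl: getVideoUrl
            };
            loader.load(new URLRequest(external.url));
            addChild(loader);
        }

        // The only function callable from outside the application sandbox.
        private function getVideoUrl():String {
            return isYouTubeUrl(videoUrl) ? videoUrl : null;
        }

        // Hand out only URLs on the YouTube host the post loads from.
        private function isYouTubeUrl(url:String):Boolean {
            return /^https?:\/\/www\.youtube\.com\//.test(url);
        }
    }
}
```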