Hello!
I want to run remote code in my AIR application within the same security sandbox. I found this article http://blogs.adobe.com/emalasky/2008/04/remote_plugins.html which describes quite shallow how to do it:
So to pull this content in safely, you need to prove that you can trust it. Given the ease of remote attacks (DNS hacks; man-in-the-middle attacks; owning up the “trusted” server; etc), imported modules must be signed, and the signature must be verified before loading the content.
First, sign your modules. I’m pretty sure you can just use adt for this, then rip the signatures.xml out of META-INF. Then post the modules and signatures.xml
When you download the modules, save them and signatures.xml somewhere in app-storage:/
Use the XMLSignatureValidator class to validate that you downloaded modules that really were signed by you (or some known entity).
- Import the modules into your application sandbox. For SWF, use Loader.loadBytes(), pass a LoaderContext with allowLoadBytesCodeExecution=true. I doubt anyone will do *that* by accident.
My questions:
1.: is this still the way to go in AIR 2.7?
2.: The explanation is very shallow.. could someone explian a bit more indepth how to do this and what steps are required? Or maybe someone knows a good tutorial?
Thanks!