Specifications
CHAPTER 3
34
The following table shows how the sandbox type is determined:
Browser security
Flash Player clients can be one of the following four types:
• Embedded Flash Player
• Debugger version of embedded Flash Player
• Stand-alone Flash Player
• Debugger version of stand-alone Flash Player
The stand-alone Flash Player runs on the desktop. It is typically used by people who are running applications that
are installed and maintained by an IT department that has access to the desktop on which the application runs.
The embedded Flash Player is run within a browser. Anyone with Internet access can run applications from
anywhere with this player. For Internet Explorer, the embedded player is loaded as an ActiveX control inside the
browser. For Netscape-based browsers (including Firefox), it is loaded as a plug-in inside the browser. Using an
embedded player lets the developer use browser-based technologies such as FORM and BASIC authentication as
well as SSL.
Browser APIs
Applications hosting the Flash Player ActiveX control or Flash Player plug-in can use the EnforceLocalSecurity
and DisableLocalSecurity API calls to control security settings. If DisableLocalSecurity is opened, the application
does not benefit from the local-with-networking and local-with-file-system sandboxes. All files loaded from the
local file system are placed into the local-trusted sandbox. The default behavior for an ActiveX control hosted in
a client application is DisableLocalSecurity.
If EnforceLocalSecurity is opened, the application can use all three local sandboxes. The default behavior for the
browser plug-in is EnforceLocalSecurity.
Cross-scripting
Cross-scripting is when a SWF file communicates directly with another SWF file. This communication includes
calling methods and setting properties of the other SWF file.
use-network Loaded Sandbox type
false locally local-with-filesystem
true locally local-with-network
true network remote
false network n/a (causes an error)