SWF and iScreensaver: Security Issues
Using iScreensaver with SWF: security settings
Flash (SWF) files have a security model to prevent malicious activity. Building a screensaver without understanding this model can result in odd behavior.
Here are some hints and tips to consider.
SWF and security settings
SWF files run inside a security "sandbox". Any SWF file that tries to perform a task that would go outside the sandbox will trigger a security error, and the operation will be blocked. This is reasonable behavior. The problem is that when the security error is triggered, the end user may or may not see the error message, depending on the Flash settings on their own computer. In addition, when the error message is shown, it can often be behind the screensaver window, which again makes it difficult to see.
If you are using a SWF file, it's wise to consider a possible security violation if you or your users see any of the following behaviors:
- The screensaver crashes or locks up the screen with no way to exit
- Assets aren't loaded from URLs
- Button clicks that trigger URLs don't work
- A security violation dialog window shows up
What to do:
- First, please read and understand the section on Flash Security Settings
- The safest setting is to use the "Local Sandbox" by publishing with the "Local Playback Security: Access local files only" setting. This will, however, prevent your SWF from getting data from the internet.
- As the author, to debug this you may want to set your computer's Flash security settings to "always ask" -- this way you can see when the violations are occurring and get the notification dialog box. Change your settings using the Flash Player Global Security Settings Panel.
- Generally, it's not a good idea to just set your Flash settings to "Always Allow", unless you are providing the screensaver to computers that are entirely under your control.
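Because the security dialog can be suppressed or hidden behind the screensaver window, it helps during debugging to have the SWF report sandbox problems itself. The ActionScript 3 document class below is an added example, not code from iScreensaver; the class name SandboxReport and the placeholder URL are assumptions.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.system.Security;
    import flash.text.TextField;
    import flash.text.TextFieldAutoSize;

    // Hypothetical document class: shows sandbox problems inside the SWF
    // instead of relying on a Flash Player dialog the user may never see.
    public class SandboxReport extends Sprite {
        // Placeholder URL (assumption); use the address your SWF really loads.
        private static const ASSET_URL:String = "http://www.example.com/data.xml";
        private var status:TextField = new TextField();

        public function SandboxReport() {
            status.autoSize = TextFieldAutoSize.LEFT;
            status.background = true; // keep the text readable on a dark stage
            addChild(status);
            report("Sandbox: " + Security.sandboxType);

            // "Access local files only" publishes into the localWithFile
            // sandbox, where network requests are always refused.
            if (Security.sandboxType == Security.LOCAL_WITH_FILE) {
                report("Network access is blocked in this sandbox; skipping load.");
                return;
            }

            var loader:URLLoader = new URLLoader();
            loader.addEventListener(Event.COMPLETE, onComplete);
            loader.addEventListener(IOErrorEvent.IO_ERROR, onFailure);
            loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onFailure);
            try {
                loader.load(new URLRequest(ASSET_URL));
            } catch (e:SecurityError) {
                // Some violations are thrown synchronously, not dispatched.
                report("Security violation: " + e.message);
            }
        }

        private function onComplete(e:Event):void { report("Loaded " + ASSET_URL); }
        private function onFailure(e:Event):void { report("Load failed: " + e.toString()); }
        private function report(msg:String):void { status.appendText(msg + "\n"); }
    }
}
```

Remove or hide the status field before shipping the screensaver; it is only there to make blocked operations visible while you test.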