Attackers can bypass the AS3 Security Sandbox and load SWF across domains.

Source: Internet
Author: User

The AS3 security sandbox can leave you feeling helpless. This article only addresses one specific problem: a SWF file on server A accesses files on server B over HTTP, and even setting up allowdomain.xml on server B does not help. The files loaded from server B are not covered by the required allowDomain. Security.allowDomain("*") can remove the security sandbox restriction (note: this can only be set for SWF files, not for images). For files that cannot use Security.allowDomain("*"), we can use the following method.

When you load an external file with a Loader and the load succeeds without error, but Flash reports a security sandbox error when you use the file, there is one way to bypass the security sandbox. The specific steps are as follows:

1. First, use a Loader to load the external SWF and listen for the Event.COMPLETE event of loader.contentLoaderInfo;

2. After the first Loader has loaded successfully, do not use its content yet. Instead, create a second Loader and use Loader.loadBytes() to load the contentLoaderInfo.bytes of the first Loader;

3. After the second Loader has loaded successfully, you can use the loaded file.

Sample Code:

// Imports needed by the enclosing class.
import flash.display.DisplayObject;
import flash.display.Loader;
import flash.display.LoaderInfo;
import flash.events.Event;
import flash.net.URLRequest;

public function load():void
{
    // The first loader fetches the file by URL.
    var loader1:Loader = new Loader();
    loader1.contentLoaderInfo.addEventListener(Event.COMPLETE, loader1Complete);
    loader1.load(new URLRequest("File URL"));
}

private function loader1Complete(event:Event):void
{
    var loaderInfo:LoaderInfo = event.target as LoaderInfo;
    // The second loader loads the bytes fetched by the first loader.
    var loader2:Loader = new Loader();
    loader2.contentLoaderInfo.addEventListener(Event.COMPLETE, loader2Complete);
    loader2.loadBytes(loaderInfo.bytes);
}

private function loader2Complete(event:Event):void
{
    // The loaded file can be used here.
    // event.target is the LoaderInfo; the loaded object is its content:
    // (event.target as LoaderInfo).content as DisplayObject
}

Note: when using the above method, make sure the allowdomain.xml file still exists on server B.
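When auditing ActionScript source (or decompiler output) for the double-load pattern described above, a simple scan can flag every Loader.loadBytes() call whose argument is the bytes of a LoaderInfo. This is an added example, not code from the original article; the regexes, the function name find_reloads and the sample source are assumptions made for this illustration.

```python
import re

# Variables declared as LoaderInfo, e.g. "var info:LoaderInfo = ..."
DECL_RE = re.compile(r"\bvar\s+(\w+)\s*:\s*LoaderInfo\b")
# Everything that follows ".loadBytes(" on the same line
CALL_RE = re.compile(r"\.loadBytes\s*\((.*)")
# "<name>.bytes" or "(... as <name>).bytes" inside the argument
BYTES_RE = re.compile(r"\b(\w+)\s*\)?\s*\.bytes\b")


def find_reloads(source):
    """Return [(line_number, owner)] for loadBytes() calls fed from LoaderInfo.bytes."""
    # Owners that identify a LoaderInfo: declared variables, the
    # contentLoaderInfo property, and an inline "as LoaderInfo" cast.
    owners = set(DECL_RE.findall(source)) | {"contentLoaderInfo", "LoaderInfo"}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore single-line comments only
        call = CALL_RE.search(code)
        if not call:
            continue
        for match in BYTES_RE.finditer(call.group(1)):
            if match.group(1) in owners:
                findings.append((lineno, match.group(1)))
    return findings


# Constructed sample: the article's pattern plus a loadBytes() call on embedded data.
SAMPLE = '''\
private function loader1Complete(event:Event):void
{
    var loaderInfo:LoaderInfo = event.target as LoaderInfo;
    var loader2:Loader = new Loader();
    loader2.loadBytes(loaderInfo.bytes);
}
private function showEmbedded():void
{
    var loader3:Loader = new Loader();
    loader3.loadBytes(new EmbeddedAsset() as ByteArray);
    loader3.loadBytes(loader1.contentLoaderInfo.bytes);
}
'''

if __name__ == "__main__":
    for lineno, owner in find_reloads(SAMPLE):
        print(f"line {lineno}: loadBytes() re-loads {owner}.bytes")
```

Each hit marks a place where remotely fetched bytes are re-loaded from memory and should be reviewed by hand; the scan is line-based and does not follow block comments or calls split across lines.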
