Strange URLs when using the Flex SWFLoader
I was recently working on a Flex application that had to import a third-party SWF and use its API. Conversely, it needed to access the stage and add children. It threw up an interesting problem with strange import URLs that I finally solved.
I started with the following:
<mx:SWFloader source="http://www.example.com/external.swf" complete="loadComplete(event)" />
The first security sandbox error was about external.swf not being able to access the stage property. A quick view of the SWFLoader documentation lead to adding the trustContent property:
<mx:SWFloader source="http://www.example.com/external.swf" complete="loadComplete(event)" trustContent="true" />
After switching debugging to a local server on http://flex so that it wasn’t running in the local security sandbox, the stage error went away.
However, I ended up with a very strange URL not found error along the lines of ‘Error #2035: URL Not Found. URL: http://flex/[[IMPORT]]/www.example.com/external2.swf’. Looked like the third-party SWF was in turn trying to load a further SWF. After discussions with the developers, it turned out they were loading another SWF from the same location by using the LoaderInfo.url property.
Digging around in the SWFLoader source, reading lots of documentation about Flash’s security model and lots of unsuccessful searching lead me to what appears to be an undocumented feature. When the external content was imported into my application’s SecurityDomain the loader URL is changed to the one shown above with [[import]] in it. This means that their URL building was failing to produce the correct URL.
The solution was to remove the trustContent property so that the content wasn’t loaded into the security domain. Initially the stage error came back but by adding Security.allowDomain(‘www.example.com’) allowed the loaded SWF access to the stage. The same could have been achieved with a crossdomain.xml, I would have thought.
