6 Replies Latest reply on Sep 24, 2008 12:19 PM by ntsiii

    Security Error #2028 and Error #2148

    Alessio_Saltarin
      Hello. I'm having this problem in coding a new Flex2 application.

      The application is a simple products displayer which should be run from a CDROM. The CDROM autorun.inf invokes the HTML file which embeds a Flex2/swf application.

      The application should be able to install some software which resides onto the CDROM, thus it needs to invoke the setup files, as in:

      navigateToURL(new URLRequest("setup/Setup.exe"));

      But the application should also be able to navigate to my customer Web Site, calling:

      navigateToURL(new URLRequest('http:/somewebsite.com'));

      Now the problem is that, if I use the compiler flag

      -use-network=true

      I can navigate to my customer web site but I am not able to run program setups (in fact, Error #2148 Only local-with-filesystem and trusted local SWF files may access local resources), but if I set

      -use-network=false

      I cannot navigate to my customer web site, obtaining a SecurityError: Error #2028: Local untrusted file file may not access Internet URL file.

      This is rather annoying. Is there a way to let my application use the local files and visit an external web site?

      Thanks,
      Alessio
        • 1. Re: Security Error #2028 and Error #2148
          peterent Level 2
          You need to place your application into the local-trusted sandbox. This is a list of the directories where SWFs are located that can be trusted to use both the network and the local system.

          Check the Flex 2 documentation about the local-trusted sandbox and this Flash Player security article: http://www.adobe.com/devnet/flashplayer/articles/flash_player_8_security.pdf

          • 2. Re: Security Error #2028 and Error #2148
            Alessio_Saltarin Level 1
            Ok. In the document you indicate I read:

            "Depending on whether Flash Player will be embedded in a nonbrowser application, one of two strategies may be appropriate: register SWF files and HTML files to be trusted, or register applications to be trusted."

            If I understand well, in my case I must deploy the executable setup files in the

            system\Macromed\Flash\FlashPlayerTrust

            directory, or place the HTML and SWF file in that directory.

            None of them is an option for me, because the user DOES NOT WANT to install anything on its PC, he just want to browse for the applications that reside on the CDROM.

            The fact is: I do not want to place my application in the local-trusted sandbox, if this means that I have to "install" the application.

            Am I missing something? Is there a way to tell the application that

            1) The files on CDROM are "trusted" -- or ---
            2) The Web Sites my application links to, are "trusted"...?

            • 3. Re: Security Error #2028 and Error #2148
              peterent Level 2
              You don't need to put the SWF into the trusted directory, you just have to have the directory where the SWF will be launched from in the local-trusted list. Which means the end-user has to take some action. It could be by running a small set-up program from the CD which puts the CD's directory (eg, D:\) into the local-trusted list.

              Our security system is set up to prevent people from deploying SWFs which could be harmful. Any action to be done on the end-user's computer (accessing camera, microphone, files) MUST be acknowledged by the end-user. Having the end-user register your app as local-trusted is part of that security. We do not want anything to be automatic by design.
              • 4. Re: Security Error #2028 and Error #2148
                evivs
                Hey Alessio: How did you fix this ? I am running into something similar but don't know how to resolve it?
                • 5. Re: Security Error #2028 and Error #2148
                  AlessioSaltarin
                  I simply was not able to fix that. I am rather convinced that the security options of FLEX are way to strong and they actually prevent you to develop an application the way you want.

                  Anyway, I chose the option

                  -use-network=false

                  so the user can install an application from the CDROM, but he will not be able to navigate outside by clicking on a URL. (The "trust" options of the above answers do not apply, since I must release my application to unknown customers...)

                  Still I do not understand why opening a browser URL is considered SO DANGEROUS by the Flex engine...
                  • 6. Re: Security Error #2028 and Error #2148
                    ntsiii Level 3
                    It is not the Flex engine. It is both the Flash Player and the browser together.

                    It is required because html pages pass through firewalls and html pages host swfs. Having a malicious swf behind a firewall that can communicate with its masters is hideously dangerous.

                    Gooogle this, you will find all the discussion you could ever want.

                    Note, you can run your Flex app in AIR without such extreme security restrictions.