2 Replies Latest reply on Aug 8, 2008 6:40 AM by roxority.com

    Security restrictions for http://localhost:8080 HTML application?


      I've been skimming over the docs but they deal with all kinds of "security scenarios" that can arise by combining local and remote HTML / Script / Flash contents.

      Now here is my scenario: the application will be served in its ENTIRETY by a separate web server that will ALWAYS run locally (i.e. always localhost, the same machine as the AIR client, and the server will be a light-weight embedded Python server such as wsgiref). So in the .air there will likely only be a single entry-point HTML file that would ideally redirect to, say, http://localhost:8080 via JavaScript location.replace().

      Now, what can and what can't the JavaScripts included in the HTML content generated by the web server do? What kind of settings can be tweaked to allow or disallow certain actions? Out of the box, even without redirecting, pretty standard HTML/JavaScript DOM read operations such as alert(elem.innerHTML) don't seem to work. On the other hand, when I load DOM-intensive applications such as the samples on http://extjs.com directly in the AIR HTML window, no problems. So what's the logic here---I don't get it.

      I don't need all the bells and whistles provided by AIR---especially things the localhost server can do (such as accessing local files) won't be done in client script. However, I'd like drag/drop and the clipboard. And of course, you know, full DOM manipulation (which is kind of one of the basic pillars of a "rich" internet application).

      So, what are the things http://localhost-provided HTML content can do out-of-the-box, and in case the answer isn't "everything", then what attributes/options can be set to restrict or expand what http://localhost-provided HTML content can do?