I've been skimming over the docs but they deal with all kinds
of "security scenarios" that can arise by combining local and
remote HTML / Script / Flash contents.
Now here is my scenario: the application will be served in
its ENTIRETY by a separate web server that will ALWAYS run locally
(i.e. always localhost, the same machine as the "AIR client, and
the server will be a light-weight embedded Python server such as
wsgiref). So in the .air there will likely only be a single
entry-point HTML file that would ideally redirect to say
HTML content generated by the web server do? What kind of settings
can be tweaked to allow or disallow certain actions? Out of the
read operations such as alert(elem.innerHTML) don't seem to work.
On the other hand, when I load DOM-intensive applications such as
the samples on
http://extjs.com directly in the AIR
HTML window, no problems. So what's the logic here---I don't get
I don't need all the bells and whistles provided by
AIR---especially things the localhost server can do (such as
accessing local files) won't be done in client script. However, I'd
like drag/drop and the clipboard. And of course, you know, full DOM
manipulation (which is kind of one of the basic pillars of a "rich"
Have a dummy HTML page in your app. This will have access to
all AIR APIs. This HTML page can have an iframe pointing to your
localhost/whatever.jsp. Now the page in the IFRAME will be in a
non-application sandbox and won't be able to access AIR APIs.
But a bridge between the iframe and parent can be established
by means of which you can effectively have access to clipboard.