If you follow the rules of the Marshall Plan and load sub-applications, you shouldn’t need to use bytearrays and allowCodeImport. Otherwise, I don’t know of any other way.
I might be wrong but in the Marshall Plan there's no way described to load arbitrary swfs and completely disable the code (if, for instance, you just want to display the graphic asset in the swf).
It seems like the most you can do to restrict a swf is load it into a sandbox...is that true?
Thanks again for your thoughts
That’s correct. The idea is to run loaded code in a sandbox. If you are just trying to pull assets from a SWF, why is there code that you need to run?
My motivation is to visually display an arbitrary swf (perhaps some user exported an Illustrator file as a swf, or created on in Flash CS5, etc.) without worrying about arbitrary and perhaps malicious code. So it's best to make sure no code can run. But it seems like what you're saying is that the best option is to rely on the sandbox restrictions.
Ideally, it would be better to use FXG as some kind of transfer format for visual images, but unfortunately it's not easy to just load FXG at runtime. Hence the use of the swf format.