Saturday, January 31, 2009

Flash Player SecurityError: Error #2060

This post starts with a security error echoed by Flash Player: I'm talking about Error #2060, an error that is associated with the use of ExternalInterface.call.

For those of you that just don't remember what ExternalInterface is responsible of, I have to say that this class allows ActionScript to "talk" with the Flash Player container: in my current example, I was calling a JavaScript function from inside ActionScript. My idea was to allow ActionScript to run a user-specified Windows program through the intermediation of the ActiveX WScript.Shell, instantiated in a IE-managed HTML page.

So, the code for the ActionScript part looked like this:
<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"
layout="absolute" width="402" height="22"
backgroundColor="white">
<mx:Script>
<![CDATA[
private static const JS_FUNCTION_NAME: String = "jsRunProgram";

private function callExternalProgram(programName:String):void {
if (ExternalInterface.available) {
ExternalInterface.call(JS_FUNCTION_NAME, programName);
}
}
]]>
</mx:Script>
<mx:Label text="External program to call:"
y="0"
fontWeight="bold"/>
<mx:TextInput id="txtProgramName"
text="notepad"
x="151" y="-2" width="198"
enter="callExternalProgram(txtProgramName.text)"/>
<mx:Button label="Run" x="352" y="-2"
click="callExternalProgram(txtProgramName.text)"/>
</mx:Application>

... and inside HTML page I had this JavaScript fragment:
<script language="javascript" >
function jsRunProgram(programName) {
shellObj = new ActiveXObject("WScript.Shell");
shellObj.run(programName);
}
</script>

The idea here is not obvious, but pretty simple: the user enters a program name in a Flex TextInput, then presses the Enter key and voilĂ ... ActionScript calls the JavaScript function jsRunProgram providing it with the text just entered by the user. JavaScript, in turn, instantiates the ActiveX WScript.Shell and instructs it to run the program entered by the user. This way, ActionScript can run every Windows program the user typed: notepad, iexplore, cmd... just to name a few.

I developed this solution inside Adobe Flex Builder. Now, when I opened
inside the Flex Builder browser the HTML page containing the Flash control corresponding to the ActionScript code, all ran as expected. Cool!

The surprise came out when I closed the Flex Builder browser and tried to open the same page in IE. I couldn't believe my eyes: everytime ActionScript tried to call JavaScript a Flash error popped out complaining about error 2060: Security sandbox violation.

This behavior sounded so unbelievable to me for several reasons:
  1. Inside Flex Builder browser it ran without problems
  2. I couldn't imagine why Flash player had security concerns for accessing its containing HTML page.
I spent about a half weekend finding a solution.

Firstly, I browsed the Internet and I discovered that the same problem is not so uncommon. Some people suggest to deploy all the files in a web sever and, instead of accessing the HTML page via file system, access it via a HTTP connection to the web server. They say it works, but I was not interested in that solution primarily because I didn't want to introduce a web server.
So I didn't try that solution.

I found two different solutions.

The first:
  1. Change Flash Player security settings to allow it to access the local directory containing the HTML page. (To change Flash Player settings it's required to call this URL)
  2. Change IE security settings to allow the use of ActiveX WScript.Shell
The second:
  1. Rename the HTML page to HTA.

No comments: