I am building an application in Flash Builder 4.6.
I allow other users to upload and run their own MovieClips inside my app (movie clips loaded by my app). I provide them with an interface to access my app's features.
I am concerned about abuse, so I wish to protect myself from the following scenarios:
while (true) {
    ; // kill browser
}
Is it possible to protect my app from all that?
I don't think what you want is completely possible.
Are you loading all the clips in your application domain or a
separate one? This is the first thing I would change. Even if you
give the extended clip an interface, if it is loaded in the main
application domain, it has access to everything. We developed a
bridge to communicate with external clips without the need to
implement them in our application domain. Each clip needs to
extend a specific base class. The whole communication works with
events and the prevent default method.
ExternalInterface calls and navigateToURL with JavaScript access URLs should be permitted if you have set the allowScriptAccess to samedomain only. If you have an interface for calling URLs, validate the URLs before you navigate to them.
For the last two items I have no answer, or simply: no, it is not possible.
The whole cross-site scripting topic is huge. And when you have done some Facebook app development, you know how difficult it is to maintain security and usability for the developers.
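
The two measures from the answer above (loading clips into a separate application domain and validating URLs before navigating) are sketched here as an added example. It is not code from the question or the answer, and it is not the answerer's bridge. The class name ClipHost, the "requestNavigate" event type, the use of sharedEvents as the channel and the host allowlist are all assumptions.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.DataEvent;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;

    // Hypothetical host class; the class name, event type and allowlist are assumptions.
    public class ClipHost extends Sprite {
        // Constructed sample allowlist of hosts the app may navigate to.
        private static const ALLOWED_HOSTS:Array = ["example.com", "www.example.com"];
        // http(s) only, no userinfo, optional numeric port; group 1 is the host.
        private static const URL_RE:RegExp =
            /^https?:\/\/([^\/?#:@\\\s]+)(?::\d+)?(?:[\/?#]|$)/i;

        private var loader:Loader = new Loader();

        public function loadClip(clipUrl:String):void {
            // A new ApplicationDomain with no parent keeps the clip's class
            // definitions out of the host's application domain.
            var ctx:LoaderContext = new LoaderContext(false, new ApplicationDomain(null));
            // sharedEvents is reachable from both sides: the clip asks, the host decides.
            loader.contentLoaderInfo.sharedEvents.addEventListener(
                "requestNavigate", onRequestNavigate);
            loader.load(new URLRequest(clipUrl), ctx);
            addChild(loader);
        }

        // Assumption: the clip dispatches DataEvent("requestNavigate") with the URL in data.
        private function onRequestNavigate(e:DataEvent):void {
            if (isAllowedUrl(e.data)) {
                navigateToURL(new URLRequest(e.data), "_blank");
            }
        }

        public static function isAllowedUrl(url:String):Boolean {
            var m:Object = URL_RE.exec(url);
            if (m == null) {
                return false; // javascript:, data:, relative and userinfo URLs end up here
            }
            return ALLOWED_HOSTS.indexOf(String(m[1]).toLowerCase()) != -1;
        }
    }
}
```

A separate application domain only partitions class definitions. A clip served from the same origin as the host still runs in the host's security sandbox.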