Flash Player Embedding and Local Security

It is possible to build local applications that embed Flash Player, including it as a component in a custom GUI. This applies only to native local applications, built as exectuable programs.

Macromedia currently does not provide support for this type of usage of Flash Player but we do not forbid it either. Using Flash Player in your application is risky because you cannot redistribute Flash Player with your application, which forces you to depend on whatever version of Flash Player is installed on your users’ computers. Since users may upgrade Flash Player at any time, this leaves your application vulnerable to unanticipated changes in behavior.

Despite these problems, Macromedia makes an effort to avoid causing undue pain for applications that embed Flash Player.

Flash Player 8 and higher have the following local security behavior in embedding situations:

• The Flash Player ActiveX control, when it detects that it is hosted inside a non-browser container, will disable the new local security rules, placing all local SWFs in the local-trusted sandbox. This is true even if the ActiveX control is instantiated within an instance of the Internet Explorer ActiveX control which, in turn, is hosted inside a non-browser container. Note that it is only the ultimate container application that matters, so if you maintain an ActiveX control that embeds the Flash Player ActiveX control, and your ActiveX control is, in turn, embedded within Internet Explorer, Flash Player will detect that it is running within a browser and will enable local security.
• Flash Player plug-in players do not detect whether their container is a browser or not; they always enable the new local security rules by default. However, if end users (using the Settings Manager) or installers (using FlashPlayerTrust configuration files) designate trust for the path of an executable application that embeds a Flash Player plug-in, the plug-in will disable the new local security rules when embedded inside that executable.

• ActiveX and plug-in players have exported APIs that permit hosting applications to elect whether they wish the new local security rules to be enforced or not. These APIs must be called very early in the Flash Player lifecycle before any content is loaded. They are as follows:

  ActiveX (IDispatch APIs):
   HRESULT IShockWaveFlash::EnforceLocalSecurity()
    HRESULT IShockWaveFlash::DisableLocalSecurity()           

  Plugins (DLL exports):
   NPError Flash_EnforceLocalSecurity()  
  NPError Flash_DisableLocalSecurity()           

If you are developing a local application that embeds Flash Player, you should make an explicit decision as to whether you want the local security rules enabled or disabled and call the appropriate API. In general, if your usage of Flash Player includes playing SWF content from sources you do not control, such as from the Internet, you should elect to enable local security rules. On the other hand, if you are playing only specific SWFs that you control and ship with your application, you may find it convenient to disable local security for maximum flexibility.