Issue
I'm working on a web-based Flash application for a client which loads an external file from the same directory it is located in on the server. I use a URLRequest to load the file:
loader.load(new URLRequest("Config.xml));
Right now the Config.xml file uses chmod 644, which gives it public read access. However, the client would like to protect the configuration file so that it can't be downloaded by third-parties.
I'm thinking that it won't be possible to hide the file by removing public read permission (chmod 640) because then the Flash document, which is executed client-side, will be unable to read it. My tests seem to confirm this. Is there any way for a Flash app on the web to read a file from the server without exposing it to the public?
Solution
As others have already said, you can't do this. For the SWF to be able to load the file from the client-side it must be public.
A possible solution that might be good enough for your client is to embed the XML file contents in your HTML on the server side, for example as FlashVars or JavaScript output, then the SWF does not need to load the XML file directly and you don't need to make the file public.
For example:
Server-side PHP:
<?php
$xml = file_get_contents("Config.XML");
$encodedXml = rawurlencode($xml);
?>
<object type="application/x-shockwave-flash" data="my-flash.swf" width="550" height="400">
<param name="movie" value="my-flash.swf" />
<param name="FlashVars" value="config=<? echo $encodedXml ?>"/>
</object>
Client-side AS3:
var xml:XML = XML(stage.loaderInfo.parameters.config);
Of course someone could look at your HTML source and decode the XML themself, but any way you get the XML content into your SWF will expose that possibility, to varying levels of difficulty. You could make the encoding more obfuscated (url encoding is easy to spot) or encrypted to make it harder to find.
Answered By - Aaron Beall
