Comments on: In-browser AIR functionality http://danny-t.co.uk/index.php/2007/11/19/in-browser-air-functionality/ Web apps fanatic, ramblings on dev for web, mobile and other geeky stuff Wed, 25 Jan 2012 21:06:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: DannyT http://danny-t.co.uk/index.php/2007/11/19/in-browser-air-functionality/comment-page-1/#comment-34093 DannyT Thu, 22 Nov 2007 23:50:11 +0000 http://danny-t.co.uk/index.php/2007/11/19/in-browser-air-functionality/#comment-34093 Thanks for the info Ethan, I think the security aspects are going to be something that'll continue to crop up now AIR gets us onto the desktop. I'm still interested in the approach and will try to mock-up a prototype when I get a chance. Thanks for the info Ethan, I think the security aspects are going to be something that’ll continue to crop up now AIR gets us onto the desktop. I’m still interested in the approach and will try to mock-up a prototype when I get a chance.

]]> By: Ethan Malasky http://danny-t.co.uk/index.php/2007/11/19/in-browser-air-functionality/comment-page-1/#comment-34062 Ethan Malasky Thu, 22 Nov 2007 18:15:47 +0000 http://danny-t.co.uk/index.php/2007/11/19/in-browser-air-functionality/#comment-34062 The LocalConnection pattern is already in use by some AIR apps you've seen. Finetune uses it, for instance, to transfer a selected radio station from the browser page to the desktop player. As far as security goes, you're half-correct. Users still (always) need to be vigilant about whose apps they install. But when applications themselves start offering services to other content, the security burden on app developers increases. Clearly, it's not impossible, but it's something developers need to consider. Who is going to be able to call your "saveLocal" function? How do you verify the caller's identity? The level of verification required changes, depending on the level of functionality being exposed. How can your exposed function be abused? Caller-provided paths or filenames are extremely dangerous, as they can be used to give an attacker local access. And on and on. All these concerns can be addressed. But development is likely to be slow, because the price of getting it wrong is so high. The LocalConnection pattern is already in use by some AIR apps you’ve seen. Finetune uses it, for instance, to transfer a selected radio station from the browser page to the desktop player.

As far as security goes, you’re half-correct. Users still (always) need to be vigilant about whose apps they install. But when applications themselves start offering services to other content, the security burden on app developers increases.

Clearly, it’s not impossible, but it’s something developers need to consider. Who is going to be able to call your “saveLocal” function? How do you verify the caller’s identity? The level of verification required changes, depending on the level of functionality being exposed. How can your exposed function be abused? Caller-provided paths or filenames are extremely dangerous, as they can be used to give an attacker local access. And on and on.

All these concerns can be addressed. But development is likely to be slow, because the price of getting it wrong is so high.

]]> By: Mike Weiland http://danny-t.co.uk/index.php/2007/11/19/in-browser-air-functionality/comment-page-1/#comment-33805 Mike Weiland Mon, 19 Nov 2007 15:55:57 +0000 http://danny-t.co.uk/index.php/2007/11/19/in-browser-air-functionality/#comment-33805 I've used this concept before, I've used Director with embeded Flash movies do the heavy lifting on the client side and localconnections between the SWF running in a browser. I haven't tested this with AIR, but the concept shouldn't run into any roadblocks. I’ve used this concept before, I’ve used Director with embeded Flash movies do the heavy lifting on the client side and localconnections between the SWF running in a browser. I haven’t tested this with AIR, but the concept shouldn’t run into any roadblocks.

]]>