We have a Flash app (AS3). This is a desktop application that runs in our own projector. No AIR. The projector is written in C++. The projector gives the Flash part indirect access to the Windows API via ExternalInterface.
Now we want to let our community create plugins. Just to let them make a small animated picture with a bit of ActionScript 3.
A plugin is going to be loaded as an external .swf file at runtime. And, of course, we would like our users to distribute the plugins on the net.
But we have a security concern. What if some bad person took advantage of the indirect access to the Win API?
I have made a small test. A child .swf loaded into the program tries to call ExternalInterface methods. It turned out the child .swf was able to do this. So every .swf file loaded into our program will automatically have access to the Win API.
Downloading plugins for our program becomes as dangerous as an .exe file.
Can we forbid ExternalInterface access to the loaded .swf? If not, how would you implement a plugin system in AS3 with security in mind?
I would appreciate any tips that can help.