Why no Sandbox Violation running from Bin?

Ever noticed that once you copy your html/swf files from the bin folder in your flex project to another file location, or just move the bin folder itself, your flex application no longer happily makes the remote data calls that only worked a minute ago in Flexbuilder? Well we ran into an interesting issue, when trying to push custom HTTP headers to a server. It worked fine while debugging in flexbuilder, and even double clicking on the html file in the bin folder worked. Yet the minute I moved the bin folder to say "program files\my proggy", the application would give a nasty error like this:

Error #2170: Security sandbox violation: file:///program files/my proggy/APITest.swf cannot send HTTP headers to http://myservice/DIRTNAPPY/.

I did some research, and there's actually tons of information out there that deals with this issue. First and foremost this article http://www.adobetutorialz.com/articles/1785/1/Local-Sandboxes does a very good job of explaining exactly what is happening behind the scenes.

Essentially Flexbuilder tells Flash that it should trust the bin folder... if you do a search on your development machine for the file flexbuilder_plugin.cfg, you should find it in a folder called FlashPlayerTrust in roughly the same area you normally find SharedObject files. If you open this file in a text editor, you should see pretty much every path to every bin folder for every flex project you have ever worked on. And suddenly everything gets so much clearer.

So I created a new file and placed it next to this flexbuilder_plugin.cfg file, and called it MyProggy.cfg. Flash is configured to read in all files in this folder and parse all paths out of it, and any applications run from these paths will be considered "localTrusted" and will act as they would when run from Flexbuilder. Inside this text file I put one line: "c:\program files\my proggy" and saved it. I then had to restart Firefox for the change to take effect. I also had added a text label to my application and bound the text property to {Security.sandboxType}.

Launching the app again from c:\program files\my proggy now showed the app running in localTrusted mode, and sure enough all my data calls worked just fine. Keep in mind, that all this only works when you intend to host your application on users machines, rather than on a webserver. It's simple enough to add the necessary text file when your application is being installed.

I should add that as a back up plan, you might want to consider trapping the Sandbox Error and then communicating to the user that they'll need to right click on the application, select Settings / click Advanced / then click on Global Security Settings Panel and add the appropriate path to the list of "always trust files in these locations". (still easier than making them go and create this text file themselves and saving it to the right location).