can I prohibit users from loading swf files by AS3 / Flash Loader.load() and only allow loading images?

Question

I want to have an AS3 app load images from url supplied by the user. But I don't want a malicious user to be able to load an SWF file in place of the image, such as with an altered extension "maliciousSwf.png". Well, not sure how big a security threat that is above and beyond the ability of the hacker to decompile swf, but I think that ideally such behavior should not be allowed.

So, is there any way to prevent this? When people allow users to load images in their Flash apps, do they somehow guard against loading of SWF? Or is this really absolutely no big deal?

Answer 1

You just need to make sure user loaded files are loaded into a separate security domain as your main application. Then their code will not be able to override any of yours. If you want to be extra safe, also put a content mask on the loading area, so that their content can not extend out of its bounding box.