What's the difference in terms of security between declarative and programmatic SWFLoaders? In the ff. code, loader1 throws a security exception while loader2 does not.
public someFunction(source:String):void
{
var loader1:SWFLoader = new SWFLoader();
loader1.load(source);
loader2.source = source;
}
...
<mx:SWFLoader id="loader2"/>
I don't think there is any difference in terms of security. Remember, MXML gets converted to ActionScript by the mxmlc compiler before the actual compilation commences, so a declarative SWFLoader (or any other declarative element, for that matter) is just a short-hand way of creating something instead of coding it by hand. You can use the -compiler.keep-generated-actionscript mxmlc argument to see what kind of code gets generated from your MXML.
And the reason you're not seeing a runtime error from the loader2.source = source; line in that example is that since the previous line of code invokes an error, the execution of that function stops there. Try commenting out the line where you call loader1.load(source) and you'll see the next line throw this kind of a SecurityError:
SecurityError: Error #2148: SWF file http://example.com/test.swf cannot access local resource file:///Users/username/Desktop/picture.jpg. Only local-with-filesystem and trusted local SWF files may access local resources.
at flash.display::Loader/_load()
at flash.display::Loader/load()
at mx.controls::SWFLoader/loadContent()
at mx.controls::SWFLoader/load()
at mx.controls::SWFLoader/commitProperties()
at mx.core::UIComponent/validateProperties()
at mx.managers::LayoutManager/validateProperties()
at mx.managers::LayoutManager/doPhasedInstantiation()
at Function/http://adobe.com/AS3/2006/builtin::apply()
at mx.core::UIComponent/callLaterDispatcher2()
at mx.core::UIComponent/callLaterDispatcher()