About domains, cross-domain security, and SWF files

The following issue affects only SWF files published for Flash Player 7. When the receiver is HTTPS and the sender is a local SWF file, allowDomain() is called, even though allowInsecureDomain() should be called. However, when the HTTPS LocalConnection receiver is a Flash Player 8 SWF file and the sender is a local file, allowInsecureDomain() is called.

Files that run in Flash Player 8 behave differently from how they run in Flash Player 7. Calling System.security.allowDomain permits cross-scripting operations only where the SWF file being accessed is the one that called System.security.allowDomain. In other words, a SWF file that calls System.security.allowDomain now permits access only to itself. In previous versions, calling System.security.allowDomain permitted cross-scripting operations where the SWF file being accessed could be any SWF file in the same domain as the one that called System.security.allowDomain. Doing so opened up the entire domain of the calling SWF file.

Support has been added for the wildcard (*) value in System.security.allowDomain("*") and System.security.allowInsecureDomain("*"). The wildcard (*) value permits cross-scripting operations where the accessing file is any file and can be loaded from any location (that is, global permission). Wildcard permissions can be useful, but they must adhere to the new local file security rules in Flash Player 8. Specifically, local files do not come from a domain, so the wildcard value must be used to grant them access. However, use caution with the wildcard value, because any domain then has access to your file. For more information, see allowInsecureDomain (security.allowInsecureDomain method).

You might encounter a situation in which you load a child SWF file from a different domain than the one calling it. You might want to allow that file to script the parent SWF file, but you don’t know the final domain from which the child SWF file will come. This situation can happen, for example, when you use load-balancing redirects or third-party servers. In this situation, you can use the MovieClip._url property as an argument to this method. For example, if you load a SWF file into my_mc, you can call System.security.allowDomain(my_mc._url). If you do this, you must wait until the SWF file in my_mc begins loading, because the _url property does not have its final, correct value until then. To determine when a child SWF file has started to load, use MovieClipLoader.onLoadStart.
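
The pattern described above, as an added ActionScript 2.0 example that is not part of the original documentation. It goes one step beyond the text by checking the child's final host against an allowlist before granting access, so that a redirect cannot hand script access to an arbitrary domain. TRUSTED_HOSTS, hostOf(), isTrusted(), the child URL and the my_mc clip are hypothetical names chosen for illustration.

```actionscript
// Added example (ActionScript 2.0, Flash Player 8). TRUSTED_HOSTS, hostOf(),
// isTrusted(), the child URL and the my_mc clip are hypothetical placeholders.
var TRUSTED_HOSTS:Array = ["cdn1.example.com", "cdn2.example.com"];

// Return the lowercase host of an http(s) URL, or null for anything else
// (local file URLs have no domain; URLs carrying user info are rejected).
function hostOf(url:String):String {
    var schemeEnd:Number = url.indexOf("://");
    if (schemeEnd == -1) { return null; }
    var scheme:String = url.substring(0, schemeEnd).toLowerCase();
    if (scheme != "http" && scheme != "https") { return null; }
    var authority:String = url.substring(schemeEnd + 3);
    var stops:Array = ["/", "?", "#"];
    for (var i:Number = 0; i < stops.length; i++) {
        var cut:Number = authority.indexOf(stops[i]);
        if (cut != -1) { authority = authority.substring(0, cut); }
    }
    if (authority.indexOf("@") != -1) { return null; }
    var port:Number = authority.indexOf(":");
    if (port != -1) { authority = authority.substring(0, port); }
    return authority.toLowerCase();
}

// Exact-match lookup in the allowlist.
function isTrusted(host:String):Boolean {
    for (var i:Number = 0; i < TRUSTED_HOSTS.length; i++) {
        if (TRUSTED_HOSTS[i] == host) { return true; }
    }
    return false;
}

var listener:Object = new Object();
// onLoadStart fires once the child has begun loading, so _url now holds the
// final address rather than the address that was requested.
listener.onLoadStart = function(target_mc:MovieClip):Void {
    var host:String = hostOf(target_mc._url);
    if (host != null && isTrusted(host)) {
        System.security.allowDomain(target_mc._url);
    } else {
        trace("Not granting script access to " + target_mc._url);
    }
};

var loader:MovieClipLoader = new MovieClipLoader();
loader.addListener(listener);
this.createEmptyMovieClip("my_mc", this.getNextHighestDepth());
loader.loadClip("http://www.example.com/child.swf", my_mc);
```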