Flash Player security features 189
For information on how to permit a SWF file served from one domain to access data, objects, or
variables from SWF files that are served from another domain, see “About allowing data access
between cross-domain SWF files” on page 189. For information on how to permit a SWF file
served from a secure (HTTPS) protocol to access data, objects, or variables from SWF files that
are served from insecure protocols, see “About allowing HTTP to HTTPS protocol access
between SWF files” on page 190. For information on how to permit a SWF file served from one
domain to load data (using loadVariables(), for example) from another domain, see “About
allowing cross-domain data loading” on page 190.
For information about how these security changes affect content authored in Flash MX and
earlier, see “About compatibility with previous Flash Player security models” on page 191.
About allowing data access between cross-domain SWF files
One SWF file can load another SWF file from any location on the Internet. However, in order for
the two SWF files to be able to access each other’s data (variables and objects), the two files must
originate from the same domain. By default, in Flash Player 7 and later, the two domains must
match exactly in order for the two files to share data. However, a SWF file may grant access to
SWF files served from specific domains by calling LocalConnection.allowDomain or
System.security.allowDomain().
For example, suppose main.swf is served from www.macromedia.com. That SWF file then loads
another SWF file (data.swf) from data.macromedia.com into a movie clip instance (target_mc).
// In main.swf
target_mc.loadMovie("http://data.macromedia.com/data.swf");
Furthermore, suppose that data.swf defines a method named getData() on its main Timeline.
By default, main.swf cannot call the getData() method defined in data.swf once that file has
loaded. This is because the two SWF files don’t reside in the same domain. For example, the
following method call in main.swf, once data.swf has loaded, will fail.
// In main.swf, after data.swf has loaded:
target_mc.getData(); // This method call will fail
However, data.swf may grant access to SWF files served from www.macromedia.com by using the
LocalConnection.allowDomain handler or the System.security.allowDomain() method,
depending on the type of access required. The following code, added to data.swf, allows a SWF
file served from www.macromedia.com to access its variables and methods:
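// Within data.swf
// Let SWF files served from www.macromedia.com script this file's variables and methods
System.security.allowDomain("www.macromedia.com");
// Accept LocalConnection calls only when the sender's domain is www.macromedia.com
var my_lc:LocalConnection = new LocalConnection();
my_lc.allowDomain = function(sendingDomain) {
    return (sendingDomain == "www.macromedia.com");
};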
Notice that allowDomain permits any SWF file in the allowed domain to script any other SWF
file in the domain permitting the access, unless the SWF file being accessed is hosted on a site
using a secure protocol (HTTPS). In this case, you must use allowInsecureDomain instead of
allowDomain; see “About allowing HTTP to HTTPS protocol access between SWF files” below.
For more information on domain-name matching, see “Flash Player security features”
on page 188.
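The access rules in this section can be checked against a small model. The following JavaScript is an added example, not Flash Player or Macromedia code; canScript(), origin() and the field names are hypothetical. It assumes the HTTPS restriction applies when the accessing file is not itself served over HTTPS, and that allowInsecureDomain also grants everything allowDomain grants.

```javascript
"use strict";

// Split a SWF URL into scheme and host (hypothetical helper).
function origin(swfUrl) {
  const u = new URL(swfUrl);
  return { scheme: u.protocol.replace(":", ""), host: u.hostname.toLowerCase() };
}

// accessed.url is where the accessed SWF was served from. accessed.allowDomain and
// accessed.allowInsecureDomain list the domains that SWF passed to
// System.security.allowDomain() / allowInsecureDomain() (assumed model of the grants).
function canScript(accessorUrl, accessed) {
  const from = origin(accessorUrl);
  const to = origin(accessed.url);
  // Flash Player 7 rule from the text: domains must match exactly, no superdomains.
  const granted = (list) => (list || []).some((d) => d.toLowerCase() === from.host);

  // Non-HTTPS accessor, HTTPS target: allowDomain is not enough.
  if (to.scheme === "https" && from.scheme !== "https") {
    return granted(accessed.allowInsecureDomain)
      ? { allowed: true, reason: "allowInsecureDomain grant" }
      : { allowed: false, reason: "insecure accessor, HTTPS target" };
  }
  if (from.host === to.host) return { allowed: true, reason: "same domain" };
  if (granted(accessed.allowDomain) || granted(accessed.allowInsecureDomain)) {
    return { allowed: true, reason: "allowDomain grant" };
  }
  return { allowed: false, reason: "domain mismatch" };
}

// Constructed scenarios based on the main.swf / data.swf example in the text.
const MAIN = "http://www.macromedia.com/main.swf";
const scenarios = [
  ["no grant", { url: "http://data.macromedia.com/data.swf" }],
  ["exact grant", { url: "http://data.macromedia.com/data.swf", allowDomain: ["www.macromedia.com"] }],
  ["superdomain grant", { url: "http://data.macromedia.com/data.swf", allowDomain: ["macromedia.com"] }],
  ["HTTPS target, allowDomain", { url: "https://data.macromedia.com/data.swf", allowDomain: ["www.macromedia.com"] }],
  ["HTTPS target, allowInsecureDomain", { url: "https://data.macromedia.com/data.swf", allowInsecureDomain: ["www.macromedia.com"] }],
];
for (const [name, accessed] of scenarios) {
  const r = canScript(MAIN, accessed);
  console.log(`${name}: ${r.allowed ? "allowed" : "denied"} (${r.reason})`);
}
```

The "superdomain grant" and "HTTPS target, allowDomain" cases are the ones most often misconfigured: both are denied, the first because the grant names macromedia.com rather than the exact host, the second because the grant was made with the wrong method.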