Specifications

CHAPTER 3
By default, a SWF file served over an unsecure protocol, such as HTTP, cannot access other documents served
over the secure HTTPS protocol, even when those documents come from the same domain. As a result, if you
loaded the SWF file over HTTP but want to connect to the service through HTTPS, you must add
secure="false" in the crossdomain.xml file on the service's server, as the following example shows:
<cross-domain-policy>
    <allow-access-from domain="*.mydomain.com" secure="false"/>
</cross-domain-policy>
If you loaded the SWF file over HTTPS, you do not have to make any changes.
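The following audit check is an added example, not code from the original documentation: it parses a crossdomain.xml policy and reports each allow-access-from rule that sets secure="false" or uses a wildcard domain, so the relaxation shown above can be found and reviewed. The function name audit_policy, the served_over_https parameter, and both sample policies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from a real server).
PAGE_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*.mydomain.com" secure="false"/>
</cross-domain-policy>"""

STRICT_POLICY = """<cross-domain-policy>
    <allow-access-from domain="www.mydomain.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text, served_over_https=True):
    """Return (domain, finding) tuples for one crossdomain.xml document.

    audit_policy and served_over_https are hypothetical names for this example.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")

    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "").strip()
        # In a policy served over HTTPS, a missing secure attribute means "true".
        secure = rule.get("secure", "true").strip().lower()

        if served_over_https and secure == "false":
            findings.append(
                (domain, "secure=false: SWF files loaded over HTTP can access this HTTPS service"))
        if domain == "*":
            findings.append((domain, "wildcard: every domain is granted access"))
        elif domain.startswith("*."):
            findings.append(
                (domain, "subdomain wildcard: every host under %s is granted access" % domain[2:]))
    return findings


if __name__ == "__main__":
    for name, policy in (("page example", PAGE_POLICY), ("strict", STRICT_POLICY)):
        results = audit_policy(policy)
        print(name, "->", results if results else "no findings")
```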
Writing secure Flex applications
When you code a Flex application, keep the following topics in mind to ensure that the application you write is as
secure as possible.
MXML tags with security restrictions
Some MXML tags trigger operations that require security settings. Operations that trigger security checks
include:
• Referencing a URL that is outside the exact domain of the application that makes a request.
• Referencing an HTTPS URL when the application that makes the request is not served over HTTPS.
• Referencing a resource that is in a different sandbox.
In these cases, access rights must be granted through one of the permission-granting mechanisms such as the
allowDomain() method or a crossdomain.xml file.
MXML tags that can trigger security checks include:
• Any class that extends the Channel class.
• RPC-related tags that use channels such as <mx:WebService>, <mx:RemoteObject>, and <mx:HTTPService>.
• Messaging tags such as <mx:Producer> and <mx:Consumer>.
• The <mx:DataService> tag.
• Tags that load SWF files such as <mx:SWFLoader>.
In addition to these tags and their underlying classes, many Flash classes trigger security checks, including
ExternalInterface, Loader, NetStream, SoundMixer, URLLoader, and URLRequest.