User Guide

security (System.security) 1059
Version 6. Cross-domain scripting security is introduced. By default, Flash Player forbids cross-domain scripting; System.security.allowDomain() can permit it. To determine whether two files are in the same domain, Flash Player uses each file's superdomain, which is the exact host name from the file's URL minus its first segment, reduced to a minimum of two segments. For example, the superdomain of www.mysite.com is mysite.com. Under this rule, SWF files from www.mysite.com and store.mysite.com share the superdomain mysite.com and can script each other without calling System.security.allowDomain().
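The superdomain rule above, written out as ActionScript 2.0 so the two matching rules can be compared side by side. This is an added example, not code from the Flash documentation; the host names, the hostOf() helper and the report() function are constructed for illustration.

```actionscript
// Added example, not code from the Flash documentation: the Flash Player 6
// superdomain rule beside the exact-match rule of Flash Player 7 and later.
// All host names and URLs below are constructed for illustration.

// Flash Player 6 rule: take the exact host name, drop its first segment,
// but never reduce it below two segments.
function superdomain(host:String):String {
    var segments:Array = host.split(".");
    if (segments.length > 2) {
        segments.shift();   // drop exactly one leading segment
    }
    return segments.join(".");
}

// Flash Player 6: two files are in the same domain when their superdomains
// match, so no allowDomain() call is needed between them.
function sameDomainV6(hostA:String, hostB:String):Boolean {
    return superdomain(hostA) == superdomain(hostB);
}

// Flash Player 7 and later: the host names must be identical.
function sameDomainV7(hostA:String, hostB:String):Boolean {
    return hostA == hostB;
}

// Pull the host name out of a SWF's _url so both rules are applied to the
// same string Flash Player sees (assumed helper; ignores user info in URLs).
function hostOf(url:String):String {
    var start:Number = url.indexOf("://");
    if (start == -1) {
        return "";
    }
    var rest:String = url.substring(start + 3);
    var slash:Number = rest.indexOf("/");
    return (slash == -1) ? rest : rest.substring(0, slash);
}

// Compare two SWF URLs under both rules and trace the verdicts.
function report(myUrl:String, otherUrl:String):Void {
    var mine:String = hostOf(myUrl);
    var theirs:String = hostOf(otherUrl);
    trace(mine + " vs " + theirs
        + " | Flash Player 6: " + sameDomainV6(mine, theirs)
        + " | Flash Player 7+: " + sameDomainV7(mine, theirs));
}

// _url is the URL this SWF was loaded from; the others are constructed.
report(_url, "http://store.mysite.com/cart.swf");    // same superdomain, different host
report(_url, "http://a.b.mysite.com/widget.swf");    // superdomain is b.mysite.com
report(_url, "http://mysite.com/index.swf");         // already two segments
```

Run from a SWF served at www.mysite.com, the first comparison succeeds only under the Version 6 rule, because both hosts reduce to mysite.com. The second fails under both rules: only one segment is dropped, so a.b.mysite.com reduces to b.mysite.com, not to mysite.com. Under the Version 7 rule nothing short of an identical host name matches, which is why explicit allowDomain() calls become necessary between subdomains of one site.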
Version 7. Superdomain matching is replaced by exact domain matching. Two files are permitted to script each other only if the host names in their URLs are identical; otherwise a call to System.security.allowDomain() is required. By default, files loaded from non-HTTPS URLs are no longer permitted to script files loaded from HTTPS URLs, even when both files come from exactly the same domain. This restriction protects HTTPS files: a non-HTTPS file can be modified in transit, and a maliciously modified non-HTTPS file could then corrupt an HTTPS file that is otherwise immune to such tampering. System.security.allowInsecureDomain() is introduced so that an HTTPS SWF file that is being accessed can voluntarily disable this restriction, but Macromedia recommends against using System.security.allowInsecureDomain(), because it gives up exactly the protection the restriction provides.
Version 8. Two major areas of change:

Calling System.security.allowDomain() now permits cross-scripting operations only when the SWF file being accessed is the SWF file that called System.security.allowDomain(). In other words, a SWF file that calls System.security.allowDomain() now grants access only to itself. In previous versions, the call permitted cross-scripting operations where the SWF file being accessed could be any SWF file in the same domain as the calling SWF file; calling System.security.allowDomain() previously opened up the entire domain of the calling SWF file.

Support has been added for wildcard values with System.security.allowDomain("*") and System.security.allowInsecureDomain("*"). The wildcard (*) value permits cross-scripting operations where the accessing file is any file at all, loaded from anywhere; think of the wildcard as a global permission. Because a wildcard lets any SWF file on the Internet script the calling file, it should be used only when that file exposes nothing an arbitrary caller could misuse. Wildcard permissions can be useful in general, and in particular they are required to enable certain kinds of operations under the new local file security rules in Flash Player 8. Specifically, for a local SWF file with network-access permissions to script a SWF file on the Internet, the Internet SWF file being accessed must call System.security.allowDomain("*"), because the origin of a local SWF file is unknown. (If the Internet SWF file being accessed is loaded from an HTTPS URL, it must instead call System.security.allowInsecureDomain("*").)
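The Version 7 and Version 8 rules above, applied to a concrete pair of SWF files in ActionScript 2.0. This is an added example, not code from the Flash documentation. It assumes two files, both served over HTTPS and both frame-1 scripts: parent.swf at https://www.mysite.com/parent.swf, which does the accessing, and child.swf at https://store.mysite.com/child.swf, which is accessed. The host names, file names, the trustedHosts list and getCartTotal() are constructed for illustration.

```actionscript
// Added example, not code from the Flash documentation. Assumed layout:
//   parent.swf  at https://www.mysite.com/parent.swf   (accessing SWF)
//   child.swf   at https://store.mysite.com/child.swf  (SWF being accessed)
// Host names, file names and getCartTotal() are constructed.

// ---------- child.swf (the SWF being accessed) ----------

// Flash Player 7+: exact host matching, so each accessing host is listed
// explicitly; a shared superdomain no longer counts for anything.
var trustedHosts:Array = ["www.mysite.com"];

function openToTrustedHosts():Void {
    for (var i:Number = 0; i < trustedHosts.length; i++) {
        // Flash Player 8: this grants access to child.swf only. If child.swf
        // later loads grandchild.swf, that file needs its own allowDomain().
        System.security.allowDomain(trustedHosts[i]);
    }
    // Deliberately no System.security.allowInsecureDomain(): child.swf is
    // served over HTTPS, and that call would let an http:// SWF from the listed
    // host, which can be altered in transit, script it. The wildcard "*" is
    // also avoided, since it would let any SWF from anywhere call getCartTotal().
}

// Timeline function that parent.swf will call across domains.
function getCartTotal():Number {
    return 42;   // constructed value standing in for real timeline state
}

openToTrustedHosts();

// ---------- parent.swf (the accessing SWF) ----------

var childUrl:String = "https://store.mysite.com/child.swf";
var holder:MovieClip = this.createEmptyMovieClip("holder", this.getNextHighestDepth());
var loader:MovieClipLoader = new MovieClipLoader();
var listener:Object = new Object();

// onLoadInit fires after child.swf's first frame has executed, i.e. after its
// allowDomain() call, so the cross-domain call below is already permitted.
listener.onLoadInit = function(target:MovieClip):Void {
    var total:Number = target.getCartTotal();
    if (total == undefined) {
        // Flash Player blocks the access when child.swf has not named
        // www.mysite.com in allowDomain(); nothing is visible on the clip.
        trace("cross-domain access to " + childUrl + " was refused");
    } else {
        trace("cart total: " + total);
    }
};
listener.onLoadError = function(target:MovieClip, errorCode:String):Void {
    trace("could not load " + childUrl + ": " + errorCode);
};

loader.addListener(listener);
loader.loadClip(childUrl, holder);
```

The permission always lives in the file being accessed, not in the file doing the accessing: child.swf decides who may call into it by naming www.mysite.com, and parent.swf has nothing to declare. Serving parent.swf from http://www.mysite.com instead would break the call even though the host name matches, because of the HTTPS restriction introduced in Version 7; the only way to allow it would be System.security.allowInsecureDomain("www.mysite.com") in child.swf, which Macromedia recommends against.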