User Guide

Flash Player security features 289
For more information, see the following topics:
“About allowing data access between cross-domain SWF files” on page 289
“About allowing HTTP to HTTPS protocol access between SWF files” on page 290
“About allowing cross-domain data loading” on page 290
“About custom policy file locations” on page 292
“About XMLSocket policy files” on page 293
“About compatibility with previous Flash Player security models” on page 294.
About allowing data access between cross-domain SWF files
One SWF file can load another SWF file from any location on the Internet. However, for the two
SWF files to access each other's data (variables and objects), the two files must originate from the
same domain. By default, in Flash Player 7 and later, the two domains must match exactly for the
two files to share data. However, a SWF file can grant access to SWF files served from specific
domains by calling LocalConnection.allowDomain or System.security.allowDomain().
For example, suppose main.swf is served from www.macromedia.com. That SWF file then loads
another SWF file (data.swf) from data.macromedia.com into a movie clip instance that’s created
dynamically using createEmptyMovieClip:
// In main.swf
this.createEmptyMovieClip("target_mc", this.getNextHighestDepth());
target_mc.loadMovie("http://data.macromedia.com/data.swf");
Now suppose that data.swf defines a method named getData() on its main Timeline. By default,
main.swf cannot call the getData() method defined in data.swf after that file has loaded because
the two SWF files do not reside in the same domain. For example, the following method call in
main.swf, after data.swf has loaded, will fail:
// In main.swf, after data.swf has loaded:
target_mc.getData(); // This method call will fail
However, data.swf can grant access to SWF files served from www.macromedia.com by using the
LocalConnection.allowDomain handler and the System.security.allowDomain() method,
depending on the type of access required. The following code, added to data.swf, allows a SWF
file served from www.macromedia.com to access its variables and methods:
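// Within data.swf
// Make _root references in data.swf resolve to its own Timeline when it is loaded by another SWF
this._lockroot = true;
// Let SWF files served from www.macromedia.com access this file's variables and methods
System.security.allowDomain("www.macromedia.com");
var my_lc:LocalConnection = new LocalConnection();
// Accept LocalConnection calls only when the sender's domain is www.macromedia.com
my_lc.allowDomain = function(sendingDomain) {
    return (sendingDomain == "www.macromedia.com");
};
function getData() {
    var timestamp:Date = new Date();
    output_txt.text += "data.swf:"+timestamp.toString()+"\n\n";
}
output_txt.text = "**INIT**:\n\n";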
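When reviewing ActionScript source, it helps to list every domain a SWF file grants access to through the two calls described above and compare that list with the domains the application is meant to trust. The following Python script is an added example, not part of the original guide; the audit() function, the expected-domain set and the second sample (with the partner.example domain) are constructed for illustration.

```python
import re

# Strings are matched first so that "//" inside a URL literal is not taken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/', re.S)
ALLOW_CALL = re.compile(r'System\.security\.allowDomain\s*\(([^)]*)\)')
# Handler bodies are assumed to contain no nested braces.
LC_HANDLER = re.compile(r'\.allowDomain\s*=\s*function\s*\([^)]*\)\s*\{([^}]*)\}')
STRING_LIT = re.compile(r'["\']([^"\']*)["\']')

def strip_comments(src):
    """Remove // and /* */ comments while leaving string literals untouched."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in '"\'' else '', src)

def audit(src, expected):
    """Return (api, detail) findings for every grant not covered by `expected`."""
    code = strip_comments(src)
    findings = []
    for api, pattern, empty in (
        ("System.security.allowDomain", ALLOW_CALL, "non-literal argument"),
        ("LocalConnection.allowDomain", LC_HANDLER, "no literal domain comparison"),
    ):
        for match in pattern.finditer(code):
            domains = STRING_LIT.findall(match.group(1))
            if not domains:
                findings.append((api, empty))  # cannot tell what is being trusted
            findings += [(api, d) for d in domains if d not in expected]
    return findings

# The data.swf grants shown on this page.
PAGE_SAMPLE = '''
System.security.allowDomain("www.macromedia.com");
var my_lc:LocalConnection = new LocalConnection();
my_lc.allowDomain = function(sendingDomain) {
    return (sendingDomain == "www.macromedia.com");
};
'''
# Constructed sample: one unexpected domain and a handler that accepts any sender.
CONSTRUCTED_SAMPLE = '''
// System.security.allowDomain("ignored.example");
System.security.allowDomain("www.macromedia.com", "partner.example");
var lc:LocalConnection = new LocalConnection();
lc.allowDomain = function(sendingDomain) { return true; };
'''

if __name__ == "__main__":
    for name, src in (("page", PAGE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(name, audit(src, {"www.macromedia.com"}))
```

The script is a text-level check: it reports what the source grants, and a reviewer still has to decide whether each reported domain should be trusted.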