User Guide
450 Flash Player Security
Flash Player Security overview
Much of Flash Player security is based on the domain of origin of loaded SWF files, media,
and other assets. A SWF file from a specific Internet domain, such as www.example.com, can
always access all data from that domain. These assets are placed in the same security grouping,
known as a security sandbox. (For more information, see “Security sandboxes” on page 461.)
For example, a SWF file can load SWF files, bitmaps, audio, text files, and any other asset
from its own domain. Cross-scripting between two SWF files from the same domain is also
always permitted, as long as both files are written in ActionScript 3.0. Cross-scripting is the
ability of one SWF file to use ActionScript to access the properties, methods, and objects of
another SWF file. Cross-scripting is not supported between SWF files written in
ActionScript 3.0 and those written in earlier versions of ActionScript; such files can still
communicate by using the LocalConnection class. For more information, see
“Cross-scripting” on page 470.
The following basic security rules always apply by default:
■ Resources in the same security sandbox can always access each other.
■ SWF files in a remote sandbox can never access local files and data.
Flash Player treats each of the following as a separate domain, and sets up a separate security
sandbox for each (the scheme and the exact host name both count):
■ http://example.com
■ http://www.example.com
■ http://store.example.com
■ https://www.example.com
■ http://192.0.34.166
Even if a named domain, such as example.com, resolves to a specific IP address, such as
192.0.34.166, Flash Player sets up separate security sandboxes for http://example.com and
http://192.0.34.166: the sandbox is keyed on the host name as written in the URL, not on the
address it resolves to.
There are two basic methods that a developer can use to grant a SWF file access to assets from
sandboxes other than its own:
■ The Security.allowDomain() method (see “Author (developer) controls” on page 460)
■ The cross-domain policy file (see “Website controls (cross-domain policy files)”
on page 456)
By default, a SWF file can neither cross-script ActionScript 3.0 SWF files from other domains
nor load data from other domains. Cross-scripting is granted by a call to the
Security.allowDomain() method in the loaded SWF file; the loaded SWF file should name only
the domains that actually need access, because allowDomain() gives the calling SWF file full use
of the loaded SWF file's objects and of the privileges of its sandbox. Loading data (text, XML,
and so on) from another domain is granted instead by a cross-domain policy file on the server
that hosts the data. For details, see “Cross-scripting” on page 470.
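The following is an added example, not code from the original guide or from Adobe, showing the allowDomain() grant from both sides. It assumes two hypothetical SWF files: Child.swf served from http://store.example.com and Parent.swf served from http://www.example.com. Because the host names differ, the two files are in separate sandboxes, so Parent.swf cannot touch Child.swf's objects until Child.swf grants it. The two classes are shown in one block but would be compiled as two separate files.

```actionscript
// Added example (not from the original guide). Two hypothetical files, shown together.
// Assumption: Child.swf is served from http://store.example.com and Parent.swf from
// http://www.example.com; these are separate security sandboxes.

// ---- Child.as (compiled to http://store.example.com/Child.swf) ----
package {
    import flash.display.Sprite;
    import flash.system.Security;

    public class Child extends Sprite {
        // Property that the parent SWF wants to read.
        public var status:String = "inventory loaded";

        public function Child() {
            // Grant cross-scripting to the one domain that needs it.
            // Security.allowDomain("*") would let any site script this SWF and
            // use its store.example.com privileges; avoid the wildcard.
            Security.allowDomain("www.example.com");
            // Scheme counts too: if this SWF were served over https and the parent
            // over http, allowDomain() would not be enough; the https SWF would
            // have to call Security.allowInsecureDomain(), which gives up the
            // protection https provides and is rarely worth it.
        }

        // Method the parent SWF may call once access has been granted.
        public function reloadInventory():Boolean {
            return true;
        }
    }
}

// ---- Parent.as (compiled to http://www.example.com/Parent.swf) ----
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLRequest;

    public class Parent extends Sprite {
        private var loader:Loader = new Loader();

        public function Parent() {
            loader.contentLoaderInfo.addEventListener(Event.INIT, onInit);
            loader.load(new URLRequest("http://store.example.com/Child.swf"));
            addChild(loader);
        }

        private function onInit(e:Event):void {
            // Check the trust relationship before touching the child's objects;
            // without this check a SecurityError is thrown if the child did not
            // call allowDomain() for our domain.
            if (!loader.contentLoaderInfo.childAllowsParent) {
                trace("Child.swf has not granted cross-scripting to www.example.com");
                return;
            }
            var child:Object = loader.content;
            trace(child.status);
            child.reloadInventory();
        }
    }
}
```

LoaderInfo.childAllowsParent reports whether the loaded SWF has granted access to the loading SWF, so the parent can fail cleanly instead of catching a SecurityError. Note that this grant covers cross-scripting only: if Parent.swf also wanted to load text or XML data from store.example.com with URLLoader, that server would additionally need a cross-domain policy file, as described in the section on website controls.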