User Guide

ManualsBrandsMacromedia ManualsOtherFLEX 2-PROGRAMMING ACTIONSCRIPT 3.0

461

462

463

464

465

466

467

468

469

470

468 Flash Player Security

When you call the load() method of the Loader object, you can specify a context

parameter, which is a LoaderContext object. The LoaderContext class includes three

properties that let you define the context of how the loaded content can be used:

■ checkPolicyFile—Use this property only when loading an image file (not a SWF file).

Specify this for an image file from a domain other than that of the file containing the

Loader object. If you set this property to

true, the Loader checks the origin server for a

cross-domain policy file (see “Website controls (cross-domain policy files)” on page 456).

If the server grants permission to the Loader domain, ActionScript from SWF files in the

Loader domain can access data in the loaded image. In other words, you can use the

Loader.content property to obtain a reference to the Bitmap object that represents the

loaded image, or the

BitmapData.draw() method to access pixels from the loaded image.

■ securityDomain—Use this property only when loading a SWF file (not an image).

Specify this for a SWF file from a domain other than that of the file containing the Loader

object. Only two values are currently supported for the

securityDomain property: null

(the default) and

SecurityDomain.currentDomain. If you specify

SecurityDomain.currentDomain, this requests that the loaded SWF file be imported to

the sandbox of the loading SWF file, meaning that it operates as though it had been

loaded from the loading SWF file’s own server. This is only permitted if a cross-domain

policy file is found on the loaded SWF file’s server, allowing access by the loading SWF

file’s domain. If the required policy file is found, the loader and loadee can freely script

each other once the load begins, since they are in the same sandbox. Note that sandbox

importing can mostly be replaced by performing an ordinary load and then having the

loaded SWF file call the

Security.allowDomain() method. This latter method may be

easier to use, since the loaded SWF file will then be in its own natural sandbox, and thus

able to access resources on its own actual server.

■ applicationDomain—Use this property only when loading a SWF file written in

ActionScript 3.0 (not an image or a SWF file written in ActionScript 1.0 or 2.0). When

loading the file, you can specify that the file be placed into a particular application

domain, rather than the default of being placed in a new application domain that is a

child of the loading SWF file’s application domain. Note that application domains are

subunits of security domains, and thus you can specify a target application domain only if

the SWF file that you are loading is from your own security domain, either because it is

from your own server, or because you have successfully imported it into your security

domain using the

securityDomain property. If you specify an application domain but the

loaded SWF file is part of a different security domain, the domain you specify in

applicationDomain is ignored. For more information, see “ApplicationDomain class”

on page 436.

For details, see “The LoaderContext class” on page 181.