User Guide

472 Flash Player Security
In addition to protecting SWF files from cross-domain scripting originated by other SWF
files, Flash Player protects SWF files from cross-domain scripting originated by HTML files.
HTML-to-SWF scripting can occur with callbacks established through the
ExternalInterface.addCallback() method. When HTML-to-SWF scripting crosses
domains, the SWF file being accessed must call the Security.allowDomain() method, just
as when the accessing party is a SWF file, or the operation will fail. For more information, see
“Author (developer) controls” on page 460.
Also, Flash Player provides security controls for SWF-to-HTML scripting. For more
information, see “Controlling access to scripts in a host web page” on page 481.
Stage security
Some properties and methods of the Stage object are available to any sprite or movie clip on
the display list.
However, the Stage object is said to have an owner: the first SWF file loaded. By default, the
following properties and methods of the Stage object are available only to SWF files in the
same security sandbox as the Stage owner:
Properties                                Methods
align           showDefaultContextMenu    addChild()
displayState    stageFocusRect            addChildAt()
frameRate       stageHeight               addEventListener()
height          stageWidth                dispatchEvent()
mouseChildren   tabChildren               hasEventListener()
numChildren     textSnapshot              setChildIndex()
quality         width                     willTrigger()
scaleMode

In order for a SWF file in a sandbox other than that of the Stage owner to access these
properties and methods, the Stage owner SWF file must call the Security.allowDomain()
method to permit the domain of the external sandbox. For more information, see “Author
(developer) controls” on page 460.
The frameRate property is a special case—any SWF file can read the frameRate property.
However, only those in the Stage owner's security sandbox (or those granted permission by a
call to the Security.allowDomain() method) can change the property.
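
As an added example (not code from this guide): a Stage owner SWF that allows one named domain and exposes an ExternalInterface callback, followed by a SWF loaded from another domain that reads frameRate and then tries to change it. The domain partner.example.com, the class names StageOwner and Guest, and the callback name setPaused are assumptions made for illustration.

```actionscript
// File: StageOwner.as  (the first SWF loaded; it owns the Stage)
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;
    import flash.system.Security;

    public class StageOwner extends Sprite {
        private var paused:Boolean = false;

        public function StageOwner() {
            // Allow one named domain (assumed) rather than the "*" wildcard.
            // The grant applies to SWF files and HTML pages from that domain.
            Security.allowDomain("partner.example.com");

            if (ExternalInterface.available) {
                // HTML-to-SWF entry point; a cross-domain caller fails
                // unless its domain was allowed above.
                ExternalInterface.addCallback("setPaused", setPaused);
            }
        }

        private function setPaused(value:Boolean):Boolean {
            paused = value;
            return paused;
        }
    }
}

// File: Guest.as  (a SWF loaded from a domain other than the owner's)
package {
    import flash.display.Sprite;
    import flash.events.Event;

    public class Guest extends Sprite {
        public function Guest() {
            // stage is null until this sprite is on the display list.
            addEventListener(Event.ADDED_TO_STAGE, onAdded);
        }

        private function onAdded(e:Event):void {
            trace("frameRate is", stage.frameRate); // any SWF file can read it
            try {
                stage.frameRate = 12; // needs the owner's allowDomain() grant
            } catch (err:SecurityError) {
                trace("Stage owner has not allowed this domain:", err.message);
            }
        }
    }
}
```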