Flash Player Security
An alternative way for a SWF file to access classes in loaded SWF files from a different security
sandbox is to have the loaded SWF file call the Security.allowDomain() method to grant
access to the domain of the calling SWF file. You can add the call to the
Security.allowDomain() method to the constructor method of the main class of the loaded
SWF file, and then have the loading SWF file add an event listener to respond to the init
event dispatched by the contentLoaderInfo property of the Loader object. When this event
is dispatched, the loaded SWF file has called the Security.allowDomain() method in the
constructor method, and classes in the loaded SWF file are available to the loading SWF file.
The loading SWF file can retrieve classes from the loaded SWF file by calling
Loader.contentLoaderInfo.applicationDomain.getDefinition().
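The sequence described above, as an added example that is not code from the original guide. The
class names LoadedMain, LoadingMain and com.example.Widget, the host www.example.com and the
SWF URL are assumptions chosen for illustration.

```actionscript
// ---- File 1: LoadedMain.as, main class of the loaded SWF (hypothetical name) ----
package {
    import flash.display.Sprite;
    import flash.system.Security;

    public class LoadedMain extends Sprite {
        public function LoadedMain() {
            // Grant access only to the exact host that loads this SWF (assumed value), not "*".
            Security.allowDomain("www.example.com");
        }
    }
}

// ---- File 2: LoadingMain.as, main class of the loading SWF (hypothetical name) ----
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.net.URLRequest;
    import flash.system.ApplicationDomain;

    public class LoadingMain extends Sprite {
        private var loader:Loader = new Loader();

        public function LoadingMain() {
            // Register listeners before load() so the init event cannot be missed.
            loader.contentLoaderInfo.addEventListener(Event.INIT, onInit);
            loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, onError);
            loader.load(new URLRequest("http://store.example.com/loaded.swf")); // assumed URL
        }

        private function onInit(event:Event):void {
            // init fires after the loaded SWF's constructor, and so its allowDomain() call, has run.
            var domain:ApplicationDomain = loader.contentLoaderInfo.applicationDomain;
            var name:String = "com.example.Widget"; // assumed class defined in the loaded SWF
            if (!domain.hasDefinition(name)) {
                trace("Class not found in loaded SWF: " + name);
                return;
            }
            var widgetClass:Class = domain.getDefinition(name) as Class;
            addChild(new widgetClass()); // assumes Widget is a DisplayObject subclass
        }

        private function onError(event:IOErrorEvent):void {
            trace("Load failed: " + event.text);
        }
    }
}
```

Passing the exact loading host to Security.allowDomain() keeps the grant limited to that one
domain; the hasDefinition() check avoids the ReferenceError that getDefinition() throws for a
missing class.
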
Working with legacy content
In Flash Player 6, the domain that is used for certain Flash Player settings is based on the
trailing portion of the domain of the SWF file. These settings include settings for camera and
microphone permissions, storage quotas, and storage of persistent shared objects.
If the domain of a SWF file includes more than two segments, such as www.example.com, the
first segment of the domain (www) is removed, and the remaining portion of the domain is
used. So, in Flash Player 6, www.example.com and store.example.com both use example.com
as the domain for these settings. Similarly, www.example.co.uk and store.example.co.uk both
use example.co.uk as the domain for these settings. This can lead to problems in which SWF
files from unrelated domains, such as example1.co.uk and example2.co.uk, have access to the
same shared objects.
In Flash Player 7 and later, player settings are chosen by default according to a SWF file's exact
domain. For example, a SWF file from www.example.com would use the player settings for
www.example.com. A SWF file from store.example.com would use the separate player settings
for store.example.com.
In a SWF file written using ActionScript 3.0, when Security.exactSettings is set to true
(the default), Flash Player uses exact domains for player settings. When it is set to false,
Flash Player uses the domain settings used in Flash Player 6. If you change exactSettings
from its default value, you must do so before any events occur that require Flash Player to
choose player settings—for example, using a camera or microphone, or retrieving a persistent
shared object.
If you published a version 6 SWF file and created persistent shared objects from it, to retrieve
those persistent shared objects from a SWF that uses ActionScript 3.0, you must set
Security.exactSettings to false before calling SharedObject.getLocal().