User Guide
482 Flash Player Security
Set this parameter in the HTML code for the web page that hosts a SWF file. You set the
parameter in the
PARAM or EMBED tag.
The AllowScriptAccess parameter can have one of three possible values: "always",
"sameDomain", or "never":
■ When AllowScriptAccess is "sameDomain", outbound scripting is allowed only if the
SWF file and the web page are in the same domain. This is the default for AVM2 content.
■ When AllowScriptAccess is "never", outbound scripting always fails.
■ When AllowScriptAccess is "always", outbound scripting always succeeds.
If the
AllowScriptAccess parameter is not specified for a SWF file in an HTML page, it
defaults to
"sameDomain" for AVM2 content.
Here is an example of setting the
AllowScriptAccess tag in an HTML page:
<object id='MyMovie.swf' classid='clsid:D27CDB6E-AE6D-11cf-96B8-
444553540000' codebase='http://download.adobe.com/pub/shockwave/cabs/
flash/swflash.cab#version=9,0,0,0' height='100%' width='100%'>
<param name='AllowScriptAccess' value='never'/>
<param name='src' value=''MyMovie.swf'/>
<embed name='MyMovie.swf' pluginspage='http://www.adobe.com/go/
getflashplayer' src='MyMovie.swf' height='100%' width='100%'
AllowScriptAccess='never'/>
</object>
The AllowScriptAccess parameter can prevent a SWF file hosted from one domain from
accessing a script in an HTML page that comes from another domain. Using
AllowScriptAccess="never" for all SWF files hosted from another domain can ensure the
security of scripts located in an HTML page.
For more information, see the following entries in the ActionScript 3.0 Language Reference:
■ The flash.system.fscommand() function
■ The flash.net.navigateToURL() function
■ The call() method of the ExternalInterface class