Cross-Domain Policy
Macromedia has defined very stringent policies (which it calls the security sandbox) for controlling and managing how SWF files can interact with one another and with executable files on the Web or on your hard drive. Most of these policies are more stringent in Flash Player 7 than in previous versions (and more stringent than those of many other web technologies). You may find that some sites that work with Flash Player 6 do not work in Flash Player 7 because of the added security restrictions, as described at http://www.macromedia.com/devnet/mx/flash/articles/fplayer_security.html.

Macromedia's cross-domain policy determines whether a SWF can load or communicate with other SWFs or content from other domains. In particular, for Flash Player 7, the default policy is as follows:
A SWF is not allowed to load another SWF unless it is loaded from exactly the same domain.

A SWF is not allowed to communicate with any other SWF (i.e., using the LocalConnection class) unless both SWFs come from exactly the same domain.

A SWF is not allowed to load assets from a different domain than the one from which the SWF is running.
You can modify this default policy to allow SWFs from other domains to interact with your SWFs. The following resources describe the policy and the ways to relax it:
moock.org's Cross-Domain Policy File technote (http://moock.org/asdg/technotes/crossDomainPolicyFiles) discusses the conditions that cause a warning dialog to appear when playing Flash Player 6-format (and older) SWF files in Flash Player 7, and that cause data loading to fail in Flash Player 7-format SWF files.

The Flash technote "Macromedia Flash Security Sandbox" (http://www.macromedia.com/support/flash/ts/documents/security_sandbox.htm) explains the Flash Player 7 security sandbox. The sandbox provides a restricted area that "surrounds" the Flash Player to restrict access to private data and prevent a SWF from executing potentially damaging applications.

Flash technote 16520, "Loading Data Across Domains" (http://www.macromedia.com/support/flash/ts/documents/load_xdomain.htm), explains which operations are allowed and disallowed when attempting to load assets from a different domain than the one from which the SWF is running.

Macromedia technote 14213, "External data not accessible outside a Macromedia Flash movie's domain" (http://www.macromedia.com/support/flash/ts/documents/loadvars_security.htm), explains the limitations on loading data, typically via the LoadVars class, from domains other than the one hosting the SWF.

The LocalConnection.allowDomain( ) event handler, described in Recipe 17.4 ("Accepting Communications from Other Domains") in the ActionScript Cookbook, allows you to specify other domains from which SWFs can create local connections to the current SWF.

Recipe 15.6 ("Loading Remote Content by Proxy") in the ActionScript Cookbook explains how to work around the cross-domain limitations on loading content by using a proxy server.

The System.security.allowDomain( ) method, described in Recipe 15.2 ("Loading an External SWF from a Trusting Domain") in the ActionScript Cookbook, allows you to specify which domains are allowed to load your SWF file.

If a Flash movie served via HTTP attempts to access secure HTTPS content, the operation fails silently by default. Flash MX 2004 adds a System.security.allowInsecureDomain( ) method, which allows a SWF published for Flash Player 7 to permit HTTP-to-HTTPS access. (This is not recommended because it compromises HTTPS security, but it may be required to permit access to HTTPS files published for Flash Player 7 or later from HTTP files published for Flash Player 6.)

Users can access the web-based Settings Manager by clicking the Advanced button on the Privacy tab of the Settings dialog box. Once at Macromedia's site, the user can configure global and domain-specific options regarding cross-domain policies.
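The server-side counterpart of allowDomain( ) and allowInsecureDomain( ) is the cross-domain policy file (crossdomain.xml) the technotes above describe. The following added example, which is not code from the page or from Macromedia, parses such a file, decides whether a requesting SWF origin would be admitted, and flags the two settings a reviewer would question: the allow-all wildcard and secure="false" (the file-level analogue of allowInsecureDomain( )). The sample policy is constructed, and the wildcard matching rule is an assumption stated in the comments.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy (not from the page): one exact host, one
# subdomain wildcard, and one overly broad entry that also disables the
# HTTPS requirement.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.partner.example"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

def parse_policy(xml_text):
    """Return a list of (domain, secure) tuples from a crossdomain.xml."""
    root = ET.fromstring(xml_text)
    entries = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # secure defaults to true; only an explicit "false" disables it.
        secure = el.get("secure", "true").lower() != "false"
        entries.append((domain, secure))
    return entries

def domain_matches(pattern, host):
    """Assumed wildcard semantics: '*' matches any host, '*.x' matches x
    and every subdomain of x, anything else must match the host exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def is_allowed(policy_entries, requester_url, policy_is_https):
    """Would a SWF at requester_url be admitted by this policy file?"""
    parts = urlsplit(requester_url)
    host = parts.hostname or ""
    for domain, secure in policy_entries:
        if not domain_matches(domain, host):
            continue
        # A policy served over HTTPS admits HTTP requesters only when
        # the matching entry carries secure="false".
        if policy_is_https and parts.scheme != "https" and secure:
            continue
        return True
    return False

def audit(policy_entries):
    """Flag the entries that weaken the same-domain default."""
    findings = []
    for domain, secure in policy_entries:
        if domain == "*":
            findings.append("allow-all wildcard: any site can read this data")
        if not secure:
            findings.append(f'{domain}: secure="false" lets HTTP SWFs read HTTPS data')
    return findings
```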