Security changes in Flash Player 7


The Restrictions

There are two areas where a Flash movie can retrieve other documents from a URL:

  • Movie loading: A Flash movie loads another Flash movie using the ActionScript method MovieClipLoader.loadClip, loadMovie, or loadMovieNum.
  • Data loading: A Flash movie retrieves some other form of data, such as loading an XML document, retrieving the output of a loadVariables script, or connecting to an XMLSocket server.

Flash Player enforces certain cross-domain restrictions for these operations. All cross-domain restrictions compare the URL of the Flash movie making the request with the URL it requests. If the two URLs come from the same domain, Flash Player permits the operation. With movie loading, Flash Player always permits the actual loadMovie operation, but if the URLs of the loading and loaded movie do not come from the same domain, then it does not allow the two movies to interact with each other's ActionScript variables and methods. Data loading operations work differently; if the domains do not match, Flash Player does not permit the operation at all.

Domain matching changes

Flash Player 6 compared domains using superdomains. The superdomain of a domain is a similar domain that has the first component removed. For example, the superdomain of www.mysite.com is mysite.com.

Flash Player 6 considered the domains www.mysite.com and store.mysite.com to be a match. A movie served from http://www.mysite.com/myMovie.swf could use ActionScript to interact with another movie loaded with the loadMovie method from http://store.mysite.com/anotherMovie.swf, or download an XML file from http://store.mysite.com/myData.xml.

In Flash Player 7, however, www.mysite.com and store.mysite.com are not a match. The only domains that match are those that are identical—for example, www.mysite.com and www.mysite.com. The earlier examples are no longer permitted. You can modify the default Flash Player security rules using permission mechanisms, which this article explains in further detail.

Note that web browsers have required exact domain matching for some time.

Protocol matching changes

In Flash Player 6, domains were the only aspects of URLs that the Flash Player examined. This meant that, for example, a movie served from http://www.mysite.com/myHttpMovie.swf could use ActionScript to interact with another movie loaded with loadMovie from https://www.mysite.com/mySecureMovie.swf, or download an XML file from https://www.mysite.com/mySecureData.xml.

In Flash Player 7, a movie served over a nonsecure protocol, such as HTTP, cannot access other documents served over the secure HTTPS protocol, even when those documents come from the same domain. This means that the above examples are no longer permitted by default.

You can modify the default Flash Player security rules by using permission mechanisms, which this article explains in further detail. However, we recommend against overriding the default HTTPS protection because doing so weakens the security offered by HTTPS.

The HTTPS restriction is asymmetrical; movies served over HTTPS can access other documents served over insecure protocols.

Note that web browsers have protected HTTPS documents in the same way for some time.
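The domain-matching and protocol-matching rules above can be modelled as a small policy check. The following is an added illustration, not code from the article or from Flash Player itself: it implements the Flash Player 6 superdomain comparison and the Flash Player 7 exact-host and asymmetric HTTPS rules as described on this page, and applies them to the article's own example URLs. Function names, the requirement that a shared superdomain have at least two labels (so that mysite.com and othersite.com do not match on "com"), and the treatment of hosts are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Schemes the example treats as "secure" for the HTTPS rule (assumption: only https).
SECURE_SCHEMES = {"https"}


def _host(url):
    """Lower-cased host of a URL; an empty string if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def _scheme(url):
    return urlsplit(url).scheme.lower()


def superdomain(host):
    """Drop the first label: www.mysite.com -> mysite.com (the article's definition)."""
    parts = host.split(".")
    return ".".join(parts[1:]) if len(parts) > 1 else host


def flash6_domains_match(requester, target):
    """Flash Player 6 rule: identical hosts match, and so do hosts sharing a superdomain.

    Assumption for this example: the shared superdomain must itself have at least
    two labels, so two unrelated second-level domains do not match on their TLD.
    """
    a, b = _host(requester), _host(target)
    if a == b:
        return True
    sa, sb = superdomain(a), superdomain(b)
    return sa == sb and "." in sa


def flash7_domains_match(requester, target):
    """Flash Player 7 rule: only identical hosts match."""
    return _host(requester) == _host(target)


def flash7_protocol_ok(requester, target):
    """Flash Player 7 HTTPS rule, which is asymmetric: a movie served over a
    nonsecure scheme may not reach an HTTPS document, but an HTTPS movie may
    reach documents served over insecure schemes."""
    if _scheme(target) in SECURE_SCHEMES and _scheme(requester) not in SECURE_SCHEMES:
        return False
    return True


def flash6_data_load_allowed(requester, target):
    """Data loading (XML, loadVariables, XMLSocket) in Flash Player 6: domain only."""
    return flash6_domains_match(requester, target)


def flash7_data_load_allowed(requester, target):
    """Data loading in Flash Player 7: exact host AND the HTTPS rule must both pass."""
    return flash7_domains_match(requester, target) and flash7_protocol_ok(requester, target)


def flash7_movie_load(requester, target):
    """Movie loading in Flash Player 7: the load itself always succeeds, but the two
    movies may script each other only when the full policy would allow data access."""
    return {"loads": True, "scripting": flash7_data_load_allowed(requester, target)}


if __name__ == "__main__":
    # The article's own example URLs, used here as constructed sample input.
    movie = "http://www.mysite.com/myMovie.swf"
    store_xml = "http://store.mysite.com/myData.xml"
    http_movie = "http://www.mysite.com/myHttpMovie.swf"
    secure_xml = "https://www.mysite.com/mySecureData.xml"
    print("FP6 www->store XML:", flash6_data_load_allowed(movie, store_xml))    # True
    print("FP7 www->store XML:", flash7_data_load_allowed(movie, store_xml))    # False
    print("FP6 http->https XML:", flash6_data_load_allowed(http_movie, secure_xml))  # True
    print("FP7 http->https XML:", flash7_data_load_allowed(http_movie, secure_xml))  # False
    print("FP7 movie load www->store:", flash7_movie_load(movie, store_xml))
```

The two data-loading helpers make the Flash Player 7 change visible as a stricter predicate: every request that passes `flash7_data_load_allowed` also passes `flash6_data_load_allowed`, but not the reverse. A real deployment would layer the permission mechanisms the article mentions on top of these defaults; this example models only the default behaviour.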