Flash Player security overview

Much of Flash Player security is based on the domain of origin for loaded SWF files, media, and other assets. A SWF file from a specific Internet domain, such as www.example.com, can always access all data from that domain. These assets are put in the same security grouping, known as a security sandbox. (For more information, see Security sandboxes.)

For example, a SWF file can load SWF files, bitmaps, audio, text files, and any other asset from its own domain. Also, cross-scripting between two SWF files from the same domain is always permitted, as long as both files are written using ActionScript 3.0. Cross-scripting is the ability of one SWF file to use ActionScript to access the properties, methods, and objects in another SWF file.

Cross-scripting is not supported between SWF files written using ActionScript 3.0 and those using previous versions of ActionScript; however, these files can communicate by using the LocalConnection class. Also, the ability of a SWF file to cross-script ActionScript 3.0 SWF files from other domains and to load data from other domains is prohibited by default; however, such access can be granted with a call to the Security.allowDomain() method in the loaded SWF file. For more information, see Cross-scripting.

The following basic security rules always apply by default:

• Resources in the same security sandbox can always access each other.

• SWF files in a remote sandbox can never access local files and data.

Flash Player considers the following to be individual domains, and sets up individual security sandboxes for each:

• http://example.com

• http://www.example.com

• http://store.example.com

• https://www.example.com

• http://192.0.34.166

Even if a named domain, such as http://example.com, maps to a specific IP address, such as http://192.0.34.166, Flash Player sets up separate security sandboxes for each.

There are two basic methods that a developer can use to grant a SWF file access to assets from sandboxes other than that of the SWF file:

• The Security.allowDomain() method (see Author (developer) controls)

• The URL policy file (see Website controls (policy files))

In the Flash Player security model, there is a distinction between loading content and extracting or accessing data. Content is defined as media, including visual media Flash Player can display, audio, video, or a SWF file that includes displayed media. Data is defined as something that is accessible only to ActionScript code. Content and data are loaded in different ways.

• Loading content—You can load content using classes such as the Loader, Sound, and NetStream classes.

• Extracting data—You can extract data from loaded media content by using Bitmap objects, the BitmapData.draw() method, the Sound.id3 property, or the SoundMixer.computeSpectrum() method.

• Accessing data—You can access data directly by loading it from an external file (such as an XML file) using classes such as the URLStream, URLLoader, Socket, and XMLSocket classes.

The Flash Player security model defines different rules for loading content and accessing data. In general, there are fewer restrictions on loading content than on accessing data.

In general, content (SWF files, bitmaps, mp3 files, and videos) can be loaded from anywhere, but if the content is from a domain other than that of the loading SWF file, it will be partitioned in a separate security sandbox.

There are a few barriers to loading content:

• By default, local SWF files (those loaded from a non-network address, such as a user’s hard drive) are classified in the local-with-filesystem sandbox. These files cannot load content from the network. For more information, see Local sandboxes.

• Real-Time Messaging Protocol (RTMP) servers can limit access to content. For more information, see Content delivered using RTMP servers.

If the loaded media is an image, audio, or video, its data, such as pixel data and sound data, can be accessed by a SWF file outside its security sandbox only if the domain of that SWF file has been included in a URL policy file at the origin domain of the media. For details, see Accessing loaded media as data.

Other forms of loaded data include text or XML files, which are loaded with a URLLoader object. Again in this case, to access any data from another security sandbox, permission must be granted by means of a URL policy file at the origin domain. For details, see Using URLLoader and URLStream.