Flash CS4 Resources
Flash Player security overview
Much of Flash Player security is based on the domain of origin for loaded SWF files, media, and other assets. A SWF file from a specific Internet domain, such as www.example.com, can always access all data from that domain. These assets are put in the same security grouping, known as a security sandbox. (For more information, see Security sandboxes.)
For example, a SWF file can load SWF files, bitmaps, audio, text files, and any other asset from its own domain. Also, cross-scripting between two SWF files from the same domain is always permitted, as long as both files are written using ActionScript 3.0. Cross-scripting is the ability of one SWF file to use ActionScript to access the properties, methods, and objects in another SWF file.
Cross-scripting is not supported between SWF files written using ActionScript 3.0 and those using previous versions of ActionScript; however, these files can communicate by using the LocalConnection class. Also, the ability of a SWF file to cross-script ActionScript 3.0 SWF files from other domains and to load data from other domains is prohibited by default; however, such access can be granted with a call to the Security.allowDomain() method in the loaded SWF file. For more information, see Cross-scripting.
The following basic security rules always apply by default:
Flash Player considers the following to be individual domains, and sets up individual security sandboxes for each:
Even if a named domain, such as http://example.com, maps to a specific IP address, such as http://126.96.36.199, Flash Player sets up separate security sandboxes for each.
There are two basic methods that a developer can use to grant a SWF file access to assets from sandboxes other than that of the SWF file:
In the Flash Player security model, there is a distinction between loading content and extracting or accessing data. Content is defined as media, including visual media Flash Player can display, audio, video, or a SWF file that includes displayed media. Data is defined as something that is accessible only to ActionScript code. Content and data are loaded in different ways.
The Flash Player security model defines different rules for loading content and accessing data. In general, there are fewer restrictions on loading content than on accessing data.
In general, content (SWF files, bitmaps, mp3 files, and videos) can be loaded from anywhere, but if the content is from a domain other than that of the loading SWF file, it will be partitioned in a separate security sandbox.
There are a few barriers to loading content:
If the loaded media is an image, audio, or video, its data, such as pixel data and sound data, can be accessed by a SWF file outside its security sandbox only if the domain of that SWF file has been included in a URL policy file at the origin domain of the media. For details, see Accessing loaded media as data.
Other forms of loaded data include text or XML files, which are loaded with a URLLoader object. Again in this case, to access any data from another security sandbox, permission must be granted by means of a URL policy file at the origin domain. For details, see Using URLLoader and URLStream.