Author (developer) controls

The main ActionScript API used to grant security privileges is the Security.allowDomain() method, which grant privileges to SWF files in the domains that you specify. In the following example, a SWF file grants access to SWF files served from the www.example.com domain:

Security.allowDomain("www.example.com")

This method grants permissions for the following:

The primary purpose of calling the Security.allowDomain() method is to grant permission for SWF files in an outside domain to script the SWF file calling the Security.allowDomain() method. For more information, see Cross-scripting.

Specifying an IP address as a parameter to the Security.allowDomain() method does not permit access by all parties that originate at the specified IP address. Instead, it permits access only by a party that contains the specified IP address as its URL, rather than a domain name that maps to that IP address. For example, if the domain name www.example.com maps to the IP address 192.0.34.166, a call to Security.allowDomain("192.0.34.166") does not grant access to www.example.com.

You can pass the "*" wildcard to the Security.allowDomain() method to allow access from all domains. Because it grants permission for SWF files from all domains to script the calling SWF file, use the "*" wildcard with care.

ActionScript includes a second permission API, called Security.allowInsecureDomain(). This method does the same thing as the Security.allowDomain() method, except that, when called from a SWF file served by a secure HTTPS connection, it additionally permits access to the calling SWF file by other SWF files that are served from an insecure protocol, such as HTTP. However, it is not a good security practice to allow scripting between files from a secure protocol (HTTPS) and those from insecure protocols (such as HTTP); doing so can open secure content to snooping and spoofing attacks. Here is how such attacks can work: since the Security.allowInsecureDomain() method allows access to your secure HTTPS data by SWF files served over HTTP connections, an attacker interposed between your HTTP server and your users could replace your HTTP SWF file with one of their own, which can then access your HTTPS data.

Another important security-related method is the Security.loadPolicyFile() method, which causes Flash Player to check for a policy file at a nonstandard location. For more information, see Website controls (policy files).