Flash Player 9 and later, Adobe AIR 1.0 and later

If two SWF files written with ActionScript 3.0, or two HTML files running in AIR are served from the same domain—for example, the URL for one SWF file is and the URL for the other is—then code defined in one file can examine and modify variables, objects, properties, methods, and so on in the other, and vice versa. This is called cross-scripting .

If the two files are served from different domains—for example, and—then, by default, Flash Player and AIR do not allow swfA.swf to script swfB.swf, nor swfB.swf to script swfA.swf. A SWF file gives permission to SWF files from other domains by calling Security.allowDomain() . By calling Security.allowDomain("") , swfB.swf gives SWF files from permission to script it.

Cross-scripting is not supported between AVM1 SWF files and AVM2 SWF files. An AVM1 SWF file is one created by using ActionScript 1.0 or ActionScript 2.0. (AVM1 and AVM2 refer to the ActionScript Virtual Machine.) You can, however, use the LocalConnection class to send data between AVM1 and AVM2.

In any cross-domain situation, it is important to be clear about the two parties involved. For the purposes of this discussion, the side that is performing the cross-scripting is called the accessing party (usually the accessing SWF), and the other side is called the party being accessed (usually the SWF being accessed). When siteA.swf scripts siteB.swf, siteA.swf is the accessing party, and siteB.swf is the party being accessed, as the following illustration shows:

Cross-domain permissions that are established with the Security.allowDomain() method are asymmetrical. In the previous example, siteA.swf can script siteB.swf, but siteB.swf cannot script siteA.swf, because siteA.swf has not called the Security.allowDomain() method to give SWF files at permission to script it. You can set up symmetrical permissions by having both SWF files call the Security.allowDomain() method.

In addition to protecting SWF files from cross-domain scripting originated by other SWF files, Flash Player protects SWF files from cross-domain scripting originated by HTML files. HTML-to-SWF scripting can occur with callbacks established through the ExternalInterface.addCallback() method. When HTML-to-SWF scripting crosses domains, the SWF file being accessed must call the Security.allowDomain() method, just as when the accessing party is a SWF file, or the operation will fail. For more information, see Author (developer) controls .

Also, Flash Player provides security controls for SWF-to-HTML scripting. For more information, see Controlling outbound URL access .

// Ethnio survey code removed