If two SWF files written with ActionScript 3.0, or two HTML files running in AIR are served from the same domain—for example, the URL for one SWF file is http://www.example.com/swfA.swf and the URL for the other is http://www.example.com/swfB.swf—then code defined in one file can examine and modify variables, objects, properties, methods, and so on in the other, and vice versa. This is called cross-scripting.

If the two files are served from different domains—for example, http://siteA.com/swfA.swf and http://siteB.com/swfB.swf—then, by default, Flash Player and AIR do not allow swfA.swf to script swfB.swf, nor swfB.swf to script swfA.swf. A SWF file gives permission to SWF files from other domains by calling Security.allowDomain(). By calling Security.allowDomain("siteA.com"), swfB.swf gives SWF files from siteA.com permission to script it.

Cross-scripting is not supported between AVM1 SWF files and AVM2
SWF files. An AVM1 SWF file is one created by using ActionScript
1.0 or ActionScript 2.0. (AVM1 and AVM2 refer to the ActionScript
Virtual Machine.) You can, however, use the LocalConnection class
to send data between AVM1 and AVM2.

In any cross-domain situation, it is important to be clear about the two parties involved. For the purposes of this discussion, the side that is performing the cross-scripting is called the accessing party (usually the accessing SWF), and the other side is called the party being accessed (usually the SWF being accessed). When siteA.swf scripts siteB.swf, siteA.swf is the accessing party, and siteB.swf is the party being accessed, as the following illustration shows:

Cross-domain permissions that are established with the Security.allowDomain() method are asymmetrical. In the previous example, siteA.swf can script siteB.swf, but siteB.swf cannot script siteA.swf, because siteA.swf has not called the Security.allowDomain() method to give SWF files at siteB.com permission to script it. You can set up symmetrical permissions by having both SWF files call the Security.allowDomain() method.

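The asymmetric grant described above, as an added ActionScript 3.0 example (not code from the original page): swfB.swf allows siteA.com, and swfA.swf checks for that permission before scripting it. The class names SwfA and SwfB and the greeting member are hypothetical; the two classes would live in separate source files.

```actionscript
// --- swfB.swf, served from http://siteB.com/ (the party being accessed) ---
package {
    import flash.display.Sprite;
    import flash.system.Security;

    public class SwfB extends Sprite {
        public var greeting:String = "set by swfB";   // hypothetical member

        public function SwfB() {
            // Grant only the one domain that needs access.
            // Security.allowDomain("*") would let a SWF from any domain script this file.
            Security.allowDomain("siteA.com");
        }
    }
}

// --- swfA.swf, served from http://siteA.com/ (the accessing party) ---
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLRequest;

    public class SwfA extends Sprite {
        private var loader:Loader = new Loader();

        public function SwfA() {
            // swfA makes no allowDomain() call, so swfB gets no access to swfA.
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onLoaded);
            loader.load(new URLRequest("http://siteB.com/swfB.swf"));
            addChild(loader);
        }

        private function onLoaded(e:Event):void {
            // childAllowsParent is true only if swfB granted siteA.com access.
            if (!loader.contentLoaderInfo.childAllowsParent) {
                trace("swfB has not allowed this domain; not scripting it");
                return;
            }
            try {
                var b:Object = loader.content;   // throws SecurityError without permission
                b.greeting = "modified by swfA";
            } catch (err:SecurityError) {
                trace("cross-scripting denied: " + err.message);
            }
        }
    }
}
```
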
In addition to protecting SWF files from cross-domain scripting originated by other SWF files, Flash Player protects SWF files from cross-domain scripting originated by HTML files. HTML-to-SWF scripting can occur with callbacks established through the ExternalInterface.addCallback() method. When HTML-to-SWF scripting crosses domains, the SWF file being accessed must call the Security.allowDomain() method, just as when the accessing party is a SWF file, or the operation will fail. For more information, see Author (developer) controls.

Also, Flash Player provides security controls for SWF-to-HTML scripting. For more information, see Controlling outbound URL access.