of security model used by the Flash Player and AIR runtimes is based
on the domain of origin for loaded SWF files, HTML, media, and other
assets. Executable code in a file from a specific Internet domain,
such as www.example.com, can always access all data from that domain.
These assets are put in the same security grouping, known as a
(For more information, see
For example, ActionScript code in a SWF file can load SWF files,
bitmaps, audio, text files, and any other asset from its own domain.
Also, cross-scripting between two SWF files from the same domain
is always permitted, as long as both files are written using ActionScript
is the ability of code in one file to access
the properties, methods, and objects defined by the code in another
Cross-scripting is not supported between SWF files written using
ActionScript 3.0 and those using previous versions of ActionScript;
however, these files can communicate by using the LocalConnection
class. Also, the ability of a SWF file to cross-script ActionScript
3.0 SWF files from other domains and to load data from other domains
is prohibited by default; however, such access can be granted with a
call to the
method in the
loaded SWF file. For more information, see
The following basic security rules always apply by default:
The Flash Player and AIR runtimes consider the following to be
individual domains, and set up individual security sandboxes for
Even if a named domain, such as http://example.com, maps to a
specific IP address, such as http://184.108.40.206, the runtimes set
up separate security sandboxes for each.
There are two basic methods that a developer can use to grant
a SWF file access to assets from sandboxes other than that of the
In the Flash Player and AIR runtime security models, there is
a distinction between loading content and extracting or accessing
is defined as media, including visual media
the runtimes can display, audio, video, or a SWF file or HTML that
includes displayed media.
is defined as something that
is accessible only to code. Content and data are loaded in different
Loading content—You can load content using classes such
as the Loader, Sound, and NetStream classes; through MXML tags when
using Flex; or through HTML tags in an AIR application.
Extracting data—You can extract data from loaded media content
by using Bitmap objects, the
property, or the
method is available in Flash
Player 11.3 and higher; AIR 3.3 and higher.
Accessing data—You can access data directly by loading it
from an external file (such as an XML file) using classes such as
the URLStream, URLLoader, FileReference, Socket, and XMLSocket classes.
AIR provides additional classes for loading data, such as FileStream,
The Flash Player security model defines different rules for loading
content and accessing data. In general, there are fewer restrictions
on loading content than on accessing data.
In general, content (SWF files, bitmaps, mp3 files, and videos)
can be loaded from anywhere, but if the content is from a domain
other than that of the loading code or content, it will be partitioned
in a separate security sandbox.
There are a few barriers to loading content:
By default, local SWF files (those loaded from a non-network
address, such as a user’s hard drive) are classified in the local-with-filesystem
sandbox. These files cannot load content from the network. For more
Real-Time Messaging Protocol (RTMP) servers can limit access
to content. For more information, see
Content delivered using RTMP servers
If the loaded media is an image, audio, or video, its data, such
as pixel data and sound data, can be accessed by a SWF file outside
its security sandbox only if the domain of that SWF file has been
included in a URL policy file at the origin domain of the media.
For details, see
Accessing loaded media as data
Other forms of loaded data include text or XML files, which are
loaded with a URLLoader object. Again in this case, to access any
data from another security sandbox, permission must be granted by
means of a URL policy file at the origin domain. For details, see
Using URLLoader and URLStream
Policy files are never required in order for code executing
in the AIR application sandbox to load remote content or data.