About ExternalInterface API security in Flex

Allowing applications built with Flex to call embedded scripts on HTML pages, and vice versa, is subject to stringent security constraints. By default, scripts on the HTML page can communicate with ActionScript in an application only if the page and the application are in the same domain. You can loosen this restriction so that it also covers applications outside of the domain.

About the call() method

The success of the call() method depends on the HTML page’s use of the allowScriptAccess parameter. This parameter is not an ActionScript mechanism; it is an HTML parameter. Its value determines whether your application can call JavaScript in the HTML page, and it applies to all functions on the page. The default value of allowScriptAccess only allows communication if the application and the HTML page are in the same domain.

In an HTML wrapper that uses SWFObject 2, you set the value of the allowscriptaccess property on the params object that is passed to the swfobject.embedSWF() method. The following example sets the value of the allowScriptAccess property to sameDomain:
// Player parameters handed to swfobject.embedSWF() as its params argument
var params = {};
params.quality = "high";
params.bgcolor = "#ffffff";
// Restrict call() to pages in the application's own domain (the default)
params.allowscriptaccess = "sameDomain";

The following table describes the valid values of the allowScriptAccess parameter:

never: The call() method fails.

sameDomain: The call() method succeeds if the calling application is from the same domain as the HTML page that loaded the application. This is the default value.

always: The call() method succeeds, regardless of whether the calling application is in the same domain as the HTML page that loaded the application.

If your HTML wrapper uses the <object> and <embed> tags, you set the value of the allowScriptAccess property on the <object> tag as follows:

<object id='SendComplexDataTypes' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' allowScriptAccess='sameDomain' height='100%' width='100%'>

On the <embed> tag, set the property as follows:

<embed name='SendComplexDataTypes.mxml.swf' src='SendComplexDataTypes.mxml.swf' allowScriptAccess='sameDomain' height='100%' width='100%' flashvars=''/>
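The following is an added example, not code from the Adobe documentation: a small audit function that reads the allowScriptAccess attribute from every <object> and <embed> tag in a wrapper and reports the effective setting, so a wrapper that grants "always" (or that sets the two tags inconsistently) is caught in review. It assumes that an absent attribute means the default "sameDomain" described above, and it parses only the attribute form shown on this page; the sample wrapper is constructed.

```javascript
// Added example, not from the Adobe documentation: audit an HTML wrapper and report
// the effective allowScriptAccess setting of every <object>/<embed> tag, so a wrapper
// that grants "always" is caught in review. Assumption: an absent attribute means the
// default "sameDomain" described above; only the attribute form on the tag is parsed.
const ALLOW_SCRIPT_ACCESS = {
  never: { risk: "none", note: "call() fails" },
  samedomain: { risk: "low", note: "call() succeeds only from the same domain" },
  always: { risk: "high", note: "call() succeeds from any domain" },
};
// Read one attribute (double-, single- or unquoted) from a tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}
function auditAllowScriptAccess(html) {
  const findings = [];
  const tagRe = /<(object|embed)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const value = attr(m[2], "allowScriptAccess");
    const known = ALLOW_SCRIPT_ACCESS[(value === null ? "sameDomain" : value).toLowerCase()];
    findings.push({
      tag: m[1].toLowerCase(),
      id: attr(m[2], "id") || attr(m[2], "name") || null,
      value: value === null ? "sameDomain (default, attribute absent)" : value,
      risk: known ? known.risk : "unknown",
      note: known ? known.note : "unrecognized value, check it against the Flash Player docs",
    });
  }
  return findings;
}
// Constructed sample wrapper: the page's <object>/<embed> pair, with the <embed>
// tag loosened to "always" (a mismatch a reviewer should flag), plus a tag that
// relies on the default.
const SAMPLE_WRAPPER = `
<object id='SendComplexDataTypes' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' allowScriptAccess='sameDomain' height='100%' width='100%'>
  <embed name='SendComplexDataTypes.mxml.swf' src='SendComplexDataTypes.mxml.swf' allowScriptAccess='always' height='100%' width='100%' flashvars=''/>
</object>
<embed name="noattr" src="other.swf"/>
`;
// Tags whose setting lets a page from any domain call into the application.
function permissiveTags(html) {
  return auditAllowScriptAccess(html).filter((f) => f.risk === "high");
}
```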

About the addCallback() method

Flex prevents JavaScript from calling arbitrary methods in your application by requiring that you explicitly make each method callable. By default, no method is callable from JavaScript. The addCallback() method of the ExternalInterface API lets a SWF file expose a specific interface that JavaScript can call.

By default, an HTML page can only communicate with the ActionScript in your application if it originates from the same domain. You allow HTML pages outside of the application’s domain to call methods of your application using the allowDomain() method. For more information, see the ActionScript 3.0 Reference for the Adobe Flash Platform.