Cross-movie scripting occurs when one Flash movie loads another Flash
movie using MovieClipLoader.loadClip, loadMovie,
or loadMovieNum, and then one of the movies uses ActionScript
to examine or modify variables in the other movie, or calls functions
or methods in the other movie. By default, cross-movie scripting is
only permitted with movies that come from the same domain. Movies are
always allowed to load other movies from anywhere they wish, but security
restrictions may prevent those movies from communicating with each other.
Cross-movie scripting also occurs when an HTML page uses JavaScript (or another
scripting language) to script a Flash movie—for example, by calling SetVariable or GetVariable. Flash Player only permits this operation when the HTML page is from
the same domain as the Flash movie it attempts to script.
Flash Player 7 requires that movies come from exactly the same domain to be able to script one another. In addition, movies that are served over nonsecure protocols, such as HTTP, cannot script movies that are served over HTTPS (the reverse is not true: HTTPS movies may script HTTP movies). The same restrictions apply to HTML pages scripting Flash movies.
These new rules apply only when one or both of the movies are made for Flash Player 7. If both movies are made for Flash Player 6 or earlier, Flash Player 7 uses the old rules. Note that the old rules permit movies from the same superdomain to script each other; they also permit HTTP movies to script HTTPS movies.
When two movies are from different domains, Flash Player
ensures that the two movies have different copies of the ActionScript
global object. The global object is usually implicitly referenced. For
example, all objects in the Flash Player standard library,
such as MovieClip, Array, and so forth, are part of the global object.
The global object also holds global variables created by assigning properties
to _global. Separating global objects between movies from
different domains has occurred since Flash Player 6. However,
Flash Player 7 introduces a new restriction: movies made
for Flash Player 6 or earlier can never share a global object
with movies made for Flash Player 7 or later, even when the
movies are from exactly the same domain and protocol. This may have subtle
repercussions for sites that mix movies made for Flash Player
6 and 7.
If you have movies that you will serve from different domains and you want the
movies to be able to script each other, you can grant cross-domain scripting
permission. You do this by using the ActionScript method System.security.allowDomain, which has existed since Flash Player 6 but takes on slightly
different behavior in Flash Player 7.
If you have a movie at http://www.mysite.com/controller.swf that needs to load another movie from http://utility.flashutils.com/helper.swf and call methods defined in helper.swf, Flash Player 7 allows the process as long as you put the following ActionScript in helper.swf:
System.security.allowDomain( "www.mysite.com" );
Ensure that you understand the consequences of calling System.security.allowDomain. The above ActionScript permits any movie from the www.mysite.com domain to script any movie from the utility.flashutils.com domain.
When a movie made for Flash
Player 6 calls System.security.allowDomain and another movie made for Flash
Player 6 or earlier performs cross-movie scripting on that
movie, System.security.allowDomain works with superdomains. For example, with the above ActionScript, any movie
from www.mysite.com, store.mysite.com, and so forth can cross-script any movie from utility.flashutils.com, www.flashutils.com, and so forth. When either the movie calling System.security.allowDomain or the movie performing cross-movie scripting is made for Flash
Player 7 or later, System.security.allowDomain interprets domains exactly. This means that the above ActionScript would only
permit movies from www.mysite.com to access movies from utility.flashutils.com.
When a movie made for Flash
Player 6 calls System.security.allowDomain, this permits non-HTTPS
Flash movies of any version from the permitted domain to access HTTPS movies
in the domain of the granting movie. For example, the above ActionScript
would permit any Flash 7 movie from www.mysite.com to script HTTPS movies in the utility.flashutils.com domain.
In contrast, when a movie made for Flash
Player 7 or later calls System.security.allowDomain, this does not permit
cross-scripting of HTTPS movies by non-HTTPS movies. To grant permission
for movies made in version 7 or later, you must call the new System.security.allowInsecureDomain method. If you have a movie at http://www.mysite.com/controller.swf that needs to load another movie from https://secure.mysite.com/creditcard.swf and call methods in creditcard.swf, Flash Player 7 will permit the
operation as long as you put the following ActionScript in creditcard.swf:
System.security.allowInsecureDomain( "www.mysite.com" );
We do not recommend this practice, because allowing non-HTTPS
documents to access HTTPS documents can compromise the security offered
by HTTPS. It is preferable to serve over HTTPS all Flash
movies that require scripting access to HTTPS movies. However, if using
HTTPS for all your movies is prohibitively expensive or impractical, System.security.allowInsecureDomain will override the
Flash Player default HTTPS protection.
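The rules above can be checked against a site's mix of movies by writing them as one decision function. The JavaScript below is an added example, not part of the original page and not Flash Player code; canScript, superdomain, the movie object shape and the store.mysite.com/shop.swf URL are assumptions, grants are modelled per target movie, and a superdomain is taken to be the last two labels of the host name.

```javascript
// Added example: a model of the rules described on this page, not Flash Player code.
// A movie is { url, version, allowDomain: [...], allowInsecureDomain: [...] }.

// Assumption: a superdomain is the last two labels of the host name.
function superdomain(host) {
  return host.split(".").slice(-2).join(".");
}

function canScript(accessor, target) {
  const a = new URL(accessor.url);
  const t = new URL(target.url);
  // The Flash Player 7 rules apply when one or both movies are made for version 7.
  const strict = accessor.version >= 7 || target.version >= 7;
  const sameDomain = (x, y) =>
    strict ? x === y : superdomain(x) === superdomain(y);
  // A non-HTTPS movie scripting an HTTPS movie.
  const downgrade = a.protocol !== "https:" && t.protocol === "https:";

  // Default policy, before any grant made by the target movie.
  if (sameDomain(a.hostname, t.hostname) && !(strict && downgrade)) return true;

  const granted = (list) =>
    (list || []).some((d) => sameDomain(a.hostname, d.toLowerCase()));

  // A version 7 grantor must opt in to non-HTTPS callers explicitly.
  if (downgrade && target.version >= 7) return granted(target.allowInsecureDomain);
  // Otherwise allowDomain decides; from a version 6 grantor it also covers HTTP callers.
  return granted(target.allowDomain);
}

// Constructed scenarios built from the page's example URLs.
const controller = { url: "http://www.mysite.com/controller.swf", version: 7 };
const store = { url: "http://store.mysite.com/shop.swf", version: 7 }; // hypothetical
const helper = { url: "http://utility.flashutils.com/helper.swf", version: 7,
                 allowDomain: ["www.mysite.com"] };
const card = { url: "https://secure.mysite.com/creditcard.swf", version: 7,
               allowDomain: ["www.mysite.com"] };

console.log("controller -> helper:", canScript(controller, helper));
console.log("store -> helper:", canScript(store, helper));
console.log("controller -> card (allowDomain only):", canScript(controller, card));
console.log("controller -> card (allowInsecureDomain):",
  canScript(controller, { ...card, allowInsecureDomain: ["www.mysite.com"] }));
```

Changing a movie's version field from 7 to 6 shows how mixing movies made for Flash Player 6 and 7 on one site changes which grants are honoured.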