About compatibility with previous Flash Player security models

As a result of the security feature changes in Flash Player 7, content that runs as expected in Flash Player 6 or earlier might not run as expected in later versions of Flash Player. For example, in Flash Player 6, a SWF file that resides in www.adobe.com could read data on a server located at data.adobe.com; that is, Flash Player 6 allowed a SWF file from one domain to load data from a similar domain.

In Flash Player 7 and later, if a version 6 (or earlier) SWF file attempts to load data from a server that resides in another domain, and that server doesn't provide a policy file that allows reading from that SWF file's domain, the Flash Player Settings dialog box appears. The dialog box asks the user to allow or deny the cross-domain data access.

If the user clicks Allow, the SWF file can access the requested data; if the user clicks Deny, the SWF file cannot access the requested data.

To prevent this dialog box from appearing, you should create a security policy file on the server providing the data. For more information, see Allowing cross-domain data loading.

Flash Player 7 and later do not allow cross-domain access without a security policy file.
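The policy file described above is an XML document, conventionally served as crossdomain.xml from the root of the server that provides the data. The following is an added example, not part of the original documentation: a small Python audit that parses a constructed policy for data.adobe.com, checks whether a SWF file's domain is granted access, and flags overly broad grants. The sample policy, the partner.example domain, the function names, and the simplified wildcard matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, as it might be served from data.adobe.com.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.adobe.com" />
  <allow-access-from domain="*.partner.example" secure="false" />
</cross-domain-policy>"""

def parse_policy(xml_text):
    """Return a list of (domain_pattern, secure) tuples from a policy file."""
    # For policy files from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    rules = []
    for el in root.iter("allow-access-from"):
        pattern = el.get("domain", "").strip().lower()
        secure = el.get("secure", "true").strip().lower() != "false"
        if pattern:
            rules.append((pattern, secure))
    return rules

def pattern_matches(pattern, swf_domain):
    """Simplified model: exact name, "*", or a "*.suffix" wildcard."""
    swf_domain = swf_domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return swf_domain.endswith(pattern[1:])
    return pattern == swf_domain

def is_allowed(rules, swf_domain):
    """True if any rule grants read access to SWF files from swf_domain."""
    return any(pattern_matches(p, swf_domain) for p, _ in rules)

def audit(rules):
    """Return human-readable findings for grants broader than one host."""
    findings = []
    for pattern, secure in rules:
        if pattern == "*":
            findings.append("wildcard grants read access to SWF files from any domain")
        elif pattern.startswith("*."):
            findings.append(f"{pattern}: every subdomain is trusted")
        if not secure:
            findings.append(f'{pattern}: secure="false" lets SWF files loaded over HTTP read HTTPS data')
    return findings

if __name__ == "__main__":
    for finding in audit(parse_policy(SAMPLE_POLICY)):
        print(finding)
```

A policy that lists only the specific domains that need the data, as the first rule does for www.adobe.com, produces no findings.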

Flash Player 8 and later changed the way System.security.allowDomain is handled. A Flash SWF file (Flash 8 and later) that calls System.security.allowDomain with any argument, or any other SWF file that uses the wildcard (*) value, permits access only to itself. There is now support for a wildcard (*) value, for example: System.security.allowDomain("*") and System.security.allowInsecureDomain("*"). If a SWF file of version 7 or earlier calls System.security.allowDomain or System.security.allowInsecureDomain with an argument other than the wildcard (*), the call affects all SWF files of version 7 or lower in the calling SWF file's domain, as it did in Flash Player 7. However, this kind of call does not affect any Flash Player 8 (or later) SWF files in the calling SWF file's domain. This helps minimize breakage of legacy content in Flash Player.

For more information, see Restricting networking APIs, allowDomain (security.allowDomain method), and allowInsecureDomain (security.allowInsecureDomain method).

Flash Player 8 and later do not allow local SWF files to communicate with the Internet without a specific configuration on your computer. Suppose you have legacy content that was published before these restrictions were in effect. If that content tries to communicate with the network or local file system, or both, Flash Player stops the operation, and you must explicitly provide permission for the application to work properly. For more information, see About local file security and Flash Player.


Flash CS3