Allowing data access between cross-domain SWF files

For two SWF files to access each other's data (variables and objects), the two files must originate from the same domain. By default, in Flash Player 7 and later, the two domains must match exactly for the two files to share data. However, a SWF file can grant access to SWF files served from specific domains by calling LocalConnection.allowDomain or System.security.allowDomain().

System.security.allowDomain() lets SWF files and HTML files in specified domains access objects and variables in the SWF file that contains the allowDomain() call.

If two SWF files are served from the same domain--for example, http://adobe.com/movieA.swf and http://adobe.com/movieB.swf--then movieA.swf can examine and modify variables, objects, properties, methods, and so on in movieB.swf, and movieB can do the same for movieA. This is called cross-movie scripting, or cross-scripting.

If two SWF files are served from different domains--for example, http://adobe.com/movieA.swf and http://helpexamples.com/movieB.swf--then, by default, Flash Player does not allow movieA.swf to script movieB.swf, nor movieB.swf to script movieA.swf. A SWF file gives SWF files from other domains permission to script it by calling System.security.allowDomain(). If movieB.swf calls System.security.allowDomain("adobe.com"), it gives movieA.swf permission to script movieB.swf. This is called cross-domain scripting.

For further information on System.security.allowDomain(), cross-scripting, and cross-domain scripting, see allowDomain (security.allowDomain method) in the ActionScript 2.0 Language Reference.

For example, suppose main.swf is served from www.adobe.com. That SWF file then loads another SWF file (data.swf) from data.adobe.com into a movie clip instance that's created dynamically using createEmptyMovieClip().

// In main.swf (served from www.adobe.com)
this.createEmptyMovieClip("target_mc", this.getNextHighestDepth());
target_mc.loadMovie("http://data.adobe.com/data.swf");

Suppose that data.swf defines a method named getData() on its main Timeline. By default, main.swf cannot call the getData() method defined in data.swf after that file has loaded because the two SWF files do not reside in the same domain. For example, the following method call in main.swf, after data.swf has loaded, fails:

// In main.swf, after data.swf has loaded:
target_mc.getData(); // This method call will fail

However, data.swf can grant access to SWF files served from www.adobe.com by using the LocalConnection.allowDomain handler and the System.security.allowDomain() method, depending on the type of access required. The following code, added to data.swf, allows a SWF file served from www.adobe.com to access its variables and methods:

// Within data.swf
this._lockroot = true;
System.security.allowDomain("www.adobe.com");
var my_lc:LocalConnection = new LocalConnection();
my_lc.allowDomain = function(sendingDomain:String):Boolean {
    return (sendingDomain == "www.adobe.com");
};
function getData():Void {
    var timestamp:Date = new Date();
    output_txt.text += "data.swf:" + timestamp.toString() + "\n\n";
}
output_txt.text = "**INIT**:\n\n";

Now main.swf can call the getData() function in the loaded SWF file. Notice that allowDomain permits any SWF file in the allowed domain to script any other SWF file in the domain permitting the access, unless the SWF file being accessed is hosted on a site using a secure protocol (HTTPS).

For more information on domain-name matching, see Cross-domain and subdomain access between SWF files.
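
Because an allowDomain() grant covers every SWF file on the named domain, it is worth listing every grant a SWF file makes. The following Python audit is an added example, not part of the original documentation: it scans ActionScript 2.0 source for System.security.allowDomain() calls and reports how broad each grant is. It goes beyond the page by also flagging the "*" wildcard argument and System.security.allowInsecureDomain(), both real Flash APIs the page does not mention; the sample source and the _root.partnerDomain variable are constructed.

```python
import re

# System.security.allowDomain(...) / allowInsecureDomain(...) with the raw argument list.
CALL_RE = re.compile(r"System\.security\.(allowDomain|allowInsecureDomain)\s*\(([^)]*)\)")
LITERAL_RE = re.compile(r"""^(["'])(.*)\1$""")

def audit_grants(source):
    """Return [(line_no, method, argument, finding)] for every cross-domain grant."""
    results = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):      # skip fully commented-out lines
            continue
        for method, raw_args in CALL_RE.findall(line):
            # allowDomain() accepts several domains in one call
            for arg in (a.strip() for a in raw_args.split(",")):
                if not arg:
                    continue
                literal = LITERAL_RE.match(arg)
                if literal is None:
                    finding = "review: domain computed at run time"
                elif literal.group(2) == "*":
                    finding = "high: wildcard grants every domain"
                elif method == "allowInsecureDomain":
                    finding = "high: lets non-HTTPS files script an HTTPS-served file"
                else:
                    finding = "info: every SWF file on this domain may script this file"
                results.append((line_no, method, arg.strip("\"'"), finding))
    return results

# Constructed sample input (not from the page): ActionScript 2.0 source to audit.
SAMPLE = '''\
// System.security.allowDomain("old.example.com");
System.security.allowDomain("www.adobe.com");
System.security.allowDomain("*");
System.security.allowDomain(_root.partnerDomain);
System.security.allowInsecureDomain("www.adobe.com");
'''

if __name__ == "__main__":
    for row in audit_grants(SAMPLE):
        print("line %d: %s(%s) -> %s" % row)
```
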


Flash CS3