Allowing HTTP to HTTPS protocol access between SWF files

In addition to the exact-domain matching rules, you must explicitly permit files hosted at sites using a secure protocol (HTTPS) to be accessed by files hosted at sites using an insecure protocol. Depending on whether the called file is published for Flash Player 6 or later, you must implement either one of the allowDomain statements (see Cross-domain and subdomain access between SWF files), or use the LocalConnection.allowInsecure Domain or System.security.allowInsecureDomain() statements.

For example, if the SWF file at https://www.adobe.com/data.swf must allow access by a SWF file at http://www.adobe.com, the following code added to data.swf allows this access:

// Within data.swf
System.security.allowInsecureDomain("www.adobe.com");
my_lc.allowInsecureDomain = function(sendingDomain:String):Boolean {
    return (sendingDomain == "www.adobe.com");
};

WARNING

Implementing an allowInsecureDomain() statement compromises the security offered by the HTTPS protocol. You should make these changes only if you can't reorganize your site so that all SWF files are served from the HTTPS protocol.

The following code shows an example of the changes you might have to make:

// Commands in a Flash Player 6 SWF file at https://www.adobe.com 
// to allow access by Flash Player 7 SWF files that are hosted 
// at http://www.adobe.com or at http://www.helpexamples.com
System.security.allowDomain("helpexamples.com");
my_lc.allowDomain = function(sendingDomain) {    
    return(sendingDomain=="helpexamples.com");
}
// Corresponding commands in a Flash Player 7 SWF file
// to allow access by Flash Player 7 SWF files that are hosted 
// at http://www.adobe.com or at http://www.helpexamples.com
System.security.allowInsecureDomain("www.adobe.com", "www.helpexamples.com");
my_lc.allowInsecureDomain = function(sendingDomain) {    
    return(sendingDomain=="www.adobe.com" ||
        sendingDomain=="www.helpexamples.com");
}

You might also have to add statements such as these to your files if you aren't currently using them. A modification might be necessary even if both files are in the same domain (for example, a file in http://www.adobe.com is calling a file in https://www.adobe.com).

To summarize, you might have to modify your files to add or change statements if you publish files for Flash Player 7 or later that meet the following conditions:

You implemented cross-SWF file-scripting (using loadMovie(), MovieClip.loadMovie(), MovieClipLoader.LoadClip(), or Local Connection objects).

The calling file is not hosted using an HTTPS protocol, and the called file is HTTPS.

You must make the following changes:

If the called file is published for Flash Player 7, include System.security.allowInsecureDomain or LocalConnection.allowInsecureDomain in the called file, using exact domain-name matching, as shown in the code examples earlier in this section.

If the called file is published for Flash Player 6 or earlier, and both the calling and called files are in same domain (for example, a file in http://www.adobe.com is calling a file in https://www.adobe.com), no modification is needed.

If the called file is published for Flash Player 6, the files are not in same domain, and you don't want to port the called file to Flash Player 7, modify the called file to add or change a System.security.allowDomain or LocalConnection.allowDomain statement, using exact domain-name matching, as shown in the code examples earlier in this section.

If the called file is published for Flash Player 6 and you want to port the called file to Flash Player 7, include System.security.allowInsecureDomain or LocalConnection.allowInsecureDomain in the called file, using exact domain-name matching, as shown in the code examples earlier in this section.

If the called file is published for Flash Player 5 or earlier, and both files are not in the same domain, you can do one of two things. You can either port the called file to Flash Player 6 and add or change a System.security.allowDomain statement, using exact domain-name matching, as shown in the code examples earlier in this section, or you can port the called file to Flash Player 7, and include a System.security.allowInsecureDomain statement in the called file, using exact domain-name matching, as shown in the code examples earlier in this section.

Flash CS3