Adobe FLEX 2-PROGRAMMING ACTIONSCRIPT 3.0 Manual page 460

Programming actionscript 3.0

Author (developer) controls
The main ActionScript API used to grant security privileges is the Security.allowDomain() method, which grants privileges to SWF files in the domains that you specify. In the following example, a SWF file grants access to SWF files served from the www.example.com domain:
Security.allowDomain("www.example.com")
This method grants permissions for the following:
Cross-scripting between SWF files (see "Cross-scripting" on page 470)
Display list access (see "Traversing the display list" on page 473)
Event detection (see "Event security" on page 473)
Full access to properties and methods of the Stage object (see "Stage security" on page 472)
The primary purpose of calling the Security.allowDomain() method is to grant permission for SWF files in an outside domain to script the SWF file calling the Security.allowDomain() method. For more information, see "Cross-scripting" on page 470.
Specifying an IP address as a parameter to the Security.allowDomain() method does not permit access by all parties that originate at the specified IP address. Instead, it permits access only by a party that contains the specified IP address as its URL, rather than a domain name that maps to that IP address. For example, if the domain name www.example.com maps to the IP address 192.0.34.166, a call to Security.allowDomain("192.0.34.166") does not grant access to www.example.com.
You can pass the "*" wildcard to the Security.allowDomain() method to allow access from all domains. Because it grants permission for SWF files from all domains to script the calling SWF file, use the "*" wildcard with care.
ActionScript includes a second permission API, called Security.allowInsecureDomain(). This method does the same thing as the Security.allowDomain() method, except that, when called from a SWF file served by a secure HTTPS connection, it additionally permits access to the calling SWF file by other SWF files that are served from an insecure protocol, such as HTTP. However, it is not a good security practice to allow scripting between files from a secure protocol (HTTPS) and those from insecure protocols (such as HTTP); doing so can open secure content to snooping and spoofing attacks. Here is how such attacks can work: since the Security.allowInsecureDomain() method allows access to your secure HTTPS data by SWF files served over HTTP connections, an attacker interposed between your HTTP server and your users could replace your HTTP SWF file with one of their own, which can then access your HTTPS data.
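The cautions in this section (the "*" wildcard, IP-address arguments, and Security.allowInsecureDomain()) can be checked for when reviewing ActionScript source. The following Python audit is an added example, not code from the Adobe manual; the sample source, the finding labels, the audit() function and the partnerHost variable are constructed for illustration, and it uses a regular expression rather than a real ActionScript parser.

```python
import re

# Calls to the two permission APIs named in this section.
CALL_RE = re.compile(r"Security\.(allowDomain|allowInsecureDomain)\s*\(([^)]*)\)")
ARG_RE = re.compile("[\"']([^\"']*)[\"']")      # quoted string arguments
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

WHY = {  # explanations paraphrase the manual text above
    "wildcard": "SWF files from all domains may script this SWF",
    "ip-literal": "matches only URLs that use the IP, not names mapping to it",
    "insecure-protocol": "HTTP-served SWF files may reach HTTPS content",
    "non-literal": "argument is not a string literal; review by hand",
}

# Constructed ActionScript input; partnerHost is a hypothetical variable.
SAMPLE_AS = '''\
Security.allowDomain("www.example.com");
Security.allowDomain("192.0.34.166");
Security.allowDomain("*");
// Security.allowDomain("*");
Security.allowInsecureDomain("www.example.com", "*");
Security.allowDomain(partnerHost);
'''

def audit(source):
    """Return (line, method, argument, finding) tuples for grants to review."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):      # skip commented-out calls
            continue
        for method, raw_args in CALL_RE.findall(line):
            args = ARG_RE.findall(raw_args)
            if not args and raw_args.strip():
                findings.append((lineno, method, raw_args.strip(), "non-literal"))
            for arg in args:
                if method == "allowInsecureDomain":
                    findings.append((lineno, method, arg, "insecure-protocol"))
                if arg == "*":
                    findings.append((lineno, method, arg, "wildcard"))
                elif IPV4_RE.match(arg):
                    findings.append((lineno, method, arg, "ip-literal"))
    return findings

if __name__ == "__main__":
    for lineno, method, arg, kind in audit(SAMPLE_AS):
        print(f"line {lineno}: Security.{method}({arg!r}): {WHY[kind]}")
```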
