MACROMEDIA FLASH 8-ACTIONSCRIPT 2.0 LANGUAGE Reference page 1064

Use HTTPS-to-HTTP scripting, rather than HTTP-to-HTTPS scripting. In the scenario
described, you could store the contents of the user's shopping cart in catalog.swf, and have
cart.swf manage only the checkout process. At checkout time, cart.swf could retrieve the
cart contents from ActionScript variables in catalog.swf. The restriction on HTTP-to-
HTTPS scripting is asymmetrical; although an HTTP-delivered catalog.swf file cannot
safely be allowed to script an HTTPS-delivered cart.swf file, an HTTPS cart.swf file may
script the HTTP catalog.swf file. This approach is more delicate than the all-HTTPS
approach; you must be careful not to trust any SWF file delivered over HTTP, because of
its vulnerability to tampering. For example, when cart.swf retrieves the ActionScript
variable that describes the cart contents, the ActionScript code in cart.swf cannot trust
that the value of this variable is in the format that you expect. You must carefully validate
that the cart contents do not contain invalid data that might lead cart.swf to take an
undesired action. You must also accept the risk that a middle party, by altering catalog.swf,
could supply valid but inaccurate data to cart.swf; for example, by placing items in the
user's cart. The usual checkout process mitigates this risk somewhat by displaying the cart
contents and total cost for final approval by the user, but the risk remains present.

Web browsers have enforced separation between HTTPS and non-HTTPS files for years, and
the scenario described illustrates one good reason for this restriction. Flash Player gives you
the ability to work around this security restriction when you absolutely must, but be sure to
consider the consequences carefully before doing so.
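
The validation that cart.swf must apply to the cart contents it reads from the HTTP-delivered catalog.swf could look like the following. This is an added example, not code from the reference; it assumes catalog.swf is loaded into a movie clip named catalog_mc and exposes an array cartContents of {sku, qty} objects, and the names KNOWN_SKUS, MAX_LINES, MAX_QTY and validateCart are hypothetical.

```actionscript
// Added example for a frame script in cart.swf (HTTPS). Hypothetical names:
// catalog_mc, cartContents, KNOWN_SKUS, MAX_LINES, MAX_QTY, validateCart.

// Price list shipped inside cart.swf (constructed sample data, prices in cents).
var KNOWN_SKUS:Object = {A100: 1999, B200: 4950};
var MAX_LINES:Number = 50;
var MAX_QTY:Number = 99;

// Returns a new array of {sku, qty, price} built only from checked values,
// or null if any part of the untrusted input is not in the expected format.
function validateCart(raw):Array {
    if (raw == null || typeof(raw) != "object") {
        return null;
    }
    var n = raw.length; // read once: a tampered object may answer differently each time
    if (typeof(n) != "number" || isNaN(n) || n != Math.floor(n) || n < 0 || n > MAX_LINES) {
        return null;
    }
    var clean:Array = [];
    var seen:Object = {};
    for (var i:Number = 0; i < n; i++) {
        var item = raw[i];
        if (item == null) {
            return null;
        }
        var sku = item.sku; // copy each field to a local before checking it
        var qty = item.qty;
        if (typeof(sku) != "string" || typeof(qty) != "number") {
            return null;
        }
        var price = KNOWN_SKUS[sku];
        // The typeof check also rejects inherited members such as "toString".
        if (typeof(price) != "number" || seen[sku] === true) {
            return null;
        }
        if (isNaN(qty) || qty != Math.floor(qty) || qty < 1 || qty > MAX_QTY) {
            return null;
        }
        seen[sku] = true;
        clean.push({sku: sku, qty: qty, price: price});
    }
    return clean;
}

var cart:Array = validateCart(catalog_mc.cartContents);
if (cart == null) {
    trace("Cart data from catalog.swf rejected; checkout stopped.");
} else {
    trace(cart.length + " validated line(s) ready for the user's final approval.");
}
```

Validation of this kind only rejects malformed data; a tampered catalog.swf can still supply well-formed entries the user never chose, which is why the final approval step remains necessary.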

For more information, see the following:
- Chapter 17, "Understanding Security," in Learning ActionScript 2.0 in Flash
- The Flash Player 8 Security white paper at http://www.macromedia.com/go/fp8_security
- The Flash Player 8 Security-Related API white paper at http://www.macromedia.com/go/fp8_security_apis

Availability: ActionScript 1.0; Flash Player 7
Parameters
domain:String - An exact domain name, such as www.myDomainName.com or
store.myDomainName.com. In Flash Player 8, you can pass a wildcard ("*") to
System.security.allowInsecureDomain() to allow all domains, including local hosts,
access to the calling SWF file. Do not use the wildcard unless you are certain that you want to
allow all domains, including local hosts, to access the HTTPS SWF file.
