MACROMEDIA FLASH MX 2004 - ACTIONSCRIPT Reference Manual page 19

You have to make the following changes:
•
If the called SWF file is published for Flash Player 7, include
or
LocalConnection.allowDomain
name matching.
•
If the called SWF file is published for Flash Player 6, modify the called file to add or change a
System.security.allowDomain
domain-name matching, as shown in the code examples earlier in this section. You can publish
the modified file for either Flash Player 6 or 7.
•
If the called SWF file is published for Flash Player 5 or earlier, port the called file to
Flash Player 6 or 7 and add a
domain-name matching, as shown in the code examples earlier in this section.
(LocalConnection objects aren't supported in Flash Player 5 or earlier.)
HTTP to HTTPS protocol access between SWF files
As discussed in the previous section, rules for cross-domain and subdomain access have changed
in Flash Player 7. In addition to the exact-domain matching rules now being implemented, you
must explicitly permit files hosted at sites using a secure protocol (HTTPS) to be accessed by files
hosted at sites using an insecure protocol. Depending on whether the called file is published for
Flash Player 7 or Flash Player 6, you must implement either one of the
(see "Cross-domain and subdomain access between SWF files" on page
LocalConnection.allowInsecure Domain
statements.
Warning: Implementing an allowInsecureDomain() statement compromises the security offered
by the HTTPS protocol. You should make these changes only if you can't reorganize your site so that
all SWF files are served from the HTTPS protocol.
The following code shows an example of the kinds of changes you might have to make:
// Commands in a Flash Player 6 SWF file at https://www.someSite.com
// to allow access by Flash Player 7 SWF files that are hosted
// at http://www.someSite.com or at http://www.someOtherSite.com
System.security.allowDomain("someOtherSite.com");
my_lc.allowDomain = function(sendingDomain) {
return(sendingDomain=="someOtherSite.com");
}
// Corresponding commands in a Flash Player 7 SWF file
// to allow access by Flash Player 7 SWF files that are hosted
// at http://www.someSite.com or at http://www.someOtherSite.com
System.security.allowInsecureDomain("www.someSite.com",
"www.someOtherSite.com");
my_lc.allowInsecureDomain = function(sendingDomain) {
return(sendingDomain=="www.someSite.com" ||
sendingDomain=="www.someOtherSite.com");
}
You might also have to add statements like these to your files if you aren't currently using them.
A modification might be necessary even if both files are in same domain (for example, a file in
http://www.domain.com is calling a file in https://www.domain.com).
in the called SWF file, using exact domain-
or
LocalConnection.allowDomain
System.security.allowDomain
or
System.security.allowInsecureDomain()
Porting existing scripts to Flash Player 7
System.security.allowDomain
statement, using exact
statement, using exact
allowDomain
17), or use the new
statements
19