Recipe 18.4. Accepting Local Communications from Other Domains
Problem
You want a movie to accept local connection communications from movies
served from other domains.
Solution
Use the allowDomain( ) method of the
receiving local connection object.
Discussion
By default, receiving movies accept
communications from sending movies on the same domain only.
However, you can use the allowDomain( ) method of a local
connection object to allow or disallow communications from any
domain. You need to call the allowDomain( ) method for each
receiving local connection object for which you wish to define a
custom list of domains to accept or deny.
The behavior of allowDomain( ) has
changed from previous versions of ActionScript. Before, the method
acted as a callback: it was invoked automatically when a local
connection object received a communication, and its return
value determined whether the communication was accepted or
denied.
In ActionScript 3.0, the allowDomain( )
method needs to be explicitly called on a LocalConnection
instance. The method takes one or more strings, specifying the
domains that are allowed to send messages to the local connection
instance that allowDomain( ) is called from. In this
example, we specifically allow movies from darronschall.com
to send messages to the current movie.
var receiver:LocalConnection = new LocalConnection( );
receiver.connect( "_exampleChannel" );
// Allow movies from darronschall.com to send data over
// "_exampleChannel" to execute code within this movie.
receiver.allowDomain( "darronschall.com" );
To allow more than one domain to send data to a movie,
pass additional parameters to the allowDomain( ) method,
with one string for each domain to allow:
receiver.allowDomain( "macromedia.com", "adobe.com", "google.com" );
There are two special domain strings that can be
used in allowDomain( ). To allow any domain, use *
as the domain string. It is generally not a good practice to allow
communications from all domains, because doing so allows any other
movie to invoke an arbitrary method on your movie. It is better to
specify trusted domains from which to accept connections. To allow
any locally instantiated movie to send data, use localhost
as the domain string.
Local connection objects also provide a
convenient means of determining the domain of the receiving movie.
The domain property can be accessed from any local
connection instance to reveal the domain from which the movie is
being served. It is a read-only property, meaning you can only
inspect it. Trying to set domain results in a compiler
error. You can pass the domain to the allowDomain( )
method to allow communications from the same domain; for
example:
receiver.allowDomain( receiver.domain );
The preceding example accomplishes exactly the
same thing as though you had not called the allowDomain( )
method at all; it allows communications from the same domain only.
Normally, therefore, you use the allowDomain( ) method and
domain property to allow communications from the same domain
as well as communications from other domains:
receiver.allowDomain( "darronschall.com", receiver.domain );
The preceding code allows local connection
messages to be sent from darronschall.com, and also from the
same domain that the movie is served from.
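The following receiver class is an added example, not code from the original recipe. It combines an explicit list of trusted domains with a dedicated client object, so that senders can reach one function only. The class name, the showMessage method, and the length limit are assumptions made for illustration.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.AsyncErrorEvent;
    import flash.net.LocalConnection;

    public class RestrictedReceiver extends Sprite {
        // Assumed allow list for this example.
        private static const TRUSTED_DOMAINS:Array = [ "darronschall.com" ];
        private static const MAX_LENGTH:int = 256; // assumed limit

        private var receiver:LocalConnection = new LocalConnection( );

        public function RestrictedReceiver( ) {
            // Incoming calls are invoked on the client object, so give it
            // one function and nothing else.
            receiver.client = { showMessage: showMessage };

            // Accept the named domains plus the movie's own domain; no wildcard.
            receiver.allowDomain.apply( receiver,
                TRUSTED_DOMAINS.concat( receiver.domain ) );

            // Exceptions thrown asynchronously while a call is handled
            // are reported through this event.
            receiver.addEventListener( AsyncErrorEvent.ASYNC_ERROR, onAsyncError );

            try {
                receiver.connect( "_exampleChannel" );
            } catch ( error:ArgumentError ) {
                // connect( ) throws ArgumentError when the connection cannot
                // be opened, for example when the name is already connected.
                trace( "Could not open _exampleChannel: " + error.message );
            }
        }

        // The only function a sender can invoke. Treat the argument as untrusted.
        private function showMessage( message:* ):void {
            if ( !( message is String ) || String( message ).length > MAX_LENGTH ) {
                trace( "Rejected malformed message" );
                return;
            }
            trace( "Received: " + message );
        }

        private function onAsyncError( event:AsyncErrorEvent ):void {
            trace( "Local connection error: " + event.text );
        }
    }
}
```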
Similar to the allowDomain( ) method is
the allowInsecureDomain( ) method. For the most part, the
methods are the same. The difference lies in the use of HTTPS. When
a movie is served over HTTPS, the local connection instances inside
won't accept data and communication from movies that are delivered
via HTTP. Unless the Flash Player is instructed otherwise via
allowInsecureDomain( ), by default communication from an
HTTP movie to an HTTPS movie is denied, even if the movies are
served from the same domain.
It is generally not good practice to use
allowInsecureDomain( ) because it can compromise the security
benefits offered by HTTPS. You can't trust the integrity of local
connection communication received from movies delivered over HTTP,
as it may be possible for the movie to be altered during delivery.
Nevertheless, if you must use allowInsecureDomain( ), call
it just like you would allowDomain( ):
receiver.allowInsecureDomain( "adobe.com" );
See Also
Recipe 3.12