Recipe 3.12.
Dealing with System Security
Problem
You want to load a .swf from another domain into your application and allow it to have access to the ActionScript in the application.
Solution
Use one of the following: flash.system.Security.allowDomain( ), flash.system.Security.allowInsecureDomain( ), or a policy file.
Discussion
In many cases, all of the .swfs in a multi-.swf application would live on the same server (thus the same domain). There may be cases, however, when your application needs to load in an external .swf from another domain. In such a case, neither the .swf nor the loading application would be able to access the other's code. You can allow such access by using flash.system.Security.allowDomain( ), flash.system.Security.allowInsecureDomain( ), or a policy file.
The .swf that is going to be accessed must explicitly allow access by .swfs in the other domain. It does not matter which .swf is loading or being loaded. To clarify, call the .swf being accessed accessed.swf, and the .swf doing the access accessing.swf. Say accessing.swf lives on mydomain.com and loads in accessed.swf from otherdomain.com, into an object named content (see Figure 3-1).
Now, accessing.swf tries to access a
variable called authorName from the loaded
accessed.swf. At this point, accessed.swf complains
and won't allow access by a .swf from another domain.
To overcome this, accessed.swf needs the
following line:
flash.system.Security.allowDomain("http://mydomain.com");
This lets it know that it is alright to allow
access by any .swf from that domain.
You should note that the permission is one-way.
If the loaded .swf now needs access to some code in the
.swf that loaded it, it would not be able to get at that
code. In this case, the loading .swf would explicitly need
to allow access to otherdomain.com.
The domain can be text-based as in the previous
examples, or can be a numeric IP address. It also supports
wildcards. If, for some reason, you want to grant access to any
.swf, anywhere, to access it, you can pass in the string
"*". However, this effectively cuts out all cross-domain
security that has been built into the player, and is not
recommended.
If the accessed .swf file happens to be
on a secure server accessed with https://, then by default
it won't allow access to any .swf being loaded from a
non-secure domain (http://), even if you have allowed access with
flash.system.Security.allowDomain( ). In this case, use
flash.system.Security.allowInsecureDomain( ) to allow access
to a non-secure domain.
The method mentioned here requires you to
hardcode the domain name or names into your .swf. This works
fine if you know exactly which domains you will be allowing access
from and that these are unlikely to change. However, if you later
want to add or change the allowed domains, you have to change the
code and recompile and redeploy the .swf. In a situation
where this is likely to happen often, it is more efficient to
create and use a policy file.
A policy file
is an XML file that lists any
domains that are allowed access to the code in the .swf. The
format of the file can be seen here:
<?xml version="1.0"?>
<!-- http://www.mydomain.com/crossdomain.xml -->
<cross-domain-policy>
  <allow-access-from domain="www.otherdomain.com" />
  <allow-access-from domain="*.adobe.com" />
  <allow-access-from domain="123.45.67.89" />
</cross-domain-policy>
As you can see, it just lists each domain to
which you want to allow access. The file should be named
crossdomain.xml. Prior to Flash 8, the file was required to
live in the root directory of the domain of the .swf to
which it applied. Now you can specify and load a policy file from
any other location using flash.system.Security.loadPolicyFile(
). This takes a string defining the URL of the
crossdomain.xml file you wish to load. This file should be
loaded as an early action in your application, before you attempt
to load any content from another domain. With this method, you can
add, remove, or change allowed domains by simply rewriting the XML
file.
As you can see, this method also supports
wildcards. For example, if you wanted to allow access to any and
all domains, you could use the following line:
<allow-access-from domain="*" />
And if you wanted to explicitly deny access to
any domain except the current one, you can create an empty policy file:
<cross-domain-policy>
</cross-domain-policy>
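To make the rules in this recipe concrete for the two mechanisms it covers (the one-way allowDomain( ) / allowInsecureDomain( ) permission and the crossdomain.xml policy file), here is an added example that is not from the book: a small Python model of the player's decision as the recipe states it, plus an auditor that parses a policy file and flags entries that open access wider than a single host. The function names and the constructed sample policy are my own; the model assumes only the behaviour the recipe describes (same domain always allowed, permission granted by the accessed .swf only, a secure .swf ignoring allowDomain( ) for non-secure callers, wildcard and numeric-IP patterns).

```python
"""Added example (not from the book): a model of the cross-domain rules this
recipe describes, plus an auditor for crossdomain.xml. The function names are
mine; the logic follows only what the recipe states."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlparse


def _host_of(pattern: str) -> str:
    """The recipe calls allowDomain() with a URL ("http://mydomain.com");
    reduce a URL or a bare domain/IP pattern to its host part."""
    if "://" in pattern:
        return urlparse(pattern).hostname or ""
    return pattern.lower()


def domain_matches(pattern: str, host: str) -> bool:
    """Exact host, numeric IP, or wildcard pattern (*.adobe.com, *) against a host."""
    return fnmatchcase(host.lower(), _host_of(pattern))


def cross_scripting_allowed(accessing_url, accessed_url, allowed=(), insecure_allowed=()):
    """Would accessing.swf be allowed to read accessed.swf's ActionScript?

    allowed          -- patterns accessed.swf passed to Security.allowDomain()
    insecure_allowed -- patterns it passed to Security.allowInsecureDomain()
    The permission is one-way: only the accessed .swf's lists matter here.
    """
    accessing, accessed = urlparse(accessing_url), urlparse(accessed_url)
    if accessing.hostname == accessed.hostname:
        return True  # same domain: no explicit permission needed
    host = accessing.hostname or ""
    if accessed.scheme == "https" and accessing.scheme != "https":
        # a secure .swf ignores allowDomain() for non-secure callers (per the recipe)
        return any(domain_matches(p, host) for p in insecure_allowed)
    return any(domain_matches(p, host) for p in list(allowed) + list(insecure_allowed))


def audit_policy(xml_text: str) -> dict:
    """Parse a crossdomain.xml and flag entries that widen access beyond one host."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    domains = [e.get("domain", "") for e in root.findall("allow-access-from")]
    findings = []
    for d in domains:
        if d == "*":
            findings.append(f"{d}: grants every domain access (cross-domain security disabled)")
        elif "*" in d:
            findings.append(f"{d}: wildcard grants every matching subdomain")
    # an empty policy denies every other domain, as the recipe notes
    return {"domains": domains, "findings": findings, "denies_all": not domains}


# Constructed sample policy mirroring the recipe's format (not a real file).
BOOK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.otherdomain.com" />
  <allow-access-from domain="*.adobe.com" />
  <allow-access-from domain="123.45.67.89" />
</cross-domain-policy>"""

if __name__ == "__main__":
    ok = cross_scripting_allowed("http://mydomain.com/accessing.swf",
                                 "http://otherdomain.com/accessed.swf",
                                 allowed=["http://mydomain.com"])
    print("accessing.swf may read accessed.swf:", ok)
    for line in audit_policy(BOOK_POLICY)["findings"]:
        print("finding:", line)
```

Running the script reports that accessing.swf on mydomain.com may read accessed.swf once accessed.swf has called allowDomain("http://mydomain.com"), and the auditor flags the *.adobe.com entry of the sample policy as a subdomain-wide grant; an empty policy comes back as denying all other domains, and a bare "*" entry is flagged as disabling cross-domain security altogether.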