Version: Flash Player 6.0.47.0 - Flash Player 6.0.79.0
Date Added: February 18, 2003
Updated: September 9, 2003

In Flash Player 6 and later, a movie at one domain cannot load XML or variables from another domain. This limitation is part of the Flash Player "security sandbox" that generally limits a movie's access to content hosted at another domain. The sandbox restrictions (and ways to work around them) are described in Macromedia's technote 16520. In this article, we'll focus on one specific workaround that loads an XML file from foreign domain in Flash Player 6. For information on doing the same thing (much more easily) in Flash Player 7, see Cross Domain Policy Files.

The Restriction
A movie at domain "A" cannot load an XML file from domain "B".

The Flash Player 6 Workaround
Use a Flash movie on domain "B" as a proxy that loads the XML file. (Macromedia calls this proxy movie a "shim SWF").

The proxy movie technique works in Flash Player 6.0.47.0 and later only, and is superceded by a newer technique in Flash Player 7. Earlier releases of Flash Player 6 had a bug that thwarted the workaround. You must have control over both domains in order to use the proxy movie technique. If you don't, you will have to resort to a server-side proxy, as discussed in Macromedia's technote 16520.

How to Load XML with a Proxy Movie
In this example, we'll work with three files: main.swf, posted at moock.org; xmlloader.swf, posted at graydient.com, and newsfeed.xml, posted at graydient.com (download files). The movie main.swf loads newsfeed.xml as follows:

1. main.swf loads xmlloader.swf into _level1:

   // Load the proxy movie.
   loadMovieNum("http://www.graydient.com/xmlloader.swf", 1);

2. xmlloader.swf invokes System.security.allowDomain() to allow movies posted at moock.org access to its data:

   // Let moock.org read our data.
   System.security.allowDomain("moock.org");

3. xmlloader.swf loads newsfeed.xml into an XML instance:

   // Create the XML instance.
   var doc = new XML();
   
   // Create a callback to display load results.
   doc.onLoad = function (success) {
     if (success) { 
       out.text = "Loaded: " + this; 
     } else {
       out.text = "Load failed.";
     }
   
   };
   
   // Load an XML file into the XML instance.
   doc.load("http://www.graydient.com/newsfeed.xml");

4. main.swf uses setInterval() to display the content of the XML instance once the XML file has loaded:

   // Invoke displayXML() every 200 milliseconds.
   var intID = setInterval(displayXML, 200);
   
   // Function to display XML.
   function displayXML () {
     if (_level1.doc == undefined) {
       msg.text = "Waiting for load to start..." + "\n";
       return;
     } 
   
     if (_level1.doc.loaded == false) {
       msg.text = "Loading: " 
                + _level1.doc.getBytesLoaded() 
                + "/" + _level1.doc.getBytesTotal() + "\n";
     } else {
       msg.text += "Done loading. From main.swf, doc is: \n   " 
                + _level1.doc;
       // Stop invoking displayXML().
       clearInterval(intID);
     }
   }

in action
here's what the proxy movie technique looks like:

Note that if you are running a debugging version of Flash Player 6, you will see the following text appear in the Flash Player Debug Console:

*** Security Sandbox Violation ***
SecurityDomain 'http://www.moock.org/asdg/technotes/crossDomainLoad/xmlProxyMovie/main.swf' tried to access incompatible context 'http://www.graydient.com/xmlloader.swf'

This is expected behaviour that affects the debugging version of Flash Player 6 only. The debugging Player is installed when you install the Flash MX authoring tool, and can be downloaded from Macromedia's Flash Support site, but is not distributed to the public at large. You can check if you have a debugging Player installed here.