Version: Flash Player 7
Flash Player 6 introduced a security sandbox that implemented the following restrictions:
Flash Player 7 tightens the security sandbox. In Flash Player 6, subdomains of the same parent domain could access each other's data. In Flash Player 7, data can only be accessed via the exact same domain from which the movie was loaded. For example, Flash Player 6 will allow a movie posted on games.moock.org to load an XML file from news.moock.org. But in Flash Player 7, that load attempt would fail.
Here's another, more serious example: in Flash Player 7 if you access a site with a shortened URL, such as "http://yoursite.com" (no "www"), movies on that site will not be able to load data from the site's full URL, "www.yoursite.com". This limitation affects Flash Player 6 format .swf files as well as Flash Player 7 format .swf files. If the .swf file is in Flash Player 6 (or earlier) format, then Flash Player 7 will display a warning dialog asking the visitor to allow the movie to access the external domain.
To automatically give a movie loaded from yoursite.com access to data on www.yoursite.com, you must use a cross-domain policy file. The following steps describe how the owner of yoursite.com would add a cross-domain policy file to her site, thus allowing data to flow from yoursite.com to www.yoursite.com, and vice versa.
The above technique can be used to give any external domain access to a site's data. For example, to give all movies posted at any subdomain of moock.org access to data on yoursite.com, we'd change the XML code in step 3 to:
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="www.yoursite.com" /> <allow-access-from domain="yoursite.com" /> <allow-access-from domain="*.moock.org" /> </cross-domain-policy>
Once the above policy file is posted on yoursite.com's web root, all movies on moock.org (including www.moock.org, games.moock.org, etc) have access to yoursite.com's data. (Note the use of the wildcard "*" character in the policy file.)
A public web service provider such as amazon.com or google.com could allow any Flash movie to access its data using the following cross-domain policy file (again, note the wildcard):
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy>
If you run an XMLSocket server such as Unity, you must also use a cross-domain policy file so that movies on your site can connect to the server whether they are loaded via www.yoursite.com or yoursite.com. The cross-domain policy file must be served via HTTP from the same domain as the XMLSocket server. For example, if you are running a socket server on moock.org, then you must run a web server on moock.org with the following cross-domain policy file on the web server's document root:
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="www.moock.org" /> <allow-access-from domain="moock.org" /> </cross-domain-policy>
Without that policy file, attempts to connect to the socket server at moock.org from a movie loaded from www.moock.org will fail.Note that cross-domain policy files do not affect the ability to script a loaded movie. That aspect of Flash Player security is still controlled by
For more information on cross-domain policy files, see the following Macromedia technotes:
See also the Macromedia Flash 2004 help, under "ActionScript Reference Guide > Working with External Data > Flash Player security features > About allowing cross-domain loading".