accessibility
Macromedia Logo Upper Navigation Bar
 Help
Lower Navigation Bar
ProductsSupportDesigner DeveloperDownloadsStoreInternationalSite MapCompany
Home > Products > Flash > Support > TechNote Index
Macromedia Flash Support Center - TechNotes

Macromedia Flash Security Sandbox

Product: Flash
Platform: All
Versions: 6.0
ID: 16629
How useful was this document?
less more

1

2

3

4

5

How can the document be improved? (300 characters or less - you will not receive a reply.)

In an effort to ehance security, the Macromedia Flash Player 6 has implemented a Security Sandbox. This sandbox provides a restricted area that 'surrounds' a web site and restricts access to private data. There are some important security items to be aware of:
> For security reasons, a Macromedia Flash movie is not permitted to access ActionScript objects and variables in another Macromedia Flash movie loaded from a different Internet domain. This restriction includes functions, movie clips, text fields, and variables. Attempts to access cross-domain data will be ignored by the Macromedia Flash Player.
> Example 1:
http://www.macromedia.com/Movie1.swf loads http://www.macromedia.com/Movie2.swf into _level2.

Because the two movies reside in the same domain (www.macromedia.com), they are permitted to access each other's data via ActionScript.
>

Example 2:
http://www.macromedia.com/Movie1.swf now loads http://www.shockwave.com/Movie3.swf into _level3.

Because the two movies reside in different domains, they are NOT permitted to access each other's data. When Movie1.swf tries to access _level3.someVariable, the request will be rejected and "undefined" will be returned.

>

When using subdomains with Macromedia Flash's XML.load, XML.sendAndLoad , loadVariables and XMLSocket, domain names must match.

Under the Securirty Sandbox, two domains are considered compatible if they are subdomains of the same top-level domain (i.e., server1.mydomain.com is compatible with serverXYZ.mydomain.com).

>

Macromedia Flash Security Sandbox behavior is applied to Macromedia Flash 6 SWF files only. Macromedia Flash 4 and Macromedia Flash 5 SWF files will continue to function as before. For instance, a Macromedia Flash 5 SWF file is able to access variables in another Macromedia Flash 5 SWF file loaded from a different domain.

A Flash 6 SWF file, on the other hand, may not access variables in another Flash 6 SWF file loaded from a different domain.

Additionally, a Flash 4 or Flash 5 SWF file may not access variables in a Flash 6 SWF file loaded from a different domain

Additional Information
The security features documented in this TechNote were added to the Macromedia Flash Player at the request of developers. These enhanced security features were added to address potential issues with data transfer to and from Flash movies based upon consultation with industry experts.

For more information on Macromeida Flash Player's Security Sandbox, refer to the FlashMX Security Whitepaper.

To see the ActionScript Dictionary entry for System.security.allowDomain (the mechanism that permits cross-domain access between SWF files,) refer to the most recent Macromedia Flash MX Documentation. Download the latest updated documentation from Macromedia Flash MX Documentation Update (TechNote 16470).

For more information on Loading data across domains, refer to Loading data across domains (TechNote 16520).

For more information on Load Variables Security, refer to External data not accessible outside a Flash movie's domain (TechNote 14213).



Last updated: October 28, 2002
Keywords: security, sandbox, cross-domain, cross, domain, subdomain
Created: October 22, 2002
©1995-2002 Macromedia, Inc. All rights reserved.
Use of this website signifies your agreement to the Terms of Use.
Privacy | Site Map
| Contact us | Accessibility | Report Piracy