Flash Security.AllowDomain()

Gerrit · Apr 16, 2010 · Viewed 27.1k times

I've got a Flash movie, loading data from an external URL. In fact, it's an RSS reader inside a banner.

Everything works perfectly when the Flash movie and data URL are on the same domain. However, if the Flash movie is on another domain, Flash security kicks in.

The manual says that I can allow a domain through Security.AllowDomain()

system.Security.allowDomain("http://www.mydomain.abc/");
xmlData = new XML();
xmlData.ignoreWhite = true;
xmlData.onLoad = loadXML;
xmlData.load("http://www.mydomain.abc/content.php");

But when I embed the .swf in an HTML page, the data won't load. Any tips on how to debug or solve this?

Answer

Matthew Flaschen · Apr 16, 2010

I think you're misunderstanding the purpose of the method. As the docs say, allowDomain:

Lets SWF files in the identified domains access objects and variables in the SWF file that contains the allowDomain() call.

[...]

By calling Security.allowDomain("siteA.com"), siteB.swf gives siteA.swf permission to script it.

So the call you're making lets swf files on www.mydomain.abc script the swf with the call. You're basically saying, "I trust them to use me properly." It does not allow you to do what you're trying to do (load resources from that domain).

It doesn't make sense to let client code simply ask to bypass cross-domain security the way you're requesting. If all you have to do is ask, why even have the rule in the first place?

To do what you want, you could use either a crossdomain.xml file on www.mydomain.abc, or a server-side proxy. Essentially, the crossdomain.xml file would contain a line like:

<allow-access-from domain="www.yourswfdomain.com" />

, where www.yourswfdomain.com is the domain for the swf file. Obviously, this solution requires support from www.mydomain.abc.

Yahoo has information on setting up a server-side proxy. It's targeted towards XMLHttpRequest, but the same principles apply to Flash.
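
The crossdomain.xml approach described in the answer, as an added example that is not part of the original answer: a Python check that parses a policy file and reports whether a SWF served from a given host is granted access, and lists any bare wildcard entry that opens the data to every domain. The sample policy and the `*.partner.example` entry are constructed, and the wildcard matching is a simplified assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, as it would be served from
# http://www.mydomain.abc/crossdomain.xml (hosts are placeholders).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.yourswfdomain.com" />
  <allow-access-from domain="*.partner.example" />
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in <allow-access-from> elements."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [el.get("domain", "").strip().lower()
            for el in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Match one domain pattern against the host that serves the SWF.

    Assumption of this sketch: '*' matches any host, '*.example.com'
    matches subdomains of example.com only, anything else must be an
    exact match (a subdomain counts as a different domain).
    """
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def swf_may_load(policy_xml, swf_host):
    """True if a SWF served from swf_host is granted access by the policy."""
    return any(pattern_matches(p, swf_host)
               for p in allowed_domains(policy_xml))


def overly_broad(policy_xml):
    """Entries that grant access to every domain; review before deploying."""
    return [p for p in allowed_domains(policy_xml) if p == "*"]
```

The permission is granted by the server that owns the data, which is why the check takes the SWF's host as input and the policy from the data host.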