Chapter 27: Flash Player security
Security is a key concern of Adobe, users, website owners, and content developers. For this reason, Adobe® Flash™
Player 9 includes a set of security rules and controls to safeguard the user, website owner, and content developer. This
chapter discusses how to work with the Flash Player security model when you are developing applications. In this
chapter, all SWF files discussed are assumed to be published with ActionScript™ 3.0 (and thus running in Flash Player
9 or later), unless otherwise noted. For information about Adobe AIR security issues, see AIR Security in Developing
Adobe AIR Applications with Flash CS3 Professional or Developing AIR Applications with Adobe Flex 3.
This chapter is intended as an overview of security; it does not try to comprehensively explain all implementation
details, usage scenarios, or ramifications for using certain APIs. For a more detailed discussion of Flash Player
Security concepts, see the Flash Player 9 Security white paper, at www.adobe.com/go/fp9_0_security.
Contents
Flash Player security overview
Overview of permission controls
Security sandboxes
Restricting networking APIs
Full-screen mode security
Loading content
Cross-scripting
Accessing loaded media as data
Loading data
Loading embedded content from SWF files imported into a security domain
Working with legacy content
Setting LocalConnection permissions
Controlling access to scripts in a host web page
Shared objects
Camera, microphone, clipboard, mouse, and keyboard access
Flash Player security overview
Much of Flash Player security is based on the domain of origin for loaded SWF files, media, and other assets. A SWF
file from a specific Internet domain, such as www.example.com, can always access all data from that domain. These
assets are put in the same security grouping, known as a security sandbox. (For more information, see “Security
sandboxes” on page 543.)
For example, a SWF file can load SWF files, bitmaps, audio, text files, and any other asset from its own domain. Also,
cross-scripting between two SWF files from the same domain is always permitted, as long as both files are written
using ActionScript 3.0. Cross-scripting is the ability of one SWF file to use ActionScript to access the properties,
methods, and objects in another SWF file. Cross-scripting is not supported between SWF files written using
ActionScript 3.0 and those using previous versions of ActionScript; however, these files can communicate by using the
LocalConnection class. For more information, see “Cross-scripting” on page 550.
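The following is an added example, not code from the book: a parent SWF that verifies both conditions described above (same security sandbox, ActionScript 3.0 on both sides) before cross-scripting a loaded child. The class name SandboxCheck, the file child.swf, and the method getStatus() are hypothetical.

```actionscript
package {
    import flash.display.ActionScriptVersion;
    import flash.display.Loader;
    import flash.display.LoaderInfo;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.net.URLRequest;

    // Hypothetical parent SWF, assumed to be served from www.example.com.
    public class SandboxCheck extends Sprite {
        private var loader:Loader = new Loader();

        public function SandboxCheck() {
            loader.contentLoaderInfo.addEventListener(Event.INIT, onInit);
            loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, onIoError);
            // Relative URL: child.swf (hypothetical) is fetched from the parent's own domain.
            loader.load(new URLRequest("child.swf"));
            addChild(loader);
        }

        private function onInit(event:Event):void {
            var info:LoaderInfo = LoaderInfo(event.target);
            // Content published with an earlier ActionScript version cannot be cross-scripted.
            if (info.actionScriptVersion != ActionScriptVersion.ACTIONSCRIPT3) {
                trace("Not ActionScript 3.0; use LocalConnection to communicate.");
                return;
            }
            // sameDomain is true when loader and content share a security sandbox.
            if (!info.sameDomain) {
                trace("Different sandbox, not cross-scripting: " + info.url);
                return;
            }
            try {
                var child:Object = info.content;
                // getStatus() is a hypothetical public method of the child's main class.
                if (child.hasOwnProperty("getStatus")) {
                    trace("Child status: " + child.getStatus());
                }
            } catch (e:SecurityError) {
                // Fail closed if Flash Player refuses the access.
                trace("Cross-scripting blocked: " + e.message);
            }
        }

        private function onIoError(event:IOErrorEvent):void {
            trace("Load failed: " + event.text);
        }
    }
}
```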
