ADOBE FLEX 3
Developer Guide
553
Event security
Events related to the display list have security access limitations, based on the sandbox of the display object that is
dispatching the event. An event in the display list has bubbling and capture phases (described in “Handling events”
on page 227). During the bubbling and capture phases, an event migrates from the source display object through
parent display objects in the display list. If a parent object is in a different security sandbox than the source display
object, the capture and bubble phases stop below that parent object, unless there is mutual trust between the owner
of the parent object and the owner of the source object. This mutual trust can be achieved by the following:
1 The SWF file that owns the parent object must call the Security.allowDomain() method to trust the domain
of the SWF file that owns the source object.
2 The SWF file that owns the source object must call the Security.allowDomain() method to trust the domain
of the SWF file that owns the parent object.
The LoaderInfo object that corresponds to a loaded file (and to the Loader object) includes the following two
properties, which define the relationship between the loaded object and the Loader object: childAllowsParent and
parentAllowsChild.
For events that are dispatched from objects other than display objects, there are no security checks or security-related
implications.
Accessing loaded media as data
You access loaded data using methods such as BitmapData.draw() and SoundMixer.computeSpectrum(). By
default, a SWF file from one security sandbox cannot obtain pixel data or audio data from graphic or audio objects
rendered or played by loaded media in another sandbox. However, you can use the following methods to grant this
permission:
In a loaded SWF file, call the Security.allowDomain() method to grant data access to SWF files in other
domains.
For a loaded image, sound, or video, add a cross-domain policy file on the server of the loaded file. This policy
file must grant access to the domain of the SWF file that is attempting to call the BitmapData.draw() or
SoundMixer.computeSpectrum() methods to extract data from the file.
The following sections provide details on accessing bitmap, sound, and video data.
Accessing bitmap data
The draw() method of a BitmapData object lets you draw the currently displayed pixels of any display object to the
BitmapData object. This could include the pixels of a MovieClip object, a Bitmap object, or any display object. The
following conditions must be met for the draw() method to draw pixels to the BitmapData object:
In the case of a source object other than a loaded bitmap, the source object and (in the case of a Sprite or
MovieClip object) all of its child objects must come from the same domain as the object calling the draw() method,
or they must be in a SWF file that is accessible to the caller by having called the Security.allowDomain() method.
In the case of a loaded bitmap source object, the source object must come from the same domain as the object
calling the draw() method, or its source server must include a cross-domain policy file that grants permission to the
calling domain.
If these conditions are not met, a SecurityError exception is thrown.
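The loaded-bitmap case described above, as an added example that is not part of the original guide: the class loads an image from another domain, asks Flash Player to check that server's cross-domain policy file, and handles the SecurityError that draw() throws when no permission was granted. The class name SnapshotExample and the URL are assumptions made for illustration.

```actionscript
package {
    import flash.display.BitmapData;
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.net.URLRequest;
    import flash.system.LoaderContext;

    public class SnapshotExample extends Sprite {
        // Placeholder URL on a different domain than this SWF (assumption).
        private static const IMAGE_URL:String = "http://media.example.com/photo.jpg";

        private var loader:Loader = new Loader();

        public function SnapshotExample() {
            // checkPolicyFile = true makes Flash Player look for the server's
            // cross-domain policy file before it loads the image.
            var context:LoaderContext = new LoaderContext(true);
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onComplete);
            loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, onError);
            loader.load(new URLRequest(IMAGE_URL), context);
            addChild(loader);
        }

        private function onComplete(event:Event):void {
            // true only if the loaded content's domain has granted access to
            // this SWF (policy file for media, allowDomain() for SWF files).
            trace("childAllowsParent:", loader.contentLoaderInfo.childAllowsParent);
            var snapshot:BitmapData = new BitmapData(loader.width, loader.height);
            try {
                snapshot.draw(loader);
                trace("pixel data copied");
            } catch (e:SecurityError) {
                // No grant: the image is still displayed, but its pixels
                // cannot be read across the sandbox boundary.
                snapshot.dispose();
                trace("draw() blocked: " + e.message);
            }
        }

        private function onError(event:IOErrorEvent):void {
            trace("load failed: " + event.text);
        }
    }
}
```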
