Programming ActionScript 3.0

Controlling access to scripts in a host web page

Outbound scripting is achieved through use of the following ActionScript 3.0 APIs:
- flash.system.fscommand() function
- flash.net.navigateToURL() function (when specifying a scripting statement, such as navigateToURL("javascript: alert('Hello from Flash Player.')"))
- flash.net.navigateToURL() function (when the window parameter is set to "_top", "_self", or "_parent")
- ExternalInterface.call() method

For SWF files running locally, calls to these methods are successful only if the SWF file and the containing web page (if there is one) are in the local-trusted security sandbox. Calls to these methods fail if the content is in the local-with-networking or local-with-filesystem sandbox.
The AllowScriptAccess parameter in the HTML code that loads a SWF file controls the ability to perform outbound scripting from within a SWF file.
Set this parameter in the HTML code for the web page that hosts a SWF file. You set the parameter in the PARAM or EMBED tag.
The AllowScriptAccess parameter can have one of three possible values: "always", "sameDomain", or "never":
- When AllowScriptAccess is "sameDomain", outbound scripting is allowed only if the SWF file and the web page are in the same domain. This is the default for AVM2 content.
- When AllowScriptAccess is "never", outbound scripting always fails.
- When AllowScriptAccess is "always", outbound scripting always succeeds.

If the AllowScriptAccess parameter is not specified for a SWF file in an HTML page, it defaults to "sameDomain" for AVM2 content.
Here is an example of setting the AllowScriptAccess parameter in an HTML page:
<object id='MyMovie.swf'
        classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'
        codebase='http://download.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0'
        height='100%' width='100%'>
    <!-- Read from the PARAM tags when the OBJECT tag is used -->
    <param name='AllowScriptAccess' value='never'/>
    <param name='src' value='MyMovie.swf'/>
    <!-- Read from the EMBED attribute when the EMBED tag is used; keep both values identical -->
    <embed name='MyMovie.swf'
           pluginspage='http://www.adobe.com/go/getflashplayer'
           src='MyMovie.swf'
           height='100%' width='100%'
           AllowScriptAccess='never'/>
</object>
The AllowScriptAccess parameter can prevent a SWF file hosted from one domain from accessing a script in an HTML page that comes from another domain. Using AllowScriptAccess="never" for all SWF files hosted from another domain can ensure the security of scripts located in an HTML page.
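
An added example, not part of the original documentation: a Python audit that applies the three AllowScriptAccess rules above to each OBJECT and EMBED tag of a page and lists cross-domain SWF files that are not set to "never". The function names, host names and sample HTML are constructed; host-name equality stands in for Flash Player's same-domain check, and an unrecognized value is assumed to behave like the default.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT = "samedomain"  # default for AVM2 content when the parameter is unset
VALID = {"always", "samedomain", "never"}

class SwfAudit(HTMLParser):
    """Record the effective AllowScriptAccess of every OBJECT and EMBED tag."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._params = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}  # attribute names arrive lowercased
        if tag == "object":
            self._params = {}
        elif tag == "param" and self._params is not None:
            self._params[a.get("name", "").lower()] = a.get("value", "")
        elif tag == "embed":
            self._record("embed", a.get("src", ""), a.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self._params is not None:
            p, self._params = self._params, None
            self._record("object", p.get("src") or p.get("movie", ""),
                         p.get("allowscriptaccess"))

    def _record(self, tag, src, value):
        mode = (value or DEFAULT).lower()
        if mode not in VALID:  # assumption: an unknown value acts like the default
            mode = DEFAULT
        # Simplification: "same domain" is an exact host-name match.
        page_host = urlsplit(self.page_url).hostname
        same = urlsplit(urljoin(self.page_url, src)).hostname == page_host
        allowed = mode == "always" or (mode == "samedomain" and same)
        self.findings.append({"tag": tag, "src": src, "mode": mode,
                              "same_domain": same, "outbound_scripting": allowed})

def audit(html, page_url):
    parser = SwfAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def not_locked_down(findings):
    """Cross-domain SWF tags that do not use the recommended value "never"."""
    return [f for f in findings if not f["same_domain"] and f["mode"] != "never"]

# Constructed sample page; only MyMovie.swf comes from the documentation.
PAGE_URL = "http://www.example.com/index.html"
SAMPLE = """<object><param name='AllowScriptAccess' value='never'/>
<param name='src' value='MyMovie.swf'/>
<embed src='MyMovie.swf' AllowScriptAccess='never'/></object>
<embed src='http://cdn.example.net/widget.swf' AllowScriptAccess='always'/>
<embed src='http://cdn.example.net/banner.swf'/>"""
```

The OBJECT parameters and the nested EMBED attribute are reported separately, so a page where the two values disagree shows up as two findings with different modes.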
For more information, see the following entries in the ActionScript 3.0 Language and Components Reference:
- flash.system.fscommand() function
- flash.net.navigateToURL() function
- call() method of the ExternalInterface class