Controlling access to scripts in a host web page
Outbound scripting and URL access (HTTP URLs, mailto: links and so on) are performed through the following ActionScript 3.0 APIs:
- The flash.system.fscommand() function
- The ExternalInterface.call() method
- The flash.net.navigateToURL() function
For SWF files running locally, calls to these APIs are successful only if the SWF file and the containing web page (if there is one) are in the local-trusted security sandbox. Calls to these methods fail if the content is in the local-with-networking or local-with-filesystem sandbox.
The AllowScriptAccess parameter in the HTML code that loads a SWF file controls the ability to perform outbound URL access from within the SWF file. Set this parameter inside the PARAM or EMBED tag. If no value is set for AllowScriptAccess, the SWF file and the HTML page can communicate only if both are from the same domain.
The AllowScriptAccess parameter can have one of three possible values: "always", "sameDomain", or "never":
- When AllowScriptAccess is "always", the SWF file can communicate with the HTML page in which it is embedded even when the SWF file is from a different domain than the HTML page.
- When AllowScriptAccess is "sameDomain", the SWF file can communicate with the HTML page in which it is embedded only when the SWF file is from the same domain as the HTML page. This is the default value for AllowScriptAccess. Use this setting, or do not set a value for AllowScriptAccess, to prevent a SWF file hosted from one domain from accessing a script in an HTML page that comes from another domain.
- When AllowScriptAccess is "never", the SWF file cannot communicate with any HTML page. Using this value is deprecated and not recommended, and shouldn’t be necessary if you don’t serve untrusted SWF files from your own domain. If you do need to serve untrusted SWF files, Adobe recommends that you create a distinct subdomain and place all untrusted content there.
Using the navigateToURL() function
In addition to the security setting specified by the allowScriptAccess parameter discussed above, the navigateToURL() function has an optional second parameter, target, that specifies the name of the HTML window or frame to which the URL request is sent. Additional security restrictions apply to such requests, and the restrictions vary depending on whether navigateToURL() is being used as a scripting or a non-scripting statement.
For scripting statements, such as navigateToURL("javascript: alert('Hello from Flash Player.')"), the following rules apply.
- If the SWF file is a locally trusted file, the request succeeds.
- If the target is the HTML page in which the SWF file is embedded, the allowScriptAccess rules described above apply.
- If the target holds content loaded from the same domain as the SWF file, the request succeeds.
- If the target holds content loaded from a different domain than the SWF file, and neither of the previous two conditions is met, the request fails.
For non-scripting statements (HTTP, HTTPS, mailto: and so on), the request fails if all of the following conditions apply:
- The target is one of the special keywords "_top" or "_parent", and
- the SWF file is in a web page hosted from a different domain, and
- the SWF file is embedded with a value for allowScriptAccess that is not "always".
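The rules above can be modelled as an offline policy check for auditing embed configurations; the following JavaScript is an added example, not Flash Player's implementation, and its function names, sandbox labels and sample URLs are assumptions made for illustration.

```javascript
// Added example (not Flash Player code): a model of the AllowScriptAccess and
// navigateToURL() rules described on this page, usable to audit how a given
// embed configuration will behave. Field names and sandbox labels are assumed.
function sameDomain(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// An unset AllowScriptAccess behaves as "sameDomain"; values are compared
// case-insensitively here (an assumption of this model).
function effectiveScriptAccess(value) {
  const v = value == null ? "samedomain" : String(value).toLowerCase();
  if (!["always", "samedomain", "never"].includes(v)) {
    throw new Error("unknown AllowScriptAccess value: " + value);
  }
  return v;
}

// Local content: only the local-trusted sandbox may reach fscommand(),
// ExternalInterface.call() or navigateToURL() at all.
function localSandboxPermits(cfg) {
  const sb = cfg.sandbox || "remote";
  return sb === "remote" || sb === "localTrusted";
}

// May the SWF call scripts in the HTML page that embeds it?
function pageScriptingAllowed(cfg) {
  if (!localSandboxPermits(cfg)) return false;
  const mode = effectiveScriptAccess(cfg.allowScriptAccess);
  if (mode === "never") return false;
  if (mode === "always") return true;
  return sameDomain(cfg.swfUrl, cfg.pageUrl);
}

// navigateToURL("javascript:...", target): the scripting-statement rules.
// targetContentUrl is the document currently loaded in the named target.
function scriptingRequestAllowed(cfg) {
  if (!localSandboxPermits(cfg)) return false;
  if (cfg.sandbox === "localTrusted") return true;
  if (cfg.targetIsHostPage) return pageScriptingAllowed(cfg);
  return sameDomain(cfg.swfUrl, cfg.targetContentUrl);
}

// navigateToURL("https://...", target): fails only when all three conditions hold.
function nonScriptingRequestAllowed(cfg) {
  if (!localSandboxPermits(cfg)) return false;
  const specialTarget = cfg.target === "_top" || cfg.target === "_parent";
  const crossDomain = !sameDomain(cfg.swfUrl, cfg.pageUrl);
  const notAlways = effectiveScriptAccess(cfg.allowScriptAccess) !== "always";
  return !(specialTarget && crossDomain && notAlways);
}
```

Feeding a page's own embed parameters into pageScriptingAllowed() shows whether a cross-domain SWF could script the host page under the configured AllowScriptAccess value.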