Adobe Flash Player security basics
What's covered
The following TechNote outlines basic security restrictions associated with Adobe Flash Player.
Local vs. network access
When an SWF file is played from a user's hard drive (including a CD or other local drive), whether in the standalone player or in a browser or web page that loads the SWF from a local folder on your machine, Flash Player by default allows it to access either local content (C:\ and so forth) or internet or network content (http:// and so forth), but not both. Projectors and other executables are not affected.
An SWF file that is restricted to local content is in the local-with-filesystem sandbox. An SWF file that is restricted to network content is in the local-with-networking sandbox.
An SWF file can access both local content and network content, which places it in the local-trusted sandbox, only if it is given explicit permission to do so. This includes:
- SWFs run within Flex Builder 2 or the Flash Authoring environment
- SWFs located in a directory the user has granted permissions for from the (online only) Global Security Settings Panel
- SWFs located in a directory specified in a Flash Player trust configuration (.cfg) file on the local system
Flash developers simply do not have enough control over permissions to ensure a local-trusted sandbox (allowing access to both the local file system and the network).
When publishing an SWF file, Flash developers can decide between with-filesystem and with-networking capabilities in the Flash tab of a FLA's Publish Settings.
For Flex 2, this is done using the -use-network compiler argument, where a value of true represents local-with-networking and false represents local-with-filesystem.
Note: An SWF file with a sandbox of local-with-filesystem is not allowed to load an SWF file with a sandbox of local-with-networking, nor the other way around.
Related documentation:
"How do I let local Flash content communicate with the Internet?" (TechNote 4c093f20)
Cross-domain access
For non-local playback, when an SWF file is running from the internet or on the network from a server (remote sandbox), security restrictions apply to SWF files on different domains. An SWF file in a remote sandbox can never access local files.
Restrictions apply to accessing the data (via ActionScript) of content from different domains. Any non-data content such as SWFs, bitmaps, audio, and video can be loaded and played or displayed within Flash Player without restriction. Obtaining access to data from that content, such as ActionScript variables and methods, pixel information (from BitmapData.draw()), or sound information (from Sound.computeSpectrum()), or loading data stored in text or XML files, is restricted.
For ActionScript cross-scripting, the allowDomain() (ActionScript 2.0, ActionScript 3.0) command is used to allow an SWF from another domain to access ActionScript properties and methods within the current SWF.
Related documentation:
"Loading data across domains" (TechNote tn_16520)
System.security.allowDomain() in ActionScript 2.0
Security.allowDomain() in ActionScript 3.0
For non-SWF content, a cross-domain policy file is used. For bitmaps, audio, and video content, the cross-domain policy file is only needed to access the content's data via ActionScript. These files will otherwise be able to load into Flash Player without problems. For XML and other text files, which are considered to be entirely data, the cross-domain policy file is required to load the file.
Related documentation:
"External data not accessible outside an Adobe Flash movie's domain" (TechNote tn_14213)
Accessing loaded media as data (ActionScript 3.0)
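The non-SWF rules above can be modelled in a few lines. The following is an added example, not Adobe's code and not part of the original TechNote: it reads a constructed policy file and reports whether an SWF in a remote sandbox could load a piece of content and whether it could read that content's data. The element names cross-domain-policy and allow-access-from come from the policy file format rather than from this page; the domain names, the function names, and the simplified wildcard matching are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy file (all domain names are made up).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.partner.example" />
  <allow-access-from domain="*.cdn.example" />
</cross-domain-policy>"""

MEDIA = {"bitmap", "audio", "video"}  # loads freely; policy gates data access
DATA = {"xml", "text"}                # entirely data; policy gates the load


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from entries."""
    if not policy_xml:
        return []
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return []  # a missing or unparsable policy grants nothing
    return [e.get("domain", "").lower() for e in root.iter("allow-access-from")]


def matches(pattern, host):
    """Simplified matching (assumption): '*', '*.suffix', or exact host."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return bool(pattern) and host == pattern


def evaluate(content_type, content_domain, swf_domain, policy_xml=None):
    """Return (can_load, can_read_data) for an SWF in a remote sandbox."""
    host = swf_domain.lower()
    granted = host == content_domain.lower() or any(
        matches(p, host) for p in allowed_domains(policy_xml))
    if content_type in MEDIA:
        return True, granted
    if content_type in DATA:
        return granted, granted
    raise ValueError("unsupported content type: %r" % (content_type,))


if __name__ == "__main__":
    for kind in ("bitmap", "xml"):
        for swf in ("app.example", "www.partner.example"):
            print(kind, swf, evaluate(kind, "media.example", swf, SAMPLE_POLICY))
```

The model covers only bitmaps, audio, video, XML and text; cross-scripting between SWF files is governed by allowDomain() and is not represented here.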
Additional information
For a more complete description of the Adobe Flash Player 9 security model, read the Flash Player 9 security white paper. Additional information regarding security can be found by visiting the Flash Player security and privacy page.
Changes made to Flash Player security by release can be found here:
