Recipe 3.12. Dealing with System Security


Problem

You want to load a .swf from another domain into your application and allow it to have access to the ActionScript in the application.

Solution

Use one of the following: flash.system.Security.allowDomain( ), flash.system.Security.allowInsecureDomain( ), or a policy file.

Discussion

In many cases, all of the .swfs in a multi-.swf application would live on the same server (thus the same domain). There may be cases, however, when your application needs to load in an external .swf from another domain. In such a case, neither the .swf nor the loading application would be able to access the other's code. You can allow such access by using flash.system.Security.allowDomain( ), flash.system.Security.allowInsecureDomain( ), or a policy file.

The .swf that is going to be accessed must explicitly allow access by .swfs in the other domain. It does not matter which .swf is loading or being loaded. To clarify, call the .swf being accessed, accessed.swf, and the .swf doing the access, accessing.swf. Say accessing.swf lives on mydomain.com and loads in accessed.swf from otherdomain.com, into an object named content (see Figure 3-1).

Now, accessing.swf tries to access a variable called authorName from the loaded accessed.swf. At this point, accessed.swf complains and won't allow access by a .swf from another domain.

To overcome this, accessed.swf needs the following line:

flash.system.Security.allowDomain("http://mydomain.com");

This tells accessed.swf that it is all right to allow access by any .swf from that domain.

You should note that the permission is one-way. If the loaded .swf now needs access to some code in the .swf that loaded it, it would not be able to get at that code. In this case, the loading .swf would explicitly need to allow access to otherdomain.com.


Figure 3-1. Using Security.allowDomain


The domain can be text-based as in the previous examples, or can be a numeric IP address. It also supports wildcards. If, for some reason, you want to grant access to any .swf from anywhere, you can pass in the string "*". However, this effectively disables all of the cross-domain security that has been built into the player, and is not recommended.

If the accessed .swf file happens to be on a secure server accessed with https://, then by default it won't allow access to any .swf being loaded from a non-secure domain (http://), even if you have allowed access with flash.system.Security.allowDomain( ). In this case, use flash.system.Security.allowInsecureDomain( ) to allow access to a non-secure domain.

The method mentioned here requires you to hardcode the domain name or names into your .swf. This works fine if you know exactly which domains you will be allowing access from and that these are unlikely to change. However, if you later want to add or change the allowed domains, you have to change the code and recompile and redeploy the .swf. In a situation where this is likely to happen often, it is more efficient to create and use a policy file.

A policy file is an XML file that lists any domains that are allowed access to the code in the .swf. The format of the file can be seen here:

<?xml version="1.0"?>
<!-- http://www.mydomain.com/crossdomain.xml -->
<cross-domain-policy>
  <allow-access-from domain="www.otherdomain.com" />
  <allow-access-from domain="*.adobe.com" />
  <allow-access-from domain="123.45.67.89" />
</cross-domain-policy>

As you can see, it just lists each domain to which you want to allow access. The file should be named crossdomain.xml. Prior to Flash 8, the file was required to live in the root directory of the domain of the .swf to which it applied. Now you can specify and load a policy file from any other location using flash.system.Security.loadPolicyFile( ). This takes a string defining the URL of the crossdomain.xml file you wish to load. This file should be loaded as an early action in your application, before you attempt to load any content from another domain. With this method, you can add, remove, or change allowed domains by simply rewriting the XML file.

As you can see, this method also supports wildcards. For example, if you wanted to allow access to any and all domains, you could use the following line:

<allow-access-from domain="*" />

And if you wanted to explicitly deny access to any domain except the current one, you could create an empty policy file:

<cross-domain-policy> </cross-domain-policy>
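
The policy-file rules described above (explicit domains, wildcard entries, the "*" entry and the empty policy), as an added Python example that is not from the book: it parses a crossdomain.xml, labels each entry, and reports the entries that open the policy to every domain. The sample policy is constructed, the function names are hypothetical, and the host matching is a simplified suffix match assumed for illustration, not the player's own algorithm.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the recipe's policy plus the "*" entry it describes.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.otherdomain.com" />
  <allow-access-from domain="*.adobe.com" />
  <allow-access-from domain="123.45.67.89" />
  <allow-access-from domain="*" />
</cross-domain-policy>"""

def classify(pattern):
    """Label one domain attribute: any, subdomain-wildcard, ip or exact."""
    if pattern == "*":
        return "any"
    if pattern.startswith("*."):
        return "subdomain-wildcard"
    try:
        ipaddress.ip_address(pattern)
        return "ip"
    except ValueError:
        return "exact"

def matches(pattern, host):
    # Assumption: "*.adobe.com" matches hosts ending in ".adobe.com" only.
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def audit(policy_xml):
    """Return (pattern, label) for every allow-access-from entry."""
    root = ET.fromstring(policy_xml)  # use a hardened parser for untrusted files
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    patterns = [n.get("domain", "").strip() for n in root.iter("allow-access-from")]
    return [(p, classify(p)) for p in patterns]

def is_allowed(policy_xml, host):
    """True if any entry admits host; an empty policy admits nobody."""
    return any(matches(p, host) for p, _ in audit(policy_xml))

def findings(policy_xml):
    """Entries that grant access to every domain and deserve review."""
    return [p for p, kind in audit(policy_xml) if kind == "any"]
```

Running findings( ) over each deployed crossdomain.xml gives a quick list of policies that still carry the "*" entry.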




ActionScript 3.0 Cookbook: Solutions for Flash Platform and Flex Application Developers
ISBN: 0596526954
EAN: 2147483647
Year: 2007
Pages: 351
