Macromedia observes a security principle sometimes known as an origin check or domain perimeter. In this case, the principle forbids ActionScript from loading XML data from third parties. More precisely, it inhibits a Flash program from downloading data from any URL that is not within the subdomain from which the Flash program itself was loaded. The subdomain is what we usually think of as an organization's domain name. In the case of a top-level domain (the TLDs are .com, .net, .org, .edu, .gov, .mil), a subdomain has two parts separated by a dot. The first part is the name and the second is the TLD itself:
In the case of a country domain, a subdomain generally requires three parts ”
”but in some countries two suffice:
In all these cases subsubdomains (prepended and separated by dots, like dov.jacobson.net ) and directories (appended and separated by slashes , like jacobson.net/jesse) are allowable locations for a target file ”they are still within the cardinal subdomain. But any file download from jackson.net/jesse would not be permitted. This applies not only to XML files, but to all data transfer ”even submovies loaded as swf files. It regulates these functions:
The reasoning behind this security principle seems obscure. Naturally, it prevents us from using ActionScript as a tool for crude DoS server attacks, and it impedes somewhat the theft of net content. But such crimes can easily be performed with other readily available technologies. Limiting the reach of ActionScript greatly reduces its utility in a world that is every day more interoperative. The rule is at once draconian and futile. If a telephone manufacturer made instru ments that would dial only members of your family, this policy would have the same problems. Vandals would still manage to make prank calls somehow, and the rest of us would be terribly inconvenienced.