System.security.allowDomain( ) Method

ActionScript for Flash MX: The Definitive Guide, 2nd Edition
By Colin Moock
Chapter 18.  ActionScript Language Reference
System.security.allowDomain( ) Method Flash 6

sets cross-domain movie permissions
System.security.allowDomain(domain1, domain2,...domainn)

Arguments

domain1, ...domainn

A list of one or more domains for which access to the movie should be granted.

Description

The security property is a reference to the built-in Security object, which defines a single important method, allowDomain( ). We use allowDomain( ) to grant movies at other domains access to the current movie. Though security limitations have been a part of the Flash Player since version 4, Flash 6 formalizes the concept of the security sandbox. Under the rules of the sandbox, a movie hosted at one domain cannot:

  • Invoke methods or functions in a movie loaded from another domain

  • Access data (user-defined variables, user-defined properties, and nested movie clips) in a movie loaded from another domain

  • Load XML or variables from another domain via the LoadVars class, loadVariables( ), XML.load( ), or XML.sendAndLoad( )

  • Connect to an XMLSocket server on another domain

By default, the security sandbox is active, and all attempts to perform the above operations are ignored by Flash Player 6. Using allowDomain( ), we can override these restrictions.

The allowDomain( ) method is invoked by the movie that wishes to grant access to a particular domain or domains, specified by domain1, domain2, ...domainn. For example, suppose Graham posts his resume, grayResume.swf, on graydient.com and wants to allow jobBoard.swf, posted on moock.org, to access it. On the first frame of grayResume.swf, he must use allowDomain( ) to grant movies at moock.org access, as follows:

System.security.allowDomain("moock.org");

Once moock.org has been added to grayResume.swf's list of trusted domains, jobBoard.swf (at moock.org) can load grayResume.swf from graydient.com and set its variables, stop its playhead, or otherwise manipulate it without any security limitations. For example:

// Make a container into which to load grayResume.swf this.createEmptyMovieClip("holder", 1); // Load grayResume.swf holder.loadMovie("http://www.graydient.com/grayResume.swf");     // Create a preloader that detects when the movie has loaded var preloadInterval = setInterval(setText, 1000);     // Function to be called every second. When the movie has loaded,  // the function assigns it some text and stops its playhead. function setText () {   if (holder._framesloaded > 0 && holder._framesloaded =  = holder._totalframes) {     // Stop the loaded movie     holder.stop();     // Assign some text     holder.subtitle_txt.text = "Gray's resume brought to you by moock.org.";     // Stop the load checker     clearInterval(preloadInterval);   } }

Movies that are hosted at the same domain are not affected by sandbox restrictions. Table 18-21 demonstrates when the security sandbox comes into effect. To check the domain of the current movie, use LocalConnection.domain( ).

Table 18-21. Domain-based security restrictions

Domain of movie origin

Host to connect to

Permitted?

Permitted via allowDomain( )?

www.somewhere.com

www.somewhere.com

Yes

Yes

www.somewhere.com

other.somewhere.com

Yes

Yes

www.somewhere.com

somewhere.com

Yes

Yes

somewhere.com

www.somewhere.com

Yes

Yes

www.somewhere.com

www.elsewhere.com

No

Yes

For backward compatibility, Flash 4 and Flash 5 movies loaded from different domains into Flash Player 6 can still access each other's data (as was possible in the older versions of the Player). However, a Flash 5 movie cannot access the data in a Flash 6 movie loaded from a different domain, nor vice versa.

The allowDomain( ) method cannot directly override security restrictions on loading XML, loading variables, or communicating over XMLSocket. However, it is possible to load XML or variables from a different domain by using a movie on that domain as a proxy for communications. For example, suppose main.swf at moock.org wants to load a file, newsFeed.xml, from graydient.com. The main.swf file must load a proxy movie, xmlloader.swf, from graydient.com. Then, xmlloader.swf must load the newsFeed.xml file and use allowDomain( ) to grant moock.org access to it. The main.swf movie can then access the loaded data via xmlloader.swf. Unfortunately, at the time of writing, a bug prevents this proxy-movie system from working in the current build of Flash Player 6 (6.0.61.0). Macromedia is aware of the issue and is working to address it.

XML and loaded variable security can also be circumvented with a either a DNS alias or a server-side proxy script that acts as a go-between for Flash and the external site. For more information, see:

http://www.macromedia.com/support/flash/ts/documents/loadvars_security.htm
http://www.macromedia.com/support/flash/ts/documents/load_xdomain.htm

A Flash client at one domain can connect to an XMLSocket server on a different domain by using a movie on the server's domain as a proxy for communications (the bug mentioned earlier does not affect XMLSocket communications). For example, suppose a chat socket server is running on moock.org. The owner of graydient.com wants to post a chat movie (chat.swf) at graydient.com that uses moock.org's chat server.

The owner of moock.org must create a proxy movie for graydient.com by following these steps:

  1. Create a movie called socketObject.swf.

  2. On frame 1 of socketObject.swf, add the following code:

    // Grant access to graydient.com System.security.allowDomain("graydient.com"); // Create the XMLSocket object. This must be done here. sock = new XMLSocket();
  3. Post socketObject.swf at moock.org (the socket server's domain).

From chat.swf, the owner of graydient.com must use the socketObject.swf proxy movie to communicate with moock.org's socket server, as follows:

  1. On frame 1 of chat.swf, load socketObject.swf onto level 1 (any level or target will work):

    loadMovieNum("http://www.moock.org/socketObject.swf", 1);
  2. Once socketObject.swf has loaded, use the _level1.sock object to connect to and communicate with the socket server. For example:

    // Create an output text field this.createTextField("out_txt", 1, 100, 100, 400, 100); out_txt.border = true;     // Set callback to handle connection _level1.sock.onConnect = function (success) {   out_txt.text += ("\n Connected: " + success); } // Set callback to handle incoming XML _level1.sock.onXML = function (doc) {   out_txt.text += ("\n XML arrived: " + doc); } // Make the connection _level1.sock.connect("moock.org", 2001);     // Code for a button that sends XML to the socket server sendMessage_btn.onPress = function () {   _level1.sock.send("<MESSAGE>hello world</MESSAGE>"); }

A movie running off the local filesystem in the Flash Standalone Player or browser-based Player (i.e., plugin) is not subject to the security sandbox. It can load XML or variables from any domain, and it can control and access the data of any movie it loads. However, the opposite is not true. For example, if a local movie loads another movie, booklist.swf, from oreilly.com, booklist.swf cannot access or control the local movie unless the local movie includes the following call to allowDomain( ):

System.security.allowDomain("oreilly.com");

The general rule of thumb is, "local can control loaded, but loaded cannot control local."

Note that built-in properties, such as _framesloaded and _x, are not restricted by the sandbox. For example, a movie that loads another movie can change the position of the loaded movie regardless of its domain of origin.

See Also

loadMovie( ), loadVariables( ), the LoadVars class, XML.load( ), XML.sendAndLoad( ), the XMLSocket class



    ActionScript for Flash MX. The Definitive Guide
    ActionScript for Flash MX: The Definitive Guide, Second Edition
    ISBN: 059600396X
    EAN: 2147483647
    Year: 2002
    Pages: 780
    Authors: Colin Moock

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net