Flash Player 8 security changes

Here are the security-related limitations in Flash Player 8 compared to the previous version:

  • Local sandboxes: By default, local SWFs can no longer contact the Internet, perform HTTP communication, or communicate with local HTML files. If SWFs of Flash Player 7 or earlier attempt to perform any of these actions, users will see a warning dialog box that informs them that it cannot be done. The appearance of the dialog box, and breakages in existing content, can be remedied either by end users or by Flash developers by putting appropriate permissions in place.
  • Loading restrictions: SWF and HTML content from non-local URLs may no longer load any content (SWF, HTML, PNG, and so on) from local paths.
  • Third-party storage: Flash Player users may now choose to prevent third-party SWFs (those that come from different domains than the domain shown in the browser’s address bar) from reading or writing persistent shared objects. This restriction is not applied by default; users must proactively decide to apply it.
  • allowScriptAccess default: For SWFs of Flash Player 8 and later, the default value for the HTML allowScriptAccess parameter is “sameDomain” rather than “always”. This does not affect SWFs of Flash Player 7 or earlier. The allowScriptAccess parameter controls whether SWFs may call out to JavaScript in HTML pages.

Among these four restrictions, allowScriptAccess is closely related to communicating with JavaScript. You can find more details about these changes in Deneb Meketa’s article, Security Changes in Flash Player 8.

The settings for allowScriptAccess are as follows:

  • When allowScriptAccess is “never”, outbound scripting always fails
  • When allowScriptAccess is “always”, outbound scripting always succeeds
  • If allowScriptAccess is “sameDomain” (it is supported in SWFs from Flash Player 8), outbound scripting is allowed only if the SWF file resides in the same domain as the hosting web page
  • If allowScriptAccess is not explicitly specified by an HTML page, the default value for the embedded SWF file is set to “sameDomain” in Flash Player 8 and to “always” in earlier versions

With the "sameDomain" setting, a SWF file can call JavaScript functions only in a web page from the same domain. However, when you test it locally and from another domain, the SWF file needs allowScriptAccess = "always".
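The rules above can be modeled in a few lines to check which embeds on a page are able to call out to JavaScript. This is an added example, not code from the original article or from Flash Player: the function names, the sample markup and the example.com / example.net hosts are constructed, and "same domain" is modeled as an exact hostname match (an assumption).

```javascript
// Added example: models the allowScriptAccess rules listed above.
// Assumption: "same domain" is treated as an exact hostname match.
function effectiveSetting(explicit, swfVersion) {
  if (explicit) return explicit.toLowerCase();
  // Not specified in the HTML: the default depends on the SWF's version.
  return swfVersion >= 8 ? "samedomain" : "always";
}

function outboundScriptingAllowed(explicit, swfUrl, pageUrl, swfVersion) {
  const setting = effectiveSetting(explicit, swfVersion);
  if (setting === "never") return false;
  if (setting === "always") return true;
  if (setting === "samedomain") {
    const page = new URL(pageUrl);
    const swf = new URL(swfUrl, page); // relative SWF paths resolve against the page
    return swf.hostname === page.hostname;
  }
  return false; // unknown value: denied in this model (assumption)
}

// Report the effective setting for every <embed> tag in a page's markup.
function auditEmbeds(html, pageUrl, swfVersion) {
  const attr = (tag, name) => {
    const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(tag);
    return m ? m[1] : null;
  };
  return (html.match(/<embed\b[^>]*>/gi) || []).map((tag) => {
    const src = attr(tag, "src");
    const explicit = attr(tag, "allowScriptAccess");
    return {
      src,
      setting: effectiveSetting(explicit, swfVersion),
      allowed: outboundScriptingAllowed(explicit, src, pageUrl, swfVersion),
    };
  });
}

// Constructed sample markup: one same-domain SWF and three third-party SWFs.
const SAMPLE = `
<embed src="allowScriptAccess.swf" name="allowScriptAccess" allowScriptAccess="sameDomain" />
<embed src="http://cdn.example.net/banner.swf" allowScriptAccess="always" />
<embed src="http://cdn.example.net/widget.swf" />
<embed src="http://cdn.example.net/ad.swf" allowScriptAccess="never" />`;
const PAGE = "http://www.example.com/index.html";

for (const r of auditEmbeds(SAMPLE, PAGE, 8)) {
  console.log(`${r.src}: ${r.setting} -> outbound scripting ${r.allowed ? "allowed" : "blocked"}`);
}
```

Running the audit with `swfVersion` set to 7 shows the third embed flipping to allowed, which is the default change the list describes.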

The following code is generated if you publish to HTML from Flash:

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>allowScriptAccess</title>
</head>
<body bgcolor="#ffffff">
<!--url's used in the movie-->
<!--text used in the movie-->
<!-- saved from url=(0013)about:internet -->
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0"
width="550" height="400" id="allowScriptAccess" align="middle">
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="allowScriptAccess.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<embed src="allowScriptAccess.swf" quality="high" bgcolor="#ffffff"
width="550" height="400" name="allowScriptAccess" align="middle"
allowScriptAccess="sameDomain"
type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
</body>
</html>

You will need to change the allowScriptAccess setting in the previous listing from allowScriptAccess="sameDomain" to allowScriptAccess="always".

Note:
To let your local Flash content communicate with the Internet, read this Flash Player TechNote.