Security Changes in Macromedia Flash Player 7
Note: This article concerns changes to the security model in Macromedia Flash Player 7.
Macromedia has made some changes to the cross-domain security model in Macromedia Flash Player 7. For the most part, the new restrictions apply only to movies made for the new player. However, data loading in older Macromedia Flash movies may stop working as intended when played in Macromedia Flash Player 7. This article explains how to fix this issue for existing movies, how to use policy files, and what the other security changes are.
An Overview of the Security Changes
Macromedia added two new restrictions to the Macromedia Flash security model, starting with Macromedia Flash Player 7:
- All operations require an exact domain match. Earlier players treated hosts that shared a parent domain, such as www.mysite.com and store.mysite.com, as the same domain; Flash Player 7 requires the host names to match exactly.
- Macromedia Flash movies served over HTTP (or any other unencrypted protocol) are no longer allowed to access movies or data served over HTTPS. The reverse direction, an HTTPS movie loading HTTP content, is unaffected.
In addition, Macromedia added a new permission mechanism that allows broader cross-domain cooperation. You can now perform data loading (loadVariables, XML, XMLSocket, runtime shared libraries, Macromedia Flash Remoting) from outside a movie's own domain as long as the server that serves the data also serves a policy file: a small XML file, by default named crossdomain.xml at the server root, that grants cross-domain loading permissions.
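The following policy file is an added example, not a file from the original article; the host names under example.com are assumed. It is the crossdomain.xml a data server would serve at its root so that movies from the listed domains can load its data:

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Exact host match: only movies served from www.example.com may load data.
       Under the Flash Player 7 rule, store.example.com would NOT match this entry. -->
  <allow-access-from domain="www.example.com" />

  <!-- Subdomain wildcard: any host under example.com.
       "*" on its own would grant every domain on the internet and is the
       setting to avoid on any server that returns per-user (cookie-authenticated) data. -->
  <allow-access-from domain="*.example.com" />

  <!-- On an HTTPS server, secure="false" lets movies served over plain HTTP
       load this server's data, re-opening the HTTP-to-HTTPS path that
       Flash Player 7 otherwise closes. Leave it out unless you need it. -->
  <allow-access-from domain="reports.example.com" secure="false" />
</cross-domain-policy>
```

Each allow-access-from entry names the domain the requesting movie was loaded from, not the domain of the data. Because the player sends the user's cookies with the data request, a policy that is too broad turns every authenticated resource on that host into something any third-party movie can read.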
Additional Changes in Flash Player 7r19
In version 7r19 of the Flash Player, Macromedia added the ActionScript API
System.security.loadPolicyFile. Using this API, you can place policy files at arbitrary locations, rather than only at the default location at the server root. The same API also lets an XMLSocket server serve its own policy file directly over the socket connection, and a policy file loaded this way can authorize XMLSocket connections to ports below 1024, which were previously not allowed at all.
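The two uses of loadPolicyFile described above, as an added ActionScript 2 example that is not code from the original article. The host names, paths and port numbers are assumed, and the to-ports attribute mentioned in the comments is taken from the policy file format as documented for 7r19, not from this page:

```actionscript
// Added example; requires Flash Player 7r19 or later for System.security.loadPolicyFile.
// All hosts, paths and ports below are assumptions for illustration.

// 1. Policy file at a non-default HTTP location.
//    Without this call the player only looks for http://data.example.com/crossdomain.xml.
System.security.loadPolicyFile("http://data.example.com/app/policy.xml");

var lv:LoadVars = new LoadVars();
lv.onLoad = function(success:Boolean):Void {
    if (success) {
        // data.txt is assumed to contain "status=ok"
        trace("loaded, status=" + this.status);
    } else {
        // Typical cause: policy.xml does not list this movie's exact domain,
        // or this movie is served over HTTP and the data over HTTPS.
        trace("load failed; check the policy file for this movie's domain");
    }
};
lv.load("http://data.example.com/app/data.txt");

// 2. Policy file served by the XMLSocket server itself.
//    The player sends <policy-file-request/> to the given port; the server must
//    answer with the policy document terminated by a null byte. The policy needs
//    an allow-access-from entry for this movie's domain with to-ports="1000"
//    (assumed attribute form) before the connect() below is permitted, because
//    port 1000 is below 1024.
System.security.loadPolicyFile("xmlsocket://sockets.example.com:1000");

var sock:XMLSocket = new XMLSocket();
sock.onConnect = function(ok:Boolean):Void {
    trace(ok ? "socket connected" : "socket refused (policy not loaded or port not authorized)");
};
sock.onXML = function(doc:XML):Void {
    trace("received: " + doc.toString());
};
sock.connect("sockets.example.com", 1000);
```

Call loadPolicyFile before the load or connect it is meant to authorize; the player fetches the policy asynchronously but queues the data request until the policy check completes. A policy file loaded from an XMLSocket server can authorize only socket connections, and one loaded over HTTP authorizes only HTTP loads, so a server that offers both needs both.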