
Security Restrictions for Cross-Movie Scripting

Cross-movie scripting occurs when one Flash movie loads another Flash movie using MovieClipLoader.loadClip, loadMovie, or loadMovieNum, and then one of the movies uses ActionScript to examine or modify variables in the other movie, or calls functions or methods in the other movie. By default, cross-movie scripting is only permitted between movies that come from the same domain. Movies are always allowed to load other movies from anywhere they wish, but security restrictions may prevent those movies from communicating with each other.

Cross-movie scripting also occurs when an HTML page uses JavaScript (or another scripting language) to script a Macromedia Flash movie, for example by calling SetVariable or GetVariable. Macromedia Flash Player only permits this operation when the HTML page is from the same domain as the Macromedia Flash movie it attempts to script.

Applying the New Rules

Macromedia Flash Player 7 requires that movies must come from exactly the same domain to be able to script one another. In addition, movies that are served over nonsecure protocols, such as HTTP, cannot script movies that are served over HTTPS (the reverse is not true: HTTPS movies may script HTTP movies). The same restrictions apply to HTML pages scripting Macromedia Flash movies.

These new rules apply only when one or both of the movies are made for Macromedia Flash Player 7. If both movies are made for Macromedia Flash Player 6 or earlier, Macromedia Flash Player 7 uses the old rules. Note that the old rules permit movies from the same superdomain to script each other; they also permit HTTP movies to script HTTPS movies.

When two movies are from different domains, Macromedia Flash Player ensures that the two movies have different copies of the ActionScript global object. The global object is usually implicitly referenced. For example, all objects in the Macromedia Flash Player standard library, such as MovieClip, Array, and so forth, are part of the global object. The global object also holds global variables created by assigning properties to _global. Movies from different domains have had separate global objects since Macromedia Flash Player 6. However, Macromedia Flash Player 7 introduces a new restriction: movies made for Macromedia Flash Player 6 or earlier can never share a global object with movies made for Macromedia Flash Player 7 or later, even when the movies are from the exact same domain and protocol. This may have subtle repercussions for sites that mix movies made for Macromedia Flash Player 6 and 7.

Granting Cross-Movie Scripting Permissions

If you have movies that you will serve from different domains and you want the movies to be able to script each other, you can grant cross-domain scripting permission. You do this by using the ActionScript method System.security.allowDomain, which has existed since Macromedia Flash Player 6 but takes on slightly different behavior in Flash Player 7.

If you have a movie at http://www.mysite.com/controller.swf that needs to load another movie from http://utility.flashutils.com/helper.swf and call methods defined in helper.swf, Macromedia Flash Player 7 allows the process as long as you put the following ActionScript in helper.swf:

System.security.allowDomain( "www.mysite.com" );

Ensure that you understand the consequences of calling System.security.allowDomain. The above ActionScript permits any movie from the www.mysite.com domain to script any movie from the utility.flashutils.com domain.

When a movie made for Macromedia Flash Player 6 calls System.security.allowDomain and another movie made for Flash Player 6 or earlier performs cross-movie scripting on that movie, System.security.allowDomain works with superdomains. For example, with the above ActionScript, any movie from www.mysite.com, store.mysite.com, and so forth can cross-script any movie from utility.flashutils.com, www.flashutils.com, and so forth. When either the movie calling System.security.allowDomain or the movie performing cross-movie scripting is made for Macromedia Flash Player 7 or later, System.security.allowDomain interprets domains exactly. This means that the above ActionScript would only permit movies from www.mysite.com to access movies from utility.flashutils.com.

When a movie made for Macromedia Flash Player 6 calls System.security.allowDomain, this permits non-HTTPS Flash movies of any version from the permitted domain to access HTTPS movies in the domain of the granting movie. For example, the above ActionScript would permit any Macromedia Flash 7 movie from www.mysite.com to script HTTPS movies in the utility.flashutils.com domain.

In contrast, when a movie made for Macromedia Flash Player 7 or later calls System.security.allowDomain, this does not permit cross-scripting of HTTPS movies by non-HTTPS movies. To grant that permission for movies made for version 7 or later, you must call the new System.security.allowInsecureDomain method. If you have a movie at http://www.mysite.com/controller.swf that needs to load another movie from https://secure.mysite.com/creditcard.swf and call methods in creditcard.swf, Macromedia Flash Player 7 will permit the operation as long as you put the following ActionScript in creditcard.swf:

System.security.allowInsecureDomain( "www.mysite.com" );

Macromedia does not recommend this practice, because allowing non-HTTPS documents to access HTTPS documents can compromise the security offered by HTTPS. It is preferable to serve over HTTPS all Macromedia Flash movies that require scripting access to HTTPS movies. However, if using HTTPS for all your movies is prohibitively expensive or impractical, System.security.allowInsecureDomain will override the Macromedia Flash Player default HTTPS protection.
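The rules in the sections above (exact versus superdomain matching depending on player version, the HTTP/HTTPS asymmetry, and the different effect of allowDomain and allowInsecureDomain depending on which version called them) interact in ways that are easy to get wrong when reviewing a site that mixes Flash Player 6 and 7 movies. The following Python model is an added example, not Macromedia code or part of this article: it encodes the article's decision rules as one pure function so that the combinations can be checked side by side. The Movie class, the may_script function and the scenarios are constructed for this example; the definition of "superdomain" as the last two DNS labels is an assumption, since the article does not define it.

```python
"""Model of the Flash Player 7 cross-movie scripting rules described above.

Added example, not Macromedia code. It encodes the article's rules as a pure
function so version/protocol/grant combinations can be compared. Assumptions
are marked in comments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Movie:
    host: str                 # domain the SWF was served from, e.g. "www.mysite.com"
    scheme: str               # "http" or "https"
    player_version: int       # version the SWF was published for (6 or 7)
    # Domains this movie passed to System.security.allowDomain(...)
    allow_domain: tuple = ()
    # Domains passed to System.security.allowInsecureDomain(...) (Player 7+ only)
    allow_insecure_domain: tuple = ()


def superdomain(host: str) -> str:
    """Assumption: the 'superdomain' of the old rules is the last two labels,
    so www.mysite.com and store.mysite.com both map to mysite.com."""
    return ".".join(host.lower().split(".")[-2:])


def may_script(accessor: Movie, target: Movie) -> bool:
    """True if `accessor` may read/modify variables or call methods in `target`."""
    # New (exact-domain) rules apply as soon as either movie targets Player 7.
    new_rules = accessor.player_version >= 7 or target.player_version >= 7

    def matches(granted: str) -> bool:
        if new_rules:
            return accessor.host.lower() == granted.lower()
        return superdomain(accessor.host) == superdomain(granted)

    # HTTP -> HTTPS is the direction the new rules block; HTTPS -> HTTP is allowed.
    downgrade = accessor.scheme == "http" and target.scheme == "https"

    # 1. allowInsecureDomain (new in Player 7) overrides the default HTTPS protection.
    if target.player_version >= 7 and any(matches(d) for d in target.allow_insecure_domain):
        return True

    # 2. allowDomain: a Player 6 granter also lets non-HTTPS callers into HTTPS
    #    movies; a Player 7 granter does not.
    if any(matches(d) for d in target.allow_domain):
        return not downgrade or target.player_version <= 6

    # 3. No grant: fall back to the same-domain default.
    if not matches(target.host):
        return False
    # Old rules tolerate HTTP scripting HTTPS; new rules do not.
    return not downgrade or not new_rules


def scenarios() -> dict:
    """The article's examples plus a few boundary cases, as constructed inputs."""
    controller7 = Movie("www.mysite.com", "http", 7)
    controller6 = Movie("www.mysite.com", "http", 6)
    store7 = Movie("store.mysite.com", "http", 7)
    store6 = Movie("store.mysite.com", "http", 6)
    helper7 = Movie("utility.flashutils.com", "http", 7, allow_domain=("www.mysite.com",))
    helper6 = Movie("utility.flashutils.com", "http", 6, allow_domain=("www.mysite.com",))
    helper7_nogrant = Movie("utility.flashutils.com", "http", 7)
    secure_helper6 = Movie("utility.flashutils.com", "https", 6, allow_domain=("www.mysite.com",))
    creditcard_grant = Movie("secure.mysite.com", "https", 7, allow_domain=("www.mysite.com",))
    creditcard_insecure = Movie("secure.mysite.com", "https", 7,
                                allow_insecure_domain=("www.mysite.com",))
    return {
        "no grant, different domains": may_script(controller7, helper7_nogrant),
        "allowDomain, exact match (v7)": may_script(controller7, helper7),
        "allowDomain, sibling host (v7, exact)": may_script(store7, helper7),
        "allowDomain, sibling host (v6/v6, superdomain)": may_script(store6, helper6),
        "allowDomain, sibling host (v6 granter, v7 caller)": may_script(store7, helper6),
        "v6 granter lets HTTP caller into HTTPS": may_script(controller7, secure_helper6),
        "v7 granter blocks HTTP caller from HTTPS": may_script(controller7, creditcard_grant),
        "allowInsecureDomain opens HTTPS to HTTP": may_script(controller7, creditcard_insecure),
        "same host, HTTPS scripts HTTP (v7)": may_script(Movie("www.mysite.com", "https", 7), controller7),
        "same host, HTTP scripts HTTPS (v7)": may_script(controller7, Movie("www.mysite.com", "https", 7)),
        "old rules: HTTP scripts HTTPS sibling (v6/v6)":
            may_script(controller6, Movie("store.mysite.com", "https", 6)),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {name}")
```

Running the model shows the two points the article stresses: a single Player 7 movie on either side switches matching from superdomain to exact, and an allowDomain call made by a Player 6 movie silently lets HTTP callers into HTTPS content, which a Player 7 movie only does after an explicit allowInsecureDomain.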
