The New Restrictions
There are two areas where a Macromedia Flash movie can retrieve other documents from a URL:
- Movie loading: A Macromedia Flash movie loads another Macromedia Flash movie using the ActionScript loadMovie method.
- Data loading: A Macromedia Flash movie retrieves some other form of data, such as loading an XML document, retrieving the output of a loadVariables script, or connecting to an XMLSocket server.
The Macromedia Flash Player enforces certain cross-domain restrictions for these operations. All cross-domain restrictions compare the URL of the Macromedia Flash movie making the request with the URL it requests. If the two URLs come from the same domain, Macromedia Flash Player permits the operation. With movie loading, Macromedia Flash Player always permits the actual loadMovie operation, but if the URLs of the loading and loaded movie do not come from the same domain, then it does not allow the two movies to interact with each other's ActionScript variables and methods. Data loading operations work differently: if the domains do not match, Macromedia Flash Player does not permit the operation at all.
Domain Matching Changes
Macromedia Flash Player 6 compared domains using superdomains. The superdomain of a domain is that domain with its first (leftmost) component removed. For example, the superdomain of www.mysite.com is mysite.com.
Macromedia Flash Player 6 considered the domains www.mysite.com and store.mysite.com to be a match, because both have the superdomain mysite.com. A movie served from http://www.mysite.com/myMovie.swf could use ActionScript to interact with another movie loaded with the loadMovie method from http://store.mysite.com/anotherMovie.swf, or download an XML file from http://store.mysite.com/myData.xml.
In Macromedia Flash Player 7, however, www.mysite.com and store.mysite.com are not a match. The only domains that match are those that are identical, for example www.mysite.com and www.mysite.com. The examples above are therefore no longer permitted by default. You can modify the default Macromedia Flash Player security rules using permission mechanisms, which this article explains in further detail.
Note that web browsers have required exact domain matching for some time.
Protocol Matching Changes
In Macromedia Flash Player 6, the domain was the only part of a URL that the Macromedia Flash Player examined; the protocol was ignored. This meant that, for example, a movie served from http://www.mysite.com/myHttpMovie.swf could use ActionScript to interact with another movie loaded with loadMovie from https://www.mysite.com/mySecureMovie.swf, or download an XML file from https://www.mysite.com/mySecureData.xml.
In Macromedia Flash Player 7, a movie served over a nonsecure protocol, such as HTTP, cannot access other documents served over the secure HTTPS protocol, even when those documents come from the same domain. This means that the examples above are no longer permitted by default.
You can modify the default Macromedia Flash Player security rules by using permission mechanisms, which this article explains in further detail. However, Macromedia recommends against overriding the default HTTPS protection because doing so weakens the security offered by HTTPS.
The HTTPS restriction is asymmetric: it protects HTTPS documents from non-HTTPS movies, but a movie served over HTTPS can still access documents served over nonsecure protocols such as HTTP.
Note that web browsers have protected HTTPS documents in the same way for some time.
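As an added example that is not code from the original article or from Macromedia, the following JavaScript models the rules described in the Domain Matching Changes and Protocol Matching Changes sections above, together with the distinction between movie loading and data loading from the start of this section, as a single decision function. The URLs are the article's own sample URLs; the function names (decide, urlsMatch, superdomain and the others) and the treatment of a host with only two components are assumptions of this example, not Flash Player or ActionScript APIs.

```javascript
// Added example, not code from the original article or from Macromedia.
// Models how Flash Player 6 and Flash Player 7 decide whether a requesting
// movie may use a document at another URL. Function names are this
// example's own; they are not Flash Player or ActionScript APIs.

// Split a URL into the two parts the rules examine: protocol and host.
function parseUrl(url) {
  const u = new URL(url);
  return { protocol: u.protocol.replace(/:$/, ''), host: u.hostname.toLowerCase() };
}

// Superdomain: the host with its first (leftmost) component removed,
// e.g. www.mysite.com -> mysite.com. Assumption for this example: a host
// with only two components (mysite.com) is treated as its own superdomain
// so that it is not reduced to a bare top-level domain.
function superdomain(host) {
  const labels = host.split('.');
  return labels.length > 2 ? labels.slice(1).join('.') : host;
}

// Flash Player 6: domains match when their superdomains are equal, so
// www.mysite.com and store.mysite.com match. The protocol is not examined.
function domainsMatchPlayer6(a, b) {
  return superdomain(a) === superdomain(b);
}

// Flash Player 7: only identical domains match.
function domainsMatchPlayer7(a, b) {
  return a === b;
}

// Flash Player 7 protocol rule, which is asymmetric: an HTTPS document may
// only be reached from an HTTPS movie, while an HTTPS movie may still reach
// documents served over a nonsecure protocol.
function protocolAllowedPlayer7(requesterProtocol, targetProtocol) {
  return targetProtocol !== 'https' || requesterProtocol === 'https';
}

// Does the default policy of the given player version treat `target` as
// coming from the same place as the movie at `requester`?
function urlsMatch(playerVersion, requester, target) {
  const r = parseUrl(requester);
  const t = parseUrl(target);
  if (playerVersion === 6) {
    return domainsMatchPlayer6(r.host, t.host);
  }
  return domainsMatchPlayer7(r.host, t.host) &&
         protocolAllowedPlayer7(r.protocol, t.protocol);
}

// `operation` is 'loadMovie' for movie loading, or 'data' for XML loading,
// loadVariables and XMLSocket. Returns one of:
//   'allowed'                      - operation permitted with full access
//   'loaded-without-script-access' - loadMovie itself succeeds, but the two
//                                    movies may not touch each other's
//                                    ActionScript variables and methods
//   'denied'                       - data operation refused outright
function decide(playerVersion, operation, requester, target) {
  if (urlsMatch(playerVersion, requester, target)) {
    return 'allowed';
  }
  return operation === 'loadMovie' ? 'loaded-without-script-access' : 'denied';
}

// Constructed sample pairs built from the article's own example URLs.
const SAMPLES = [
  ['loadMovie', 'http://www.mysite.com/myMovie.swf', 'http://store.mysite.com/anotherMovie.swf'],
  ['data', 'http://www.mysite.com/myMovie.swf', 'http://store.mysite.com/myData.xml'],
  ['data', 'http://www.mysite.com/myHttpMovie.swf', 'https://www.mysite.com/mySecureData.xml'],
  ['data', 'https://www.mysite.com/mySecureMovie.swf', 'http://www.mysite.com/myData.xml'],
];

for (const [op, requester, target] of SAMPLES) {
  console.log(op, requester, '->', target);
  console.log('  Player 6:', decide(6, op, requester, target));
  console.log('  Player 7:', decide(7, op, requester, target));
}
```

Running the sample loop shows the change in behaviour directly: every pair is 'allowed' under the Player 6 rules, while under Player 7 the cross-subdomain loadMovie becomes 'loaded-without-script-access', the cross-subdomain and HTTP-to-HTTPS data loads become 'denied', and only the HTTPS movie reaching an HTTP document stays 'allowed', which is the asymmetry described above. The permission mechanisms the article goes on to describe are not modelled here; this function only encodes the defaults.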