 

Flash Security.AllowDomain()

I've got a Flash movie, loading data from an external URL. In fact, it's an RSS reader inside a banner.

Everything works perfectly when the Flash movie and data URL are on the same domain. However, if the Flash movie is on another domain, Flash security kicks in.

The manual says that I can allow a domain through Security.AllowDomain():

system.Security.allowDomain("http://www.mydomain.abc/")
xmlData = new XML();
xmlData.ignoreWhite = true;
xmlData.onLoad = loadXML;
xmlData.load("http://www.mydomain.abc/content.php");

But when I embed the .swf in an HTML page, the data won't load. Any tips on how to debug or solve this?

Gerrit asked Apr 16 '10 14:04


3 Answers

I think you're misunderstanding the purpose of the method. As the docs say, allowDomain:

Lets SWF files in the identified domains access objects and variables in the SWF file that contains the allowDomain() call.

[...]

By calling Security.allowDomain("siteA.com"), siteB.swf gives siteA.swf permission to script it.

So the call you're making lets swf files on www.mydomain.abc script the swf with the call. You're basically saying, "I trust them to use me properly." It does not allow you to do what you're trying to do (load resources from that domain).

It doesn't make sense to let client code simply ask to bypass cross-domain security the way you're requesting. If all you have to do is ask, why even have the rule in the first place?

To do what you want, you could use either a crossdomain.xml file on www.mydomain.abc, or a server-side proxy. Essentially, the crossdomain.xml file would contain a line like:

<allow-access-from domain="www.yourswfdomain.com" />

, where www.yourswfdomain.com is the domain for the swf file. Obviously, this solution requires support from www.mydomain.abc.

Yahoo has information on setting up a server-side proxy. It's targeted towards XMLHttpRequest, but the same principles apply to Flash.

Matthew Flaschen answered Sep 21 '22 08:09


system.Security.allowDomain("www.mydomain.abc")

Don't add http://; it's a domain, not a URL.

thesunfei answered Sep 24 '22 08:09


Fixed it. The Adobe docs explain the method: create a file called crossdomain.xml in the root of mydomain.abc.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="www.domain-of-swf.com" />
</cross-domain-policy>

Don't use <allow-access-from domain="*" /> because that will allow any SWF on the internet to make calls to your domain on behalf of your users with all cookies attached to requests. This will leak private data unless your domain doesn't store such or doesn't use cookies/HTTP Authentication.

Gerrit answered Sep 24 '22 08:09
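An added example, not part of the original question or answers: a small Python check that parses a crossdomain.xml policy and reports the wildcard and `secure="false"` grants warned about above, plus whether a given SWF host is allowed. The function names `domain_matches` and `audit_policy` are hypothetical, the sample policies are constructed, and the domain matching is a simplified assumption (exact host, `*`, or `*.suffix`).

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
STRICT_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="www.domain-of-swf.com" />
</cross-domain-policy>"""

LOOSE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-access-from domain="*.domain-of-swf.com" secure="false" />
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Simplified matching (assumption): exact host, "*", or "*.suffix"."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # requires a subdomain label
    return host == pattern


def audit_policy(xml_text, swf_host):
    """Return (allowed, findings) for a crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    allowed, findings = False, []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "").strip()
        if domain == "*":
            findings.append("wildcard: any SWF may read responses sent with the user's cookies")
        elif domain.startswith("*."):
            findings.append("subdomain wildcard: " + domain)
        # secure defaults to true; false lets HTTP-served SWFs read HTTPS content
        if rule.get("secure", "true").lower() == "false":
            findings.append("secure=false on " + domain)
        if domain_matches(domain, swf_host):
            allowed = True
    return allowed, findings


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, audit_policy(policy, "www.domain-of-swf.com"))
```
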