Apache Flex Flash Actionscript 3 Security

How to Call a Flex SWF from a Remote Domain Using Flash (AS3)

If you’ve ever worked with Flash and Flex, you may have encountered the dreaded SecurityError when attempting to call a SWF file from a different domain. This error, specifically Error #2119, can be a roadblock in your application development journey, preventing seamless interaction between SWFs hosted across different domains. Today, we will dive into the problem and explore how you can effectively tackle this issue using ActionScript 3 (AS3).

The Problem: Security Sandbox Violation

Imagine you have a Flex SWF hosted on one domain, let’s say, http://www.a.com/a.swf, and you want to load a different SWF, http://services.nuconomy.com/n.swf, from another domain. Your code might look something like this:

_loader = new Loader();
var req:URLRequest = new URLRequest("http://services.nuconomy.com/n.swf");
_loader.contentLoaderInfo.addEventListener(Event.COMPLETE,onLoaderFinish);
_loader.load(req);

However, upon execution, you get the following exception:

SecurityError: Error #2119: Security sandbox violation: caller http://localhost.service:1234/flashTest/Main.swf cannot access LoaderInfo.applicationDomain owned by http://www.b.com/b.swf.

This error generally arises because Flash Player enforces security sandbox restrictions that prevent SWF files served from different domains from interacting with each other directly.

The Solution: Granting Access with Security.allowDomain()

To allow cross-domain access, you’ll need to explicitly grant permission using the Security.allowDomain() method in ActionScript. Here’s how to effectively set up this solution:

Step 1: Modify the SWF You Are Trying to Load

In the SWF file that you are attempting to load (let’s call it http://services.nuconomy.com/n.swf), you will need to include the following code snippet:

import flash.system.Security;

// Allow the domain that will interact with this SWF
Security.allowDomain("http://localhost.service:1234");

Step 2: Implement Security.allowDomain() Properly

  • Multiple Domains: If your application needs to allow access from different domains, you can call Security.allowDomain() multiple times for each domain.
  • Best Practices: Be cautious with using allowDomain() extensively as it can expose your SWF file to security vulnerabilities. Only allow trusted domains.

Step 3: Testing Your Configuration

Once you have updated the SWF code, you can run your application again. If everything is set correctly, you should be able to load classes from the remote SWF without triggering any security violations.

Additional Resources

For further understanding, you can refer to Adobe’s extensive documentation on security in Flash. Check out The Adobe Flex 3 Programming ActionScript 3 PDF, particularly Chapter 27, which covers Flash Player Security and Cross-scripting.

Conclusion

Encountering security sandbox violations can be frustrating, especially when you’re trying to implement features that enhance your application’s functionality. Fortunately, with the Security.allowDomain() method, you can easily work around these restrictions and enable seamless communication across SWFs from different domains. Implement it carefully, ensure you grant access only to trusted domains, and you’ll be on your way to a successful integration.

Remember, secure coding practices are essential for maintaining the integrity of your applications in a connected environment.