Security changes in Flash Player 7

Note: This article describes the security features in Flash Player 7,0,19,0. It is intended for historical purposes only. To remain up to date about Flash security, please read the latest security documents in the Flash Player Developer Center.

Overview of the Security Changes

Two restrictions to the Flash security model were added, starting with Flash Player 7:

• All operations require an exact domain match. Similar domains, such as www.mysite.com and store.mysite.com, are no longer considered a match. Domains must now match exactly.
• Flash SWF files served over HTTP (or other insecure protocols) are no longer allowed to access movies or data served over HTTPS.

In addition, we added a new permission mechanism which allows broader cross-domain cooperation. You can perform data loading (loadVariables, XML, XMLSocket, runtime shared libraries, Flash Remoting) from outside a movie's own domain as long as the server providing the data provides a policy file—a small XML file that grants cross-domain loading permissions.

Additional Changes in Flash Player 7r19

Flash Player 7r19 added the ActionScript API System.security.loadPolicyFile. Using this API, you can place policy files in arbitrary locations, rather than just the default location at the server root. With this API, you can also serve policy files directly from XMLSocket servers and specify XMLSocket connections to ports below 1024.

Page 1 of 6

Next Page

About the author