
About ExternalInterface API security in Flex

Allowing Flex applications to call embedded scripts on HTML pages, and vice versa, is subject to stringent security constraints. By default, scripts on the HTML page can communicate with ActionScript in a Flex application only if the page and the application are in the same domain. You can relax this restriction to include applications outside of the domain.


About the call() method

The success of the call() method depends on the HTML page's use of the allowScriptAccess parameter. This parameter is not an ActionScript mechanism; it is an HTML parameter. Its value determines whether your Flex application can call JavaScript in the HTML page, and it applies to all functions on the page. The default value of allowScriptAccess only allows communication if the Flex application and the HTML page are in the same domain.

You set the allowScriptAccess property of the <object> and <embed> tags on the HTML page. On the <object> tag, set the property as follows:

<object id='SendComplexDataTypes' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0' allowScriptAccess='always' height='100%' width='100%'>

On the <embed> tag, set the property as follows:

<embed name='SendComplexDataTypes.mxml.swf' pluginspage='http://www.macromedia.com/go/getflashplayer' src='SendComplexDataTypes.mxml.swf' allowScriptAccess='always' height='100%' width='100%' flashvars=''/>

The following table describes the valid values of the allowScriptAccess parameter:

Value        Description

never        The call() method fails.

sameDomain   The call() method succeeds if the calling application is from the same domain as the HTML page. This is the default value.

always       The call() method succeeds, regardless of whether the calling application is in the same domain as the HTML page.
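
The following added example (not part of the original documentation) audits a wrapper page for <object> and <embed> tags and reports, for each one, the effective allowScriptAccess value and whether it lets a SWF file from another domain call JavaScript on the page. The function names, the sample markup, and the "same scheme and same host" test for "same domain" are assumptions made for illustration; the setting is read both as a tag attribute and as a <param> child of <object>.

```javascript
// Added example: audit a wrapper page's <object>/<embed> tags for allowScriptAccess.
// Assumption: "same domain" is modelled as an exact scheme + host match.
const DEFAULT_ACCESS = 'sameDomain'; // default per the table above

// Read one attribute (double-, single- or un-quoted) from a tag's source text.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function sameDomain(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname;
}

function auditWrapper(html, pageUrl) {
  const page = new URL(pageUrl);
  const items = [];
  let lastObject = null;
  for (const [tag, kind] of html.matchAll(/<(object|embed|param)\b[^>]*>/gi)) {
    if (kind.toLowerCase() === 'param') {
      // <param> children carry the settings for the enclosing <object>.
      const name = (attr(tag, 'name') || '').toLowerCase();
      if (lastObject && name === 'allowscriptaccess') lastObject.access = attr(tag, 'value');
      if (lastObject && name === 'movie') lastObject.src = attr(tag, 'value');
      continue;
    }
    const item = { src: attr(tag, 'src') || attr(tag, 'data'), access: attr(tag, 'allowScriptAccess') };
    if (kind.toLowerCase() === 'object') lastObject = item;
    items.push(item);
  }
  return items.map(({ src, access }) => {
    const mode = (access || DEFAULT_ACCESS).toLowerCase();
    const swf = src ? new URL(src, page) : null;
    const crossDomain = swf ? !sameDomain(swf, page) : null; // null: SWF source unknown
    const callAllowed = mode === 'always' || (mode === 'samedomain' && crossDomain === false);
    // Flag wrappers that let a SWF from another (or unknown) domain script the page.
    return { src: swf && swf.href, mode, crossDomain, callAllowed, risky: mode === 'always' && crossDomain !== false };
  });
}

// Constructed sample wrapper, served from http://example.com/app/index.html
const SAMPLE = `
<embed src='SendComplexDataTypes.mxml.swf' allowScriptAccess='always'/>
<object id='b'><param name='movie' value='https://example.com/app/b.swf'/>
  <param name=allowScriptAccess value='always'/></object>
<embed src='http://192.0.34.166/c.swf'/>
<embed src='d.swf' allowScriptAccess='never'/>`;
console.log(auditWrapper(SAMPLE, 'http://example.com/app/index.html'));
```

Only the second entry is flagged as risky: it combines allowScriptAccess='always' with a SWF file loaded over HTTPS into an HTTP page, which this check treats as a different domain.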

About the addCallback() method

Flex prevents JavaScript methods from calling just any method in your application by requiring that you explicitly make the method callable. The default for all methods is to not be callable from JavaScript. The ExternalInterface API enables a SWF file to expose a specific interface that JavaScript can call.

By default, an HTML page can communicate with the ActionScript in your Flex application only if it originates from the same domain. You allow HTML pages outside of the Flex application's domain to call methods of your application by using the allowDomain() method. For more information, see the Adobe Flex 2 Language Reference.


Flex 2.01



Comments


sparky1962 said on May 7, 2007 at 11:02 AM :
If the HTML wrapper is loaded with HTTP and the SWF with HTTPS but from the same DNS domain, are they considered to be in separate 'domains'?
sparky1962 said on May 7, 2007 at 11:03 AM :
A reference to the Flash Player 9 Security Guide would be useful on this page, as it has relevant info on this topic.
smgilson said on May 8, 2007 at 5:52 AM :
Here you go:

http://www.adobe.com/devnet/flashplayer/articles/flashsecurity.pdf

Stephen Gilson
Flex Doc Team
smgilson said on May 8, 2007 at 11:08 AM :
The answer is yes, they are considered to be in separate domains; a crossdomain file will be needed to go between http and https.

Stephen Gilson
Flex Doc Team
FlexBird said on Oct 18, 2007 at 10:53 PM :
Does Flex consider a different IP address to be cross-domain?
smgilson said on Oct 22, 2007 at 9:24 AM :
The answer is yes. And even if a named domain, such as http://example.com, maps to a specific IP address, such as http://192.0.34.166, Flash Player sets up separate security sandboxes for both.

Stephen Gilson
Flex Doc Team
dysonpro said on Mar 24, 2008 at 9:36 PM :
The object tag is incorrect. It should be:
<object id='SendComplexDataTypes' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0' height='100%' width='100%'>
<param name=allowScriptAccess value='always'/>
</object>

 


Current page: http://livedocs.adobe.com/flex/201/html/passingarguments_086_19.html