Adobe Flex 3 Help

About ExternalInterface API security in Flex

Allowing Flex applications to call embedded scripts on HTML pages and vice versa is subject to stringent security constraints. By default, scripts on the HTML page can communicate only with ActionScript in a Flex application if the page and the application are in the same domain. You can expand this restriction to include applications outside of the domain.

About the call() method

The success of the call() method depends on the HTML page's use of the allowScriptAccess parameter. This parameter is not an ActionScript mechanism; it is an HTML parameter. Its value determines whether your Flex application can call JavaScript in the HTML page, and it applies to all functions on the page. The default value of allowScriptAccess only allows communication if the Flex application and the HTML page are in the same domain.

You set the allowScriptAccess property of the <object> and <embed> tags on the HTML page. On the <object> tag, set the property as follows:

<object id='SendComplexDataTypes' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' codebase='http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab' allowScriptAccess='always' height='100%' width='100%'>

On the <embed> tag, set the property as follows:

<embed name='SendComplexDataTypes.mxml.swf' pluginspage='http://www.adobe.com/go/getflashplayer' src='SendComplexDataTypes.mxml.swf' allowScriptAccess='always' height='100%' width='100%' flashvars=''/>

The following table describes the valid values of the allowScriptAccess parameter:

Value

Description

never

The call() method fails.

sameDomain

The call() method succeeds if the calling application is from same domain as the HTML page. This is the default value.

always

The call() method succeeds, regardless of whether the calling application is in the same domain as the HTML page.

About the addCallback() method

Flex prevents JavaScript methods from calling just any method in your application by requiring that you explicitly make the method callable. The default for all methods is to not be callable from JavaScript. The ExternalInterface API enables a SWF file to expose a specific interface that JavaScript can call.

By default, an HTML page can only communicate with the ActionScript in your Flex application if it originates from the same domain. You allow HTML pages outside of the Flex application's domain to call methods of your application using the allowDomain() method. For more information, see the Adobe Flex Language Reference.