Outbound scripting and URL access (using HTTP URLs, mailto:, and so on) are achieved through use of the following ActionScript 3.0 APIs:
- The flash.system.fscommand() function
- The ExternalInterface.call() method
- The flash.net.navigateToURL() function
For SWF files running locally, calls to APIs are successful only if the SWF file and containing web pages are in the locally trusted security sandbox. Calls to these methods fail if the content is in the local-with-networking or local-with-file system sandbox.
The AllowScriptAccess parameter in the HTML code that loads a SWF file controls the ability to perform outbound URL access from within the SWF file. Set this parameter inside the PARAM or EMBED tag. If no value is set for AllowScriptAccess, the SWF file and the HTML page can communicate only if both are from the same domain.
The AllowScriptAccess parameter can have one of three possible values: "always," "sameDomain," or "never:"
- When AllowScriptAccess is "always," the SWF file can communicate with the HTML page in which it is embedded. This rule applies even when the SWF file is from a different domain than the HTML page.
- When AllowScriptAccess is "sameDomain," the SWF file communicates with the HTML page it's embedded in only when the SWF file is from the same domain. This value is the default value for AllowScriptAccess. To prevent a SWF file hosted from one domain from accessing a script in an HTML page on another domain, use this setting. Or, don't set a value for AllowScriptAccess,
- When AllowScriptAccess is "never," the SWF file cannot communicate with any HTML page. Using this value is deprecated and not recommended, and is unnecessary if you don't serve untrusted SWF files from your own domain. If it is necessary to serve untrusted SWF files, Adobe recommends that you create a distinct subdomain and place all untrusted content there.