Outbound scripting and URL access (using HTTP URLs, mailto:, and so on) are achieved through use of the following ActionScript 3.0 APIs:
For SWF files running locally, calls to APIs are successful only if the SWF file and containing web pages are in the locally trusted security sandbox. Calls to these methods fail if the content is in the local-with-networking or local-with-file system sandbox.
The AllowScriptAccess parameter in the HTML code that loads a SWF file controls the ability to perform outbound URL access from within the SWF file. Set this parameter inside the PARAM or EMBED tag. If no value is set for AllowScriptAccess, the SWF file and the HTML page can communicate only if both are from the same domain.
The AllowScriptAccess parameter can have one of three possible values: "always," "sameDomain," or "never:"
In addition to the security setting specified by the allowScriptAccess parameter discussed above, the navigateToURL() function has an optional second parameter. You can use this parameter, target, to specify the name of an HTML window or frame to send the URL request to. Additional security restrictions apply to such requests. The restrictions vary depending on whether navigateToURL() is being used as a scripting or non-scripting statement.
For non-scripting statements (HTTP, HTTPS, mailto:, and so on), the request fails if all the following conditions apply:
Keywords: AllowScriptAccess, Flash Player, Flash, Flex, fscommand, ExternalInterface, navigateToURL, sandbox; tn_16494