Issue

fscommand() and getURL("javascript:...") no longer function in Flash Player versions greater than 9.0.115.0.

Starting with Flash Player versions greater than 9.0.115.0 any configuration in which ALL of the following are true may stop working as intended:

  • The SWF file was published for Flash Player 7 or earlier
  • The HTML that sources the SWF file does not specify a value for the AllowScriptAccess parameter in the object/embed tags
  • The HTML and SWF files are served from different domains, or from different hostnames within the same domain. For example, an HTML page on www.mysite.com sources a SWF file from www.anothersite.com, or from content.mysite.com
  • The ActionScript code in the SWF file calls JavaScript code in the HTML file, using either fscommand() or getURL("javascript:...")

Other cases that may be impacted include:

  • SWF8 or later parent SWF loading a remote SWF7 and earlier child
  • Hosting a SWF without surrounding HTML

See the Diagnosis section for instructions to determine if your site may be affected by this change.

Reason

Flash Player versions greater than 9.0.115.0 will change the default value of a permission mechanism called AllowScriptAccess for content published for Flash Player 7 or earlier from "always" to "sameDomain". Adobe has changed this default in order to offer better security in Flash Player by default.

AllowScriptAccess is an HTML property of the <object>/<embed> tags that embed a SWF file. It protects an HTML file from a potentially untrusted SWF file, by controlling the ability of that SWF file to call JavaScript code in the surrounding HTML file. AllowScriptAccess has three possible values: "always", "sameDomain", and "never". The "always" and "never" values unconditionally turn JavaScript access on or off, respectively, for the SWF file contained in the tags where AllowScriptAccess appears. The "sameDomain" value turns JavaScript access on only if the SWF file is served from the same domain and hostname as its surrounding HTML file.

For Flash Player 9.0.115.0 and earlier, the default value of AllowScriptAccess (the value that is assumed if AllowScriptAccess is not specified by an HTML file) was "always" for SWF files of version 7 or earlier, and "sameDomain" for SWF files of version 8 or later. For versions greater than 9.0.115.0 the default value of AllowScriptAccess is "sameDomain" regardless of SWF file version.

Diagnosis

To determine if your site is affected by this change:

  1. Install a Debug version of Flash Player 9.0.115.0 or later. You can find Debug versions of Flash Player at http://www.adobe.com/support/flashplayer/downloads.html.
  2. Follow the instructions from "Configure the debugger version of Flash Player" (TechNote kb403009) to enable Flash Player logging to flashlog.txt.
  3. Visit your site and interact with it as much as possible, especially exercising any features that you think might be affected.
  4. Close your browser.
  5. Open flashlog.txt and search for the text "AllowScriptAccess".

    You should find one of the following phrases if your site is affected:

        ** Security Sandbox Violation **
        FSCommand halted (AllowScriptAccess is ''): FSCommand:(functionName)

        ** Security Sandbox Violation **
        Script URL halted (AllowScriptAccess is ''): javascript:(stringOfCode)

Solution

In the HTML page where the problem appears, specify AllowScriptAccess="always". For web sites that host a SWF without surrounding HTML, you will need to add the appropriate surrounding HTML to set Flash Player to run in a less privileged mode.

Be aware that this grants permission for the sourced SWF file, and any SWF file that it loads, to execute JavaScript code in the context of your HTML file. If you control the SWF that is sourced, it is appropriate to grant this permission, but if you do not control that SWF, or any SWF that it may load, then you may want to consider carefully whether AllowScriptAccess="always" exposes your HTML page to abuse.

Note that, if you source multiple SWF files from the same HTML page, you can make the AllowScriptAccess decision separately for each one, since AllowScriptAccess is specified in the <object>/<embed> tags that source each SWF file.

To specify AllowScriptAccess="always" in plain HTML:

    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" ... >
        ...
        <param name="movie" value="http://www.anothersite.com/thing.swf">
        ...
        <param name="AllowScriptAccess" value="always">
        ...
        <embed type="application/x-shockwave-flash"
            ...
            src="http://www.anothersite.com/thing.swf"
            ...
            AllowScriptAccess="always"
            ... >
        </embed>
    </object>

To specify AllowScriptAccess="always" using Active Content code:

    AC_FL_RunContent(
        ...
        "src", "http://www.anothersite.com/thing",
        ...
        "AllowScriptAccess", "always",
        ...
    );
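The following Python script is an added example (not part of this TechNote or of any Adobe tool) that audits the <object>/<embed> tags of an HTML page against the rules described above: it reads each SWF's AllowScriptAccess setting, applies the post-9.0.115.0 default of "sameDomain" when the parameter is absent, and compares the SWF's hostname with the page's hostname exactly, so that content.mysite.com counts as a different host from www.mysite.com. The sample page, the page hostname and the function names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: the first SWF is cross-host with no
# AllowScriptAccess (loses JavaScript access under the new default), the
# second sets "always" explicitly, the third is same-host so the default
# "sameDomain" is sufficient.
SAMPLE_HTML = """
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
  <param name="movie" value="http://www.anothersite.com/thing.swf">
  <embed type="application/x-shockwave-flash"
         src="http://www.anothersite.com/thing.swf"></embed>
</object>
<object>
  <param name="movie" value="http://content.mysite.com/widget.swf">
  <param name="AllowScriptAccess" value="always">
</object>
<embed src="/local/menu.swf" type="application/x-shockwave-flash"></embed>
"""

OBJECT_RE = re.compile(r"<object\b.*?</object>", re.I | re.S)
EMBED_RE = re.compile(r"<embed\b[^>]*>", re.I | re.S)
PARAM_RE = re.compile(r'<param\s+name="(\w+)"\s+value="([^"]*)"', re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def swf_host(url, page_host):
    """Hostname the SWF is served from; a relative URL means the page host."""
    host = urlparse(url).hostname
    return (host or page_host).lower()


def classify(url, setting, page_host):
    """Return (swf_url, effective_setting, js_access_allowed)."""
    # Default after 9.0.115.0 is "sameDomain" regardless of SWF version.
    effective = (setting or "sameDomain").lower()
    same_host = swf_host(url, page_host) == page_host.lower()
    allowed = effective == "always" or (effective == "samedomain" and same_host)
    return (url, effective, allowed)


def audit(html, page_host):
    """Classify every SWF sourced by <object> params or stand-alone <embed>."""
    results, remaining = [], html
    for obj in OBJECT_RE.findall(html):
        remaining = remaining.replace(obj, "")  # avoid double-counting nested embeds
        attrs = {k.lower(): v for k, v in PARAM_RE.findall(obj)}
        results.append(classify(attrs.get("movie"), attrs.get("allowscriptaccess"), page_host))
    for emb in EMBED_RE.findall(remaining):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(emb)}
        results.append(classify(attrs.get("src"), attrs.get("allowscriptaccess"), page_host))
    return results
```

Entries reported with js_access_allowed False are the embeds whose fscommand() or getURL("javascript:...") calls will be halted; each one needs an explicit AllowScriptAccess="always" decision as described in the Solution section.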

Additional Information

The Flash Player security page at http://www.adobe.com/products/flashplayer/security/ should be your first stop for Flash Player security information. Click the "Resources for Developers" tab for a collection of links to useful documents.
