Issue

Note: As of the October 15, 2008 release of Adobe Flash Player 10, Adobe recommends that developers use SWFObject2 for Flash Player detection. For more information see the SWFObject page at Google code (http://code.google.com/p/swfobject/) or "Detecting Flash Player versions and embedding SWF files with SWFObject 2" on the Adobe Developer Connection website. The following information is provided for the Flash Player Detection Kit, which should continue to work successfully.

Links from a SWF file in playerProductInstall.html page no longer function in Adobe Flash Player 9 update 3 (v9.0.115.0).

Calling getURL (or its ActionScript 3.0 equivalent, navigateToURL) does not work properly when the calling Flash Player movie (SWF) file is located in a different domain than its hosting HTML page. An exception to this issue is when the HTML parameter AllowScriptAccess is set to "always."

This issue may interfere with attempts by the SWF file to execute JavaScript style URLs within the context of the hosting page or other frames within that page.

Reason

To protect HTML pages from untrusted SWF files, Flash Player supports the HTML parameter AllowScriptAccess in the <object> and <embed> tags that display Flash content. AllowScriptAccess can have three values:

  • "always": permits the SWF file to interact with the HTML page in all cases.
  • "sameDomain": permits the SWF file to interact with the HTML page only when both of their domains match exactly. By default, the HTML publish templates in the Adobe Flash authoring application output HTML that specifies AllowScriptAccess="sameDomain" because this is frequently the desired security behavior.
  • "never": completely prevents the SWF file from interacting with the HTML page.

Calling getURL (or navigateToURL ) now falls under the control of the AllowScriptAccess parameter. In other words, AllowScriptAccess must either be "always" or "sameDomain," and the domains of the HTML page and SWF file must match exactly. Otherwise, the call to getURL (or navigateToURL) will fail.

This behavior is new to Flash Player 9 (and enhanced in Flash Player 9 Update 3 v9.0.115.0) to comply with the security model and affects all SWF file versions.

Solution

Modify the playerProductInstall.html page.

The playerProductInstall.html page contains the JavaScript logic for completing the Express Install process.

There are two instances of "allowScriptAccess","sameDomain," on the playerProductInstall.html page to update to "allowScriptAccess","always," as in the following example:

 AC_FL_RunContent(
		

	    "src", "playerProductInstall",
		

	    "FlashVars", "MMredirectURL="+MMredirectURL+'&MMplayerType='
		

	    +MMPlayerType+'&MMdoctitle='+MMdoctitle+"",
		

	    "width", "550",
		

	    "height", "300",
		

	    "align", "middle",
		

	    "id", "detectionExample",
		

	    "quality", "high",
		

	    "bgcolor", "#3A6EA5",
		

	    "name", "detectionExample", 
		

	       "allowScriptAccess","always",
		

	    "type", "application/x-shockwave-flash",
		

	    "pluginspage", "http://www.adobe.com/go/getflashplayer" ); 

The first instance of "allowScriptAccess","sameDomain," is on line 53 and the second instance is on line 69 of the playerProductInstall.html page.

Additional Information

The Flash Player Detection Kit can be downloaded at www.adobe.com/products/flashplayer/download/detection_kit/

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy