Issue

In Adobe Flash Player 9 update 3 (v9.0.115.0), calling getURL (or its ActionScript 3.0 equivalent, navigateToURL) does not work properly when the calling Flash Player movie (SWF) file is located in a different domain than its hosting HTML page. An exception to this issue is when the target name is "_blank" or the HTML parameter AllowScriptAccess is set to "always."

This issue may prevent some SWF files from changing a user's web browser location. It may also interfere with attempts by the SWF file to execute JavaScript-style URLs (javascript: URLs) within the context of the hosting page or other frames within that page.



Reason

In some situations, authors of HTML pages may decide to embed SWF files that they do not trust in their HTML pages. For example, an HTML author may not want a SWF file that is under another party's control to manipulate their HTML page, execute arbitrary JavaScript within it, or extract data from it. This issue may occur when an HTML page includes Flash content from an advertiser, or when an HTML discussion forum permits users to embed Flash artwork in their posts.

Starting with Adobe Flash Player 9, getURL (or navigateToURL) calls targeting "_self," "_parent," or "_top" were treated as an interaction with the hosting HTML page. With Flash Player 9 update 3 (v9.0.115.0) and later, calls to any target other than "_blank" (including named windows and frames) are affected. This change prevents untrusted SWF files embedded in the HTML page from renavigating a browser page (or a frame within that page) without warning users that they are now visiting a third-party website. This change also enforces cross-domain scripting restrictions across all HTML frames.

To protect HTML pages from untrusted SWF files, Flash Player supports the HTML parameter AllowScriptAccess in the <object> and <embed> tags that display Flash content. AllowScriptAccess can have three values:

  • "always": permits the SWF file to interact with the HTML page in all cases.
  • "sameDomain": permits the SWF file to interact with the HTML page only when both of their domains match exactly. By default, the HTML publish templates in the Adobe Flash authoring application output HTML that specifies AllowScriptAccess="sameDomain" because this is frequently the desired security behavior.
  • "never": completely prevents the SWF file from interacting with the HTML page.

Calling getURL (or navigateToURL) now falls under the control of the AllowScriptAccess parameter. In other words, the call succeeds only if AllowScriptAccess is "always," or if AllowScriptAccess is "sameDomain" and the domains of the HTML page and the SWF file match exactly. Otherwise, the call to getURL (or navigateToURL) will fail, unless the target is "_blank."

This behavior was introduced in Flash Player 9 (and extended in Flash Player 9 update 3, v9.0.115.0) to comply with the security model, and it affects SWF files of all versions. Adobe is aware that this may change the behavior of some SWF file media deployed before the release of Flash Player 9, and we apologize for any inconvenience this may cause.



Solution

If a SWF file is calling getURL (or navigateToURL) and it is failing for the reasons described above, there are several workarounds that may be applied.

Modify the HTML page.

The easiest fix is to specify AllowScriptAccess="always" in the HTML page, as in this example:

<object
  classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
  codebase="http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0">
  <param name="movie" value="http://otherdomain.com/exampleContent.swf">
  <param name="allowScriptAccess" value="always">
  <embed type="application/x-shockwave-flash"
    pluginspage="http://www.adobe.com/go/getflashplayer"
    src="http://otherdomain.com/exampleContent.swf"
    allowScriptAccess="always"></embed>
</object>

Only specify AllowScriptAccess="always" if you trust the SWF file that you are embedding, for example, if you are the author of the SWF file or if you believe that the author of the SWF file is trustworthy. Be aware that specifying AllowScriptAccess="always" has other effects beyond permitting getURL and navigateToURL to renavigate a window or frame. It also permits the SWF file to execute JavaScript code in the context of your HTML page or frame, so a malicious or compromised SWF file can read and modify that page just as a script in the page itself could.

Modify the SWF file.

If you do not control the content of the HTML page that hosts the SWF file, you can change your getURL or navigateToURL call to use "_blank" as the target, which will cause your getURL (or navigateToURL) operation to open your URL in a new browser window. This will work in Flash Player 9 regardless of the value of AllowScriptAccess, because the hosting page and its frames are not renavigated.



This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.