In Adobe Flash Player 9 update 3 (v18.104.22.168), calling getURL (or its ActionScript 3.0 equivalent, navigateToURL) does not work properly when the calling Flash Player movie (SWF) file is located in a different domain than its hosting HTML page. An exception to this issue is when the target name is "_blank" or the HTML parameter AllowScriptAccess is set to "always."
With Adobe Flash Player 9 and later, getURL (or navigateToURL) calls affecting "_self," "_parent," or "_top"were considered an interaction with the hosting HTML page. With the Flash Player 9 update 3 (v22.214.171.124) and later, all calls to targets other than "_blank" are affected. This change prevents untrusted SWF files embedded in the HTML page from renavigating a browser page (or a frame within that page) without warning users that they are now visiting a third-party website. This change also enforces cross-domain scripting restrictions across all HTML frames.
To protect HTML pages from untrusted SWF files, Flash Player supports the HTML parameter AllowScriptAccess in the <object> and <embed> tags that display Flash content. AllowScriptAccess can have three values:
- "always": permits the SWF file to interact with the HTML page in all cases.
- "sameDomain": permits the SWF file to interact with the HTML page only when both of their domains match exactly. By default, the HTML publish templates in the Adobe Flash authoring application output HTML that specifies AllowScriptAccess="sameDomain" because this is frequently the desired security behavior.
- "never": completely prevents the SWF file from interacting with the HTML page.
Calling getURL (or navigateToURL ) now falls under the control of the AllowScriptAccess parameter. In other words, AllowScriptAccess must either be "always" or "sameDomain," and the domains of the HTML page and SWF file must match exactly. Otherwise, the call to getURL (or navigateToURL) will fail.
This behavior is new to Flash Player 9 (and enhanced in Flash Player 9 Update 3 v126.96.36.199)to comply with the security model, and it affects all SWF file versions. Adobe is aware that this may change the behavior of some SWF file media deployed before the release of Flash Player 9, and we apologize for any inconvenience this may cause.
If a SWF file is calling getURL (or navigateToURL) and it is failing for the reasons described above, there are several workarounds that may be applied.
Modify the HTML page.
The easiest fix is to specify AllowScriptAccess="always" in the HTML page, as in this example:
codebase=" http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" >
<param name="movie" value="http://otherdomain.com/exampleContent.swf">
<param name="allowScriptAccess" value="always">
Modify the SWF file.
If you do not control the content of the HTML page that hosts the SWF file, you can change your getURL or navigateToURL call to use"_blank" as the target, which will cause your getURL (or navigateToURL ) operation to open your URL in a new browser window. This will work in Flash Player 9 regardless of the value of AllowScriptAccess.