How do I open 'cross-domain security', so the JavaScript on the page can freely communicate with the SWF, even when this is hosted on another domain?

I know for certain that this function communication is blocked by default, but I have been playing around with a file called "crossdomain.xml" and the ActionScript 3 function system.Security.allowDomain("*"). I'm not having full success though, and I don't have the insight to know which one is opening up for what.

Are there other hidden security layers that I need to think of in this scenario?

And am I opening up my code for potential hackers somehow by doing this setup?

(And in case you're wondering: yes, I have to make this work in a scenario where the HTML is hosted on one domain, the JavaScript is added externally from another domain and the SWF is embedded by the JavaScript from a third domain. Don't ask why, it's too complicated to explain. I too wish I could just host the whole thing in one domain.)

+3  A: 

Using Security.allowDomain("www.example.com") in the SWF will allow JS in a page from www.example.com to call functions exposed in the SWF with ExternalInterface.addCallback(). The domain and subdomain must match exactly. Using "*" will allow any domain to communicate with the SWF, but if you have one specific domain, it's better to use that.

Setting allowScriptAccess to always in the HTML embed code will allow the SWF to call JavaScript functions.

One thing that catches many developers is that JavaScript will not be able to call functions on the SWF until the SWF is done loading. Unfortunately, there is no JS-based event that tells you when the SWF is ready (at least that I've found). What I usually do to work around this problem is call a JS function from the SWF immediately when the SWF finishes loading to notify the page that the SWF is ready.

There's some abstraction here and there, but if you take a look at the source code for YUI Charts, you might be able to figure out how Yahoo! got crossdomain JS/SWF communication working.

joshtynjala
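
The ready-notification workaround described in the answer above, sketched for the page side as an added example (not code from the answer or from YUI Charts): calls are queued until the SWF reports that it has loaded, and ready signals from ids the page never registered are ignored. It assumes the SWF calls a global `onSwfReady(objectId)` through ExternalInterface.call() when it finishes loading; `createSwfBridge`, `register`, `onReady`, `call` and `onSwfReady` are hypothetical names.

```javascript
// Added example: page-side "ready" handshake for an embedded SWF.
// getElement maps an embed id to its <object>/<embed> element; in a browser
// that would be (id) => document.getElementById(id).
function createSwfBridge(getElement) {
  const pending = new Map(); // embed id -> queued [method, args] pairs
  const ready = new Set();   // embed ids that have signalled "ready"

  // Register an embed id before the SWF is written into the page.
  function register(objectId) {
    if (!pending.has(objectId)) pending.set(objectId, []);
  }

  // Call a function the SWF exposed with ExternalInterface.addCallback().
  // Before the ready signal the call is queued and undefined is returned.
  function call(objectId, method, ...args) {
    if (!pending.has(objectId)) throw new Error("unknown SWF id: " + objectId);
    if (!ready.has(objectId)) {
      pending.get(objectId).push([method, args]);
      return undefined;
    }
    const swf = getElement(objectId);
    if (!swf) throw new Error("SWF element not found: " + objectId);
    return swf[method](...args);
  }

  // Invoked by the SWF (assumed: ExternalInterface.call("onSwfReady", id)).
  // With allowScriptAccess="always" any embedded SWF can reach this function,
  // so only ids the page registered itself are accepted, and only once.
  function onReady(objectId) {
    if (!pending.has(objectId) || ready.has(objectId)) return false;
    ready.add(objectId);
    const queued = pending.get(objectId).splice(0);
    for (const [method, args] of queued) call(objectId, method, ...args);
    return true;
  }

  return { register, call, onReady };
}

// Browser wiring (assumed global name, must match what the SWF calls):
//   const bridge = createSwfBridge((id) => document.getElementById(id));
//   window.onSwfReady = bridge.onReady;
```
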