The updated Security Whitepaper for Flash Player 9 is now available on the Flash Player Developer Center. This whitepaper focuses on the security-related features of Flash Player, and describes both features introduced in previous players and new enhancements in Flash Player 9. With Flash Player 9, we introduced a few new security features, but the basic security model is unchanged. Many of these features are a result of the new ActionScript 3.0 language and AVM2.
New in Flash Player 9 (excerpt from page 12)
* The ActionScript 3.0 display list: This new architecture for working with onscreen objects provides more efficient code for checking the security restrictions for content loaded from different domains.
* Greater restriction of cross-domain visual and sound elements: New restrictions prevent (by default) SWF files from different domains inappropriately overlaying visual content in an application or from inappropriately stopping audio.
* Import loading of SWF files: When loading another SWF file, a loading SWF file can request that Flash Player check for a cross-domain policy file on the loaded file’s server, and if granted permission, the loading SWF file can access the loaded content with the same access as if it were loaded from the domain of the loading file.
* Access to sound data: ActionScript 3.0 provides greater access to the data in loaded sound (MP3) files, such as sound spectrum data. Cross-domain access to this data is controlled via cross-domain policy files.
* Better default location for cross-domain policy files: In ActionScript 3.0, the default source for a cross-domain policy file pertaining to socket connections is the same port as the socket (rather than an HTTP server).
* Restricted access to media data originating from RTMP servers: Flash Player 9 cannot access video data or sound spectrum data for media loaded from RTMP (Flash Media Server) sources, although it can display and play video and sounds loaded from these servers.
* Improved scope of permission mechanisms: Flash Player 9 provides more specific control when using the Security.allowDomain() and Security.exactSettings APIs than was available in previous versions. In Flash Player 9, using these APIs applies only to the SWF file that calls them, not to other SWF files from the same domain.
* The allowNetworking flag: A new HTML setting provides greater control of networking capabilities of SWF files.
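Several of the items above (import loading, sound data access, socket policy files) hinge on what a server's cross-domain policy file grants. As an added example, not part of the whitepaper or the blog post, the following Python script audits a policy document for permissive settings: a wildcard `domain="*"`, `secure="false"` (which lets HTTP-loaded content use a policy served over HTTPS), and `to-ports="*"` on a socket policy. The two sample policies are constructed for this example; the element and attribute names follow the crossdomain.xml format that Flash Player itself consumes.

```python
"""Audit Flash cross-domain policy files (crossdomain.xml or a socket
policy file) for permissive grants. Added example; the sample policy
documents below are constructed and do not come from any real server."""
import xml.etree.ElementTree as ET

# Constructed sample: grants every origin access, allows non-HTTPS callers
# to use the policy, and opens every socket port.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" to-ports="*"/>
</cross-domain-policy>
"""

# Constructed sample: access limited to named hosts and one socket port.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com" to-ports="8443"/>
  <allow-access-from domain="*.static.example.com"/>
</cross-domain-policy>
"""


def audit_policy(xml_text: str) -> list:
    """Return human-readable findings for one policy document.

    An empty list means no permissive pattern was found. The checks are
    deliberately conservative: a subdomain wildcard is reported so the
    reviewer can confirm it is intended, not treated as an error.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # Flash treats a missing 'secure' attribute as true for HTTPS-served
        # policies, so only an explicit "false" weakens the policy.
        secure = rule.get("secure", "true").lower()
        ports = rule.get("to-ports")

        if domain == "*":
            findings.append("wildcard domain grants every origin access")
        elif domain.startswith("*."):
            findings.append(f"subdomain wildcard: {domain}")
        if secure == "false":
            findings.append(
                f'secure="false" lets HTTP-loaded content use this policy for {domain}'
            )
        if ports == "*":
            findings.append(f'to-ports="*" opens every socket port for {domain}')
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY),
                      ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}: {audit_policy(doc) or ['no findings']}")
```

Run the script directly to see the two sample policies compared; to audit a real file, read its text and pass it to `audit_policy`. Because the policy file is the only thing standing between a loading SWF and another domain's data, treating `domain="*"` as a finding rather than a convenience is the safe default.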