How to restrict SWF content from HTML

When you host SWF content inside HTML, you have a few tools at your disposal to control how much privilege that SWF has. If you are hosting SWFs that you created or trust completely, these may be unnecessary; otherwise, you may find them useful.

When specifying container tags (i.e. OBJECT or EMBED), you can optionally provide one of the following two parameters: “allowScriptAccess” and “allowNetworking”. These parameters can only be specified within HTML (not from a SWF itself), and they apply to the root SWF and any other SWFs the root SWF may load.

“allowScriptAccess” controls the ability of the SWF to call into the browser’s JavaScript DOM. This means the SWF could inject script into the website that is hosting it, which can be dangerous, or at least undesirable (the SWF could open new windows, inject JavaScript into the surrounding HTML, redirect the current window, read cookies, etc.).

“allowNetworking” affects the ability of a SWF to perform network I/O, either via the browser (opening new windows, etc.) or directly using Flash networking APIs. This may also implicitly restrict scripting access to the browser, as you cannot prevent network I/O without prohibiting access to the browser’s JavaScript DOM.

In order of least to most restrictive, you can specify:

“allowScriptAccess=always”: This permits the SWF to call arbitrary browser JavaScript at all times, even if the SWF came from another domain. This is generally not safe to do unless you completely trust the SWF you are loading (and any child SWFs it may subsequently load).

“allowNetworking=all”: All normal network I/O is allowed (as permitted by the Flash Player security model).

“allowScriptAccess=sameDomain”: This permits the SWF to call into the browser’s JavaScript DOM only if the SWF came from the same domain as the HTML hosting it. This is equivalent to the typical browser “same origin policy” model.

“allowScriptAccess=never”: The SWF is never permitted to call into the browser’s JavaScript, even if it came from the same domain as its HTML container. You can use this setting if you host SWFs in the same domain as the HTML, but don’t trust the SWFs to interact with the surrounding HTML, cookies, etc. In particular, this setting will also prevent the SWF from modifying or redirecting existing frames or windows.

However, if you really don’t trust the SWF, you may need some stronger medicine.

“allowNetworking=internal”: Everything with “allowScriptAccess=never” applies, and this setting also prevents the SWF from opening new browser windows, modifying existing ones, or otherwise affecting any browser state. The SWF can still use internal networking ActionScript APIs like loadMovie(), XML.load(), LoadVars, etc.

Finally, “allowNetworking=none” prohibits any browser or network interaction. This means that the SWF cannot do much more than interact with the assets it contains internally, and cannot do anything to influence the browser, or load or send any data over the network.

In addition, Flash Player integrates with the browser’s pop-up blocking technologies to ensure that windows that could not be opened directly via HTML/JavaScript will be blocked in Flash as well.

The safest strategy is to always explicitly set the parameter value you want, so you don’t have to worry about what the behavior will be in a given situation.

For additional details on the allowScriptAccess tag, see additional details on the allowNetworking tag, see
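As an added example (not code from the original post), the Python audit below parses HTML and reports every OBJECT or EMBED container where either parameter is missing, set to its least restrictive value, or not one of the values listed above. It assumes every OBJECT/EMBED in the input hosts a SWF; the names SwfContainerAudit, audit and SAMPLE and the file name widget.swf are made up for the illustration.

```python
from html.parser import HTMLParser

# Values described above, ordered least to most restrictive (lowercased).
KNOWN = {"allowscriptaccess": ["always", "samedomain", "never"],
         "allownetworking": ["all", "internal", "none"]}

class SwfContainerAudit(HTMLParser):  # collects both parameters per OBJECT/EMBED
    def __init__(self):
        super().__init__()
        self.containers = []   # one dict per container: tag, line, params
        self._objects = []     # stack of open OBJECTs so each PARAM binds to its parent

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip().lower() for k, v in attrs}
        entry = {"tag": tag, "line": self.getpos()[0], "params": {}}
        if tag == "object":
            self.containers.append(entry)
            self._objects.append(entry)
        elif tag == "param" and self._objects and attrs.get("name") in KNOWN:
            self._objects[-1]["params"][attrs["name"]] = attrs.get("value", "")
        elif tag == "embed":   # EMBED carries the settings as attributes
            entry["params"] = {k: v for k, v in attrs.items() if k in KNOWN}
            self.containers.append(entry)

    def handle_endtag(self, tag):
        if tag == "object" and self._objects:
            self._objects.pop()

def audit(html):
    """Return (line, tag, parameter, value, problem) for each setting to review."""
    parser = SwfContainerAudit()
    parser.feed(html)
    findings = []
    for c in parser.containers:
        for name, order in KNOWN.items():
            value = c["params"].get(name)
            if value in order[1:]:
                continue       # explicitly set, and not to the most permissive value
            problem = ("not set explicitly" if value is None else
                       "least restrictive value" if value == order[0] else
                       "not a value listed on this page")
            findings.append((c["line"], c["tag"], name, value, problem))
    return findings

# Constructed sample markup; widget.swf is a placeholder file name.
SAMPLE = """<object type="application/x-shockwave-flash" data="widget.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="widget.swf" allowScriptAccess="never" allowNetworking="internal">
</object>"""
```

Running audit(SAMPLE) flags the OBJECT twice (allowScriptAccess=always, allowNetworking unset) and passes the nested EMBED, which shows why both container tags need the same explicit values.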