Cross-Domain 101

I have noticed some confusion around the different cross-domain loading mechanisms in Flash Player. Its a complex topic, so I figured I’d put together a 90 second primer on the differences.


To wit, there are essentially four types of cross-domain loading mechanisms:Cross-domain data loadingData loading means you are actually importing data from another site… in other words, your code has access to the actual bits. This includes operations such as loading XML files, accessing the bits of an image or sound file, importing code into your sandbox, connecting via a socket, etc. In this scenario any content loaded is imported into the loader’s sandbox.Cross-domain data loading is governed by cross-domain policy files, commonly known as “crossdomain.xml”. Crossdomain.xml allows a server to specify other domains from which SWFs are permitted to load cross-domain data from it.Cross-domain data loading is something that is generally not directly possible in browsers today, since they don’t provide a mechanism to express cross-domain loading permissions like crossdomain.xml. The only significant exception to this is cross-domain script importing (i.e. SCRIPT SRC=). Why is universal cross-domain script importing ok, but no other cross-domain loading data mechanism? I have no idea, someone back in the day decided that it was ok.Cross-domain content loadingThis is the concept of loading cross-domain content in a hands-off fashion. For example, you can currently load and display images & play other SWFs and sound files cross-domain. This does not require any cross-domain permissions.So how is this different from cross-domain data loading? Its a hands-off loading operation, which means the loadee content in question can be displayed to the user, but the code that loaded it has no access to its bits. So you can’t script into it or inspect its bits because it remains in its original context.This model is the same in the browser… you can load images or iframes across domains, but you cannot inspect them or script into them.Cross-domain SWF->SWF or HTML->SWF scriptingA SWF can specify other domains from which SWFs or HTML are permitted to script into it. Scripting is not governed in any way by crossdomain.xml.It requires calling an ActionScript API: System.security.allowDomain()Cross-domain SWF->HTML scriptingSWF to HTML scripting is governed by the allowScriptAccess OBJECT/EMBED parameter. It defaults to “sameDomain” which means that SWF is only allowed to script into the surrounding HTML content and browser when it comes from the same domain as the HTML hosting it.