Cross-Domain 101

I have noticed some confusion around the different cross-domain loading mechanisms in Flash Player. It's a complex topic, so I figured I’d put together a 90 second primer on the differences.

To wit, there are essentially four types of cross-domain loading mechanisms:

Cross-domain data loading

Data loading means you are actually importing data from another site… in other words, your code has access to the actual bits. This includes operations such as loading XML files, accessing the bits of an image or sound file, importing code into your sandbox, connecting via a socket, etc. In this scenario any content loaded is imported into the loader’s sandbox.

Cross-domain data loading is governed by cross-domain policy files, commonly known as “crossdomain.xml”. Crossdomain.xml allows a server to specify other domains from which SWFs are permitted to load cross-domain data from it.

Cross-domain data loading is something that is generally not directly possible in browsers today, since they don’t provide a mechanism to express cross-domain loading permissions like crossdomain.xml. The only significant exception to this is cross-domain script importing (i.e. SCRIPT SRC=). Why is universal cross-domain script importing ok, but no other cross-domain data loading mechanism? I have no idea; someone back in the day decided that it was ok.

Cross-domain content loading

This is the concept of loading cross-domain content in a hands-off fashion. For example, you can currently load and display images and play other SWFs and sound files cross-domain. This does not require any cross-domain permissions.

So how is this different from cross-domain data loading? It's a hands-off loading operation, which means the loaded content in question can be displayed to the user, but the code that loaded it has no access to its bits. So you can’t script into it or inspect its bits because it remains in its original context.

This model is the same in the browser… you can load images or iframes across domains, but you cannot inspect them or script into them.

Cross-domain SWF->SWF or HTML->SWF scripting

A SWF can specify other domains from which SWFs or HTML are permitted to script into it. Scripting is not governed in any way by crossdomain.xml. It requires calling an ActionScript API:

SWF->HTML scripting

SWF to HTML scripting is governed by the allowScriptAccess OBJECT/EMBED parameter. It defaults to “sameDomain”, which means that a SWF is only allowed to script into the surrounding HTML content and browser when it comes from the same domain as the HTML hosting it.
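
An added example, not from the original post or from Adobe: the Python below reads a crossdomain.xml policy, decides whether a SWF served from a given domain is granted cross-domain data loading, and flags a grant to every domain. The sample policies, the function names and the simplified wildcard matching are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.cdn.example.com"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns granted by <allow-access-from> entries."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def pattern_matches(pattern, domain):
    """Simplified matcher (an assumption, not Flash Player's own code):
    '*' matches everything, '*.suffix' matches subdomains of suffix,
    anything else must match exactly."""
    domain = domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".cdn.example.com"
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return bool(pattern) and pattern == domain


def may_load_data(policy_xml, swf_domain):
    """True if a SWF served from swf_domain is granted data-loading access."""
    return any(pattern_matches(p, swf_domain)
               for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """Flag entries that open the server's data to SWFs from any domain."""
    return [p for p in allowed_domains(policy_xml) if p == "*"]
```

Running audit() over the policy files your own servers publish shows which ones grant data access to SWFs from every domain.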

One Response to Cross-Domain 101

  1. shaun says:

    I still don’t understand. I have tried using the following But I keep getting the Flash Player error saying it blocked my request from that domain. Do you have any ideas? I am trying to load a .mov file that is on the main college site into our webpage using the file import movie in Flash. Thanks for your help in advance.

    [Lucas:] Hi Shaun, good question. First of all, you don’t need to use allowDomain at all; that would be only if you want to allow HTML and SWFs from your main college site to script into your own SWF, which I don’t think is what you want to do.

    If you want to simply play a video file from a remote server, your best choice is to use the Video class. You don’t need to import video if you just want to play it.

    If you do actually need to import the movie into your own domain, the server you are loading the video from will need to grant access to your site via a crossdomain.xml policy file.