Summary of Flash Security

It is very easy to run into Flash's multiple mechanisms for security, be unaware of the failure, and wonder why your program does not work. Adobe's existing documentation on security is thinly spread out and somewhat unclear on the subject.

Sandbox settings

There are two forms of sandbox setting:

  • One on the published SWF (which can be toggled in Haxe with -D options).
  • One set by the user to allow/block specific files and sites. In Flash 9, SWFs that use the network should compile with "-D network-sandbox". Flash 10 will add additional rules to publish with local file access.

(Note: Even a SWF in the localWithNetwork sandbox will be denied access to web resources over HTTP unless a flash.system.Security.allowDomain('*') call is issued, or the root of the accessed web server contains a file named crossdomain.xml with the following content:

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

However, I couldn't get it working without the crossdomain file.

For details and other options see:
Flash Player Security @ Adobe Livedocs
Overview of permission controls - website controls @ Adobe Livedocs

Note end)

Policy Files

The Flash client will silently request XML-formatted policy files any time it decides that it needs permission to open a connection with a remote server. Several kinds of policy files exist: URL policy, socket policy, and master/meta-policy files. Flash has multiple mechanisms for requesting them:

  • HTTP request to "crossdomain.xml" on the remote server. This method is not sufficient for all situations in Flash 9, but will work with URLRequests.
  • Open a connection to TCP port 843, the official policy file port, and use the server's output as a socket policy file. This is Flash's preferred method and allows the use of meta-policy files.
  • Open the requested connection and wait for a socket policy file to be sent via TCP before continuing. Flash will send the string "<policy-file-request/>" when this happens, which hampers compatibility with existing socket servers.

Example: neko server serving policy files: Flash/Neko Chat Example
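
The third mechanism seen from the server's side, as an added example in Python (not part of the original page or of the Flash/Neko chat example): the server inspects the first bytes of each connection and answers an in-band policy request with a narrowly scoped socket policy, otherwise it hands the bytes to its normal protocol. The domain app.example.com, port 5000 and the ECHO reply are constructed placeholders.

```python
import socketserver

# Flash terminates the in-band request with a NUL byte.
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed policy: domain and port are placeholders, scoped to one origin
# and one port rather than "*". The reply is NUL-terminated as well.
POLICY = (
    b'<?xml version="1.0"?>'
    b"<cross-domain-policy>"
    b'<allow-access-from domain="app.example.com" to-ports="5000"/>'
    b"</cross-domain-policy>\x00"
)

def classify(buf):
    """Classify a connection's first bytes: 'policy', 'incomplete' or 'app'."""
    if buf.startswith(POLICY_REQUEST):
        return "policy"
    if POLICY_REQUEST.startswith(buf):
        return "incomplete"  # still a prefix of the request: read more
    return "app"

def first_message(read):
    """Read chunks until the first bytes can be classified.
    `read(n)` returns the next chunk, or b"" once the peer has closed."""
    buf = b""
    while classify(buf) == "incomplete":
        chunk = read(64)
        if not chunk:
            return "app", buf  # peer closed before sending a full request
        buf += chunk
    return classify(buf), buf

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        kind, buf = first_message(self.request.recv)
        if kind == "policy":
            self.request.sendall(POLICY)  # reply, then let the connection close
            return
        # Hypothetical stand-in for the server's real protocol handling.
        self.request.sendall(b"ECHO " + buf)

def serve(port=5000):
    with socketserver.ThreadingTCPServer(("127.0.0.1", port), Handler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    serve()
```

Reading until the bytes stop being a prefix of the request keeps a policy request that arrives split across TCP segments from being passed to the application protocol as garbage.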


URLRequests are a convenient way of getting functionality identical to that of a browser/JavaScript application into a Flash app: GET and POST requests, including file transfers, are supported. URLRequest security is simpler to set up than socket security and allows you to use port 80, which is ideal for compatibility with heavy-handed firewalls that lock out most ports.

Socket Limitations

Unless you are using socket meta-policy files to indicate otherwise, Flash will refuse to open socket connections on ports up to 1024.

More information

Here you can get more information about Flash Player Security and Application Domains

version #19502, modified 2013-06-18 02:08:24 by filt3rek