About Flash Player security features

By default, Flash Player 7 and later prevents a SWF file served from one domain from accessing data, objects, or variables from SWF files that are served from different domains cannot access each other's objects and variables. In addition, content that is loaded through nonsecure (non-HTTPS) protocols cannot access content loaded through a secure (HTTPS) protocol, even when both are in exactly the same domain. For example, a SWF file located at http://www.macromedia.com/main.swf cannot load data from https://www.macromedia.com/data.txt without explicit permission. Nor can a SWF file served from one domain load data (using loadVariables(), for example) from another domain.

Identical numeric IP addresses are compatible. However, a domain name is not compatible with an IP address, even if the domain name resolves to the same IP address.

The following table shows examples of compatible domains:

The following table shows examples of incompatible domains:

For information on how to permit a SWF file served from one domain to access data, objects, or variables from SWF files that are served from another domain, see About allowing data access between cross-domain SWF files. For information on how to permit a SWF file served from a secure (HTTPS) protocol to access data, objects, or variables from SWF files that are served from insecure protocols, see About allowing HTTP to HTTPS protocol access between SWF files. For information on how to permit a SWF file served from one domain to load data (using loadVariables(), for example) from another domain, see About allowing cross-domain data loading.

For information about how these security changes affect content authored in Flash MX and earlier, see About compatibility with previous Flash Player security models.