Flash AS security question

I don't know Flash AS at all, used to 开发者_开发知识库experiment when I was 15, but not anymore. Anyway, I wanted to know if there is a way to make swf files check which domain they're being loaded from and the react accordingly.

By "which domain they're being loaded from" do you mean:

1. The SWF itself?
2. The page that contains the SWF?

If #1, you can get the value easily from the root.loaderInfo.url property of any display object.

#2 is trickier. If allowscriptaccess is set to true in the embed code, you can use Javascript with an ExternalInterface call. It's on the document.location.host or document.location.hostname.

If you don't have access to Javascript (like if your SWF is in a Facebook post), you'll need to do a little setup, and the solution will be dependent on the user's browser behaving. Here's one way to do it:

Set up a server-side script that your SWF can ping. This script should look for the http "referer" header, and send that back when pinged. Then have your SWF send a URLRequest to this script. The data will be the embedding site.

In PHP, the script would just be echo $_SERVER["HTTP_REFERER"];. It's similarly simple in most other languages.

Here's another way to do it: How do I get the domain of the page that's loading my swf when I don't have script access?

If you just want to protect your SWF from being embedded in others' pages, that's easier. Just check for ExternalInterface.available. If it's false, disable the SWF. If it's true, check the domain using the above (#1) method and disable the SWF if the domain is wrong.