MandalaTV
Personal and Professional Blog of Rich Hauck

Flash 9 Actionscript 3.0 and Security #2137. Or Why Flash Hyperlinks Don’t Work.

by: Rich Hauck

First off, I apologize for such an SEO-friendly title to this post, but I want to make sure that no one else suffers through the searching I recently went through.

I recently worked on a site where I was using Flash 9 with AS 3.0 to build the primary menu for a Web site. The code was some simple drop back and pass (sorry, playing too much Madden these days):

private function onClick(event:Event):void {
    //_urlArray is a list of page links
    var request:URLRequest = new URLRequest(_urlArray[urlID]);
navigateToURL(request, "_self");
}

So, the site launches, and soon after, I’m getting calls from the client that the navigation links don’t do anything. It works fine in my tests, so I contact some friends to try the site. No problems. So, to see this firsthand, I go to my client’s office to test the issue, only to discover that we can’t adequately replicate the issue. I check my .htaccess, the site’s PHP framework, and conclude that it’s a DNS issue (since the site recently tranferred hosts).

The problem still occurs a day later.

So, I stop back in, and quickly discover that the Flash works fine from http://www.site.com but fails silently when the user is on http://site.com. Thanks to my trusty Flash Debugger Player, I find out it’s error 2137.

After exhaustively learning about the new Flash Player 9 security, I learn that the only thing I have to do is place the following in the <object> and <embed>:

<param name="allowScriptAccess" value="always" />
<EMBED src="file.swf" AllowScriptAccess=""></EMBED>

Alternatively, if you use SWFObject like me, you would use the following:
so.addParam("AllowScriptAccess", "always");

So what was the problem? Well Adobe integrated a new feature into ActionScript 3.0 security where setting the window type of “_self” in navigateToURL() is only allowed from the same domain. In my case, www.site.com and site.com aren’t the same domain (btw, IP != domain, either). In order for a Website to declare trust to an SWF, it has to provide it in in the HTML.

Anyhow, I hope this saves someone the time I took scrambling through Adobe Flash security docs. 🙂


3 thoughts on “Flash 9 Actionscript 3.0 and Security #2137. Or Why Flash Hyperlinks Don’t Work.

  1. Ali Drongo says:

    Thanks for that Rich, worked great with SWFObject 🙂

  2. Thanks! Saved me some, what would have otherwise been, wasted time.

  3. Neil says:

    Thanks Rich…this really saved me and my boss a lot of headaches.

Leave a Reply

Your email address will not be published. Required fields are marked *

About Rich Hauck

Rich Hauck

I'm a creative technologist at Hauck Interactive, Inc. and an adjunct instructor at HACC. I live in Harrisburg, Pa. with my wife and three boys. I enjoy good coffee, Trappist beers, Orioles baseball, and good design.


Archives