Much of Flash Player security is based on the domain of origin for loaded SWF files, media, and other assets. A SWF file from a specific Internet domain, such as www.example.com, can always access all data from that domain. These assets are put in the same security grouping, known as a security sandbox. (For more information, see Security sandboxes.)

For example, a SWF file can load SWF files, bitmaps, audio, text files, and any other asset from its own domain. Also, cross-scripting between two SWF files from the same domain is always permitted, as long as both files are written using ActionScript 3.0. Cross-scripting is the ability of one SWF file to use ActionScript to access the properties, methods, and objects in another SWF file. Cross-scripting is not supported between SWF files written using ActionScript 3.0 and those using previous versions of ActionScript; however, these files can communicate by using the LocalConnection class. For more information, see Cross-scripting.

The following basic security rules always apply by default:

• Resources in the same security sandbox can always access each other.
• SWF files in a remote sandbox can never access local files and data.

Flash Player considers the following to be individual domains, and sets up individual security sandboxes for each:

• http://example.com
• http://www.example.com
• http://store.example.com
• https://www.example.com
• http://192.0.34.166

Even if a named domain, such as http://example.com, maps to a specific IP address, such as http://192.0.34.166, Flash Player sets up separate security sandboxes for both.

There are two basic methods that a developer can use to grant a SWF file access to assets from sandboxes other than that of the SWF file:

• The Security.allowDomain() method (see Author (developer) controls)
• The cross-domain policy file (see Website controls (cross-domain policy files))

The ability of a SWF file to cross-script ActionScript 3.0 SWF files from other domains and to load data from other domains is prohibited by default. It can be granted with a call to the Security.allowDomain() method in the loaded SWF file. For details, see Cross-scripting.

In the Flash Player security model, there is a distinction between loading content and accessing or loading data:

• Loading content--Content is defined as media, including visual media Flash Player can display, audio, video, or a SWF file that includes displayed media. Data is defined as something that is accessible only to ActionScript code. You can load content using classes such as the Loader, Sound, and NetStream classes.
• Accessing content as data or loading data--You can access data in two ways: by extracting data from loaded media content or by directly loading data from an external file (such as an XML file). You can extract data from loaded media by using Bitmap objects, the BitmapData.draw() method, the Sound.id3 property, or the SoundMixer.computeSpectrum() method. You can load data using classes such as the URLStream, URLLoader, Socket, and XMLSocket classes.

The Flash Player security model defines different rules for loading content and accessing data. In general, there are fewer restrictions on loading content than on accessing data.

In general, content (SWF files, bitmaps, mp3 files, and videos) can be loaded from anywhere, but if the content is from a domain other than that of the loading SWF file, it will be partitioned in a separate security sandbox.

There are a few barriers to loading content:

• By default, local SWF files (those loaded from a non-network address, such as a user's hard drive) are classified in the local-with-filesystem sandbox. These files cannot load content from the network. For more information, see Local sandboxes.
• Real-Time Messaging Protocol (RTMP) servers can limit access to content. For more information, see Content delivered using RTMP servers.

If the loaded media is an image, audio, or video, its data, such as pixel data and sound data, cannot be accessed by a SWF file outside its security sandbox, unless the domain of that SWF file has been included in a cross-domain policy file at the origin domain of the media. For details, see Accessing loaded media as data.

Other forms of loaded data include text or XML files, which are loaded with a URLLoader object. Again in this case, to access any data from another security sandbox, permission must be granted by means of a cross-domain policy file at the origin domain. For details, see Using URLLoader and URLStream.