Flash Player 9 April 2008 Security Update affects me too

April 11th, 2008 § 2 comments

So here I was, thinking that the Flash Player 9 security update (version 9.0.124) wasn’t going to affect me. A silly assumption, of course—I should have tested with the beta, regardless—but since I didn’t do anything fancy with sockets or web services, I thought I would be fine.


I missed this section: “You have SWFs that are exported for Flash Player 7 (SWF7) or earlier that communicate with the hosting HTML by any means”.

And when they say “any means,” that includes LoadVars.send(), which I am using, in a SWF that is hosted on a different subdomain than the page which contains it (petswf.bunnyherolabs.com vs bunnyherolabs.com).

Luckily, the fix was simple: I just had to add the parameter allowScriptAccess = "always" to the embed tag. Phew!

Next time I see one of these announcements, I promise I will test it, even if I don’t think it applies to me ;)
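A check for this kind of embed, added here as an example and not part of the original post: the parser below lists every Flash embed on a page with its effective allowScriptAccess value and marks those that combine "always" with a SWF served from a different host, since that setting lets the SWF script the hosting page regardless of where it came from. The page URL, file names and sample markup are constructed; only the two host names come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; hosts are the two named in the post, file names are made up.
PAGE_URL = "http://bunnyherolabs.com/adopt/"
SAMPLE_HTML = """
<embed src="http://petswf.bunnyherolabs.com/form.swf" allowScriptAccess="always">
<object data="/swf/local.swf"><param name="allowScriptAccess" value="never"></object>
<embed src="http://petswf.bunnyherolabs.com/other.swf">
"""

class FlashEmbedAudit(HTMLParser):
    """Collects <embed>/<object> Flash embeds and their allowScriptAccess value."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.embeds, self._object = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lower-cased
        if tag == "embed":
            self._record(a.get("src", ""), a.get("allowscriptaccess"))
        elif tag == "object":
            self._object = {"movie": a.get("data", ""), "access": None}
        elif tag == "param" and self._object is not None:
            name = a.get("name", "").lower()
            if name == "movie":
                self._object["movie"] = a.get("value", "")
            elif name == "allowscriptaccess":
                self._object["access"] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self._record(self._object["movie"], self._object["access"])
            self._object = None

    def _record(self, src, access):
        swf = urljoin(self.page_url, src)
        cross = urlparse(swf).hostname != urlparse(self.page_url).hostname
        access = (access or "sameDomain").lower()  # unset means the player default
        self.embeds.append({"swf": swf, "access": access, "cross_host": cross,
                            "review": cross and access == "always"})

def audit(page_url, html):
    parser = FlashEmbedAudit(page_url)
    parser.feed(html)
    return parser.embeds

if __name__ == "__main__":
    for e in audit(PAGE_URL, SAMPLE_HTML):
        print(e)
```

An entry with "review" set is one where the SWF's host should be confirmed as trusted; a cross-host entry left at sameDomain is the configuration that stopped working in the post.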

§ 2 Responses to “Flash Player 9 April 2008 Security Update affects me too”

  • Jason Lowe says:

    I tried your suggestion but couldn’t get it working. In my SWF I’m calling loadvars but sending the request to another IP address (i.e., not where the original SWF came from).

    What was your situation exactly?


  • bunnyhero says:

    Hey Jason,

    My SWF is a simple form, hosted on petswf.bunnyherolabs.com. When the user clicks on the submit button, the SWF does a LoadVars.send() to a URL on bunnyherolabs.com (different domain).

    During troubleshooting, I also added crossdomain.xml files to both petswf… and bunnyherolabs.com. I didn’t remove them after I got it working, so I don’t know if it was necessary or not. Perhaps it is? Try adding a crossdomain.xml to the destination of the LoadVars.

    And I just now found this article, which I wish I had read when I first encountered the problem! It shows you how to turn on “policy file logging” in the debug version of the Flash Player.
