luigidenaro
asked on
Read flash variable from external domain with javascript
Dear Experts,
Anyone know if it's possible to avoid flash sandbox security to read a variable inside an swf from a javascript?
I don't need to pass the variable from flash to javascript calling some function, I need to directly read a variable inside flash using flash_object.GetVariable("
More details:
I have the following.
A Swf file called test.swf with just this two lines:
line 1: var test="12345";
line 2: stop();
then I have a test_readflashvar.js file on the same site with just the flash object code that is written through document.write
and a javascript function testing() that tries to read variable test inside swf.
I have a timer that execute it every x secs.
function write_flash_object(url) {
//code that write my flash object to document
}
function testing() {
var o = getFlashMovieObject("flash
if (o==null || o.PercentLoaded()<100) return;
alert(o.GetVariable("j"));
return;
}
Then I add the script to any of my websites (different domain where is located the swf file) <script src="http://target_domain/test_readflashvar.js"></script>
And when I load the page with the included script, and it executes and the line alert(o.GetVariable("j"));
Can anyone give a hint to overpass flash sandbox security control?
Regards,
Luigi.
Anyone know if it's possible to avoid flash sandbox security to read a variable inside an swf from a javascript?
I don't need to pass the variable from flash to javascript calling some function, I need to directly read a variable inside flash using flash_object.GetVariable("
More details:
I have the following.
A Swf file called test.swf with just this two lines:
line 1: var test="12345";
line 2: stop();
then I have a test_readflashvar.js file on the same site with just the flash object code that is written through document.write
and a javascript function testing() that tries to read variable test inside swf.
I have a timer that execute it every x secs.
function write_flash_object(url) {
//code that write my flash object to document
}
function testing() {
var o = getFlashMovieObject("flash
if (o==null || o.PercentLoaded()<100) return;
alert(o.GetVariable("j"));
return;
}
Then I add the script to any of my websites (different domain where is located the swf file) <script src="http://target_domain/test_readflashvar.js"></script>
And when I load the page with the included script, and it executes and the line alert(o.GetVariable("j"));
Can anyone give a hint to overpass flash sandbox security control?
Regards,
Luigi.
ASKER
It's a flash plugin security issue, I know, but maybe someone knows an alternative way to overpass it.
ASKER
Well, after trying and trying I found the solution.
Using this directive on main flash it avoid security restrictions for any domain.
System.security.allowDomai
If u want to allow just a domain then is so simply like replacing the * for a domain in the way http://www.domain.com
The problem on this is that the swf remains exposed for external hacking.
Using this directive on main flash it avoid security restrictions for any domain.
System.security.allowDomai
If u want to allow just a domain then is so simply like replacing the * for a domain in the way http://www.domain.com
The problem on this is that the swf remains exposed for external hacking.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
In JS you cannot access any variable/object/function if they are not on the same domain (through an iframe for example).
That's a browser security issue.
Maybe this apply too on flash objects if not on same domain than the script.