How do I open 'cross-domain security', so the JavaScript on the page can freely communicate with the SWF, even when this is hosted on another domain?
如何打开“跨域安全性”,以便页面上的JavaScript可以*地与SWF通信,即使它在另一个域上托管?
I know for certain that this function communication is blocked by default, but by playing around with a file called "crossdomain.xml" and the actionscript 3 function: system.Security.allowDomain("*"). I'm not having full success though, and I don't have the insight to know which one is opening up for what.
我确实知道默认情况下会阻止此函数通信,但是通过使用名为“crossdomain.xml”的文件和actionscript 3函数:system.Security.allowDomain(“*”)。虽然我没有取得足够的成功,但我没有洞察力知道哪一个是开放的。
Is there other hidden security layers, that I need to think of in this scenario?
是否有其他隐藏的安全层,我需要在这种情况下考虑?
And am I opening up my code for potential hackers somehow by doing this setup?
我是否通过这种设置以某种方式为潜在的黑客打开我的代码?
(and in case you're wondering: Yes, I have to make this work in a scenario, where the html is hosted on one domain, the JavaScript is added externally from another domain and the SWF is embedded by the JavaScript from a third domain - don't ask why, it's too complicated to explain - I too wish I could just host the whole thing in one domain).
(如果你想知道:是的,我必须在一个场景中完成这项工作,其中html托管在一个域上,JavaScript从另一个域外部添加,而SWF由来自第三个域的JavaScript嵌入 - 不要问为什么,解释起来太复杂了 - 我也希望我能在一个域中托管整个事情。
2 个解决方案
#1
Using Security.allowDomain("www.example.com")
in the SWF will allow JS in a page from www.example.com to call functions exposed in the SWF with ExternalInterface.addCallback()
. The domain and subdomain must match exactly. Using "*"
will allow any domain to communicate with the SWF, but if you have one specific domain, it's better to use that.
在SWF中使用Security.allowDomain(“www.example.com”)将允许来自www.example.com的页面中的JS使用ExternalInterface.addCallback()调用SWF中公开的函数。域和子域必须完全匹配。使用“*”将允许任何域与SWF通信,但如果您有一个特定域,则最好使用它。
Setting allowScriptAccess
to always
in the HTML embed code will allow the SWF to to call JavaScript functions.
将allowScriptAccess设置为始终在HTML嵌入代码中将允许SWF调用JavaScript函数。
One thing that catches many developers is that JavaScript will not be able to call functions on the SWF until the SWF is done loading. Unfortunately, there is no JS-based event that tells you when the SWF is ready (at least that I've found). What I usually do to work around this problem is call a JS function from the SWF immediately when the SWF finishes loading to notify the page that the SWF is ready.
捕获许多开发人员的一件事是,在SWF完成加载之前,JavaScript将无法调用SWF上的函数。不幸的是,没有基于JS的事件可以告诉你什么时候SWF准备好了(至少我发现了)。我通常做的解决这个问题的方法是在SWF完成加载时立即从SWF调用JS函数,以通知页面SWF已准备就绪。
There's some abstraction here and there, but if you take a look at the source code for YUI Charts, you might be able to figure out how Yahoo! got crossdomain JS/SWF communication working.
这里和那里有一些抽象,但如果你看一下YUI Charts的源代码,你或许可以弄明白Yahoo!得到跨域JS / SWF通信工作。
#2
One thing I'd add to the previous answer: If you try the above code and it doesn't work, check to see if your site's address includes the "www" or not. Mine did not and didn't work if I wrote it as
我在上一个答案中添加了一件事:如果你尝试上面的代码并且它不起作用,请检查你的网站的地址是否包含“www”。如果我把它写成,那么我没有也没有工作
Security.allowDomain("www.jeremy-knight.com");
I needed to write it as:
我需要把它写成:
Security.allowDomain("jeremy-knight.com");
#1
Using Security.allowDomain("www.example.com")
in the SWF will allow JS in a page from www.example.com to call functions exposed in the SWF with ExternalInterface.addCallback()
. The domain and subdomain must match exactly. Using "*"
will allow any domain to communicate with the SWF, but if you have one specific domain, it's better to use that.
在SWF中使用Security.allowDomain(“www.example.com”)将允许来自www.example.com的页面中的JS使用ExternalInterface.addCallback()调用SWF中公开的函数。域和子域必须完全匹配。使用“*”将允许任何域与SWF通信,但如果您有一个特定域,则最好使用它。
Setting allowScriptAccess
to always
in the HTML embed code will allow the SWF to to call JavaScript functions.
将allowScriptAccess设置为始终在HTML嵌入代码中将允许SWF调用JavaScript函数。
One thing that catches many developers is that JavaScript will not be able to call functions on the SWF until the SWF is done loading. Unfortunately, there is no JS-based event that tells you when the SWF is ready (at least that I've found). What I usually do to work around this problem is call a JS function from the SWF immediately when the SWF finishes loading to notify the page that the SWF is ready.
捕获许多开发人员的一件事是,在SWF完成加载之前,JavaScript将无法调用SWF上的函数。不幸的是,没有基于JS的事件可以告诉你什么时候SWF准备好了(至少我发现了)。我通常做的解决这个问题的方法是在SWF完成加载时立即从SWF调用JS函数,以通知页面SWF已准备就绪。
There's some abstraction here and there, but if you take a look at the source code for YUI Charts, you might be able to figure out how Yahoo! got crossdomain JS/SWF communication working.
这里和那里有一些抽象,但如果你看一下YUI Charts的源代码,你或许可以弄明白Yahoo!得到跨域JS / SWF通信工作。
#2
One thing I'd add to the previous answer: If you try the above code and it doesn't work, check to see if your site's address includes the "www" or not. Mine did not and didn't work if I wrote it as
我在上一个答案中添加了一件事:如果你尝试上面的代码并且它不起作用,请检查你的网站的地址是否包含“www”。如果我把它写成,那么我没有也没有工作
Security.allowDomain("www.jeremy-knight.com");
I needed to write it as:
我需要把它写成:
Security.allowDomain("jeremy-knight.com");