I spent a large portion of yesterday caught up in a bug. Basically, Flash would make a call to Javascript, and a while later, get a call back. It worked something like this:

ExternalInterface.addCallback("callback", function ():void { ... });
ExternalInterface.call("doSomething");

Unfortunately it didn’t work. I thought I did everything right, I set allowScriptAccess to “always”, and since the swf and html page were hosted on different domains, I grant access to the swf via Security.allowDomain. But, whenever Javascript tried to call the “callback” function I would be stuck with this Javascript error:

Error in Actionscript. Use a try/catch block to find error.

So I tried putting it all in a try/catch of course, but that had no effect. Setting ExternalInterface.marshallExceptions to true changed the error message, but was no more helpful. I changed the function, but the error message didn’t go away. I had a hunch Flash itself was throwing the error, and I managed to figure it out.

The callback function itself was located in another swf that was loaded by the swf that set Security.allowDomain. I loaded it in the same ApplicationDomain and SecurityDomain, so for all intents and purposes I thought there were all the same blob of code. That’s not true, at least where ExternalInterface is concerned. Once I set the same Security.allowDomain for both swfs, the error stopped occurring. Flash was throwing a SecurityError the whole time, but I had no way of knowing that was the problem without guessing.

Hope that helps anyone else who encounters this problem.

3 Responses to “Flash and ExternalInterface don't follow the same security rules”

  1. Blackorzar Says:

    The problem i had with this error was also related to allowscriptaccess, I was using swfobject, and in the params i set:
    var params = {};
    params.quality = “high”;
    params.bgcolor = “${bgcolor}”;

    params.allowscriptaccess = “always”;

    The always value is in testing, on production I set the sameDomain.

    Thank you for your post!

  2. Blackorzar Says:

    Another useful thing is have the try catch on javascript and on flex (when calling the addCallback):

    In Flex:
    try { Security.allowDomain(“*”); ExternalInterface.marshallExceptions = true; ExternalInterface.call(“setFlexObjectId”, flexObjectId); ExternalInterface.addCallback(“sendFlagIsReadyToFlex”,functionInFlex);
    } catch (error:Error) { trace(“Error in ExternalInterface”);
    trace(“Error” + error.message);
    }

    In Javascript:
    if (flexObject != undefined) {
    try {
    flexObject.sendFlagIsReadyToFlex();
    } catch(err) {
    console.log(“There was an error on the flex callback.”);
    console.log(err);
    }
    }

  3. Boyet Says:

    I have a problem, maybe you can help me on this. I’m minkag an application where I have my swf and js files being referenced on my clients html, the idea is that the swf will communicate with my server and call a javascript function to write new html content in my customer’s html.When the three (HTML, swf and JS) are located in the same domain it works perfectly but when I make the test by calling my swf and js from an html page located on a different domain I get Unspecified error even when I added the System.security.allowDomain( * ); in my AS code.Can you please give me some ideas?Thanks.Allan

Leave a Reply