This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookie Policy. X

Site locking with ActionScript

There is no sugarcoating over it, whatever is put on the Internet can be copied and redistributed without author's permission and Flash is not an exception. Luckily, as opposed to music or pictures, with a bit of ActionScript we can restrict access to our Flash file to only specific sites.
The task is simple, we will take the address our Flash application is started at and compare it to the one we want it to be:
function checkDomain(...domains):Boolean {
	if(domains == null || domains.length==0) return false;
	
	var sList:String = ".*"+domains.join("|.*");
	var sURLswf:String = stage.loaderInfo.url;
	var sRegPattern:String = "^http(|s)://("+sList+")/";
	var regPattern:RegExp = new RegExp(sRegPattern,"i");
	
	return regPattern.test(sURLswf);
}
The checkDomain function takes a list of comma-separated domains and checks them against the address from which the SWF file is being loaded - if any of the supplied domains matches the URL we get true in return. Comparison is done with regular expressions which are not part of this article, so I will just quickly explain that "sURLswf" variable is matched against the pattern in "sRegPattern" variable created from the list of supplied domains.
This actually could do, but there is still a chance our SWF will be loaded using on external Loader, which in turn means "loaderInfo.url" will still return a proper address despite the Loader being on different site. Solution? Simple, we add this line to the checkDomain function:
var sURLLoader:String = stage.loaderInfo.loaderURL;
...
return regPattern.test(sURLswf) && regPattern.test(sURLLoader);
And done, now it will be impossible to run our application from unauthorized servers.
However one thing needs to be pointed out, this function won't prevent the so called hot-linking, or in other words the loading of files from our server onto a completely unrelated website. That being said, we can't really do anything about it from the Flash side as it should be prevented from the server itself - I recommend reading about hot-linking and "htaccess" at this point.
But what if our host simply doesn't not support such countermeasures?
There is one trick that could possibly help, but unfortunately it is not always effective - quite frankly I am even not sure if it works at all, since I never had a chance to test it. Before I say anything more take a moment to check the code you use for embedding the SWF file and make sure that the allowScriptAccess line is set to "sameDomain". This simple change will allow Flash to execute a JavaScript code, which in turn will give us access to the contents of the browser's address bar. To do this we will have to call this code in ActionScript:
var  sURLTop:String;
if(ExternalInterface.available) {
	try {
		sURLTop = ExternalInterface.call("function(){return window.location.href}") as String;
	}catch(e:Error) {
		 sURLTop = "";
	}
} else {
	sURLTop = "";
}
If everything goes as planned, no outsider will be able to do anything at this point - allowing JavaScript execution will provide us with current URL that we will instantly check and block, but on the other hand restricting the code will result in an Error which we will treat as "no access" as well (since our own site does allow JavaScript). This solution would be perfect, but there is nothing stopping the users themselves from disabling the JavaScript in their browsers...