BitmapData.draw (..) fails due to Security sandbox

I am trying to take snapshot of a movieclip which has many children with loaded swf from different sub-domains. Due to security reasons, BitmapData.draw (..) fails, I am wondering, if there is any good workaround for it? I have crossdomain.xml deployed on all sub-domains with right permissions. I can even add Security.allowDomain (..) for SWFs coming from sub-domains but what to do with JPEG/GIF etc?

I would appreciate if someone from Adobe or community can suggest the right-way or a workaround?

I searched about this problem and came to know of following options:-

  • Create a server-side proxy script, host it with your Flash application in same domain. Your Flash application requests all media/assets through this proxy script. f.ex:
  • Keep BitmapData.draw (..) logic inside a separate SWF in form of methods/functions. Host this SWF with media/asset in same domain. Load this SWF in your main Flash application and generate BitmapData through SWF’s functions/methods. I am little concerned about the security, I don’t want to allow this SWF to access code in my main application. If one sided (Main app –> SWF) access can solve the problem, it would be great. I need to test it. But another concern, when you are using load-balancing and assets might be coming from different domains (servers), then problem remains same.

I found this comment on flashforever very useful.

Update (Aug 1, 2007): Chris Chen posted a nice workaround to grab video-screenshots for external (crossdomain) videos. His workaround works for AS3 and AS2. Check out it . BTW! You can see an example here, which takes screen-shot of YouTube video.

Update: It seems there is no way you can draw using BitmapData.draw (..), for media (jpeg, gif, png, flv etc) loading from different domain, in Adobe Flash Player 8 using crossdomain.xml or with a (..) call. This seems to be fixed in Adobe Flash Player 9.

  • You may need to use .loadPolicy() before you draw the bitmapdata, so Flash knows it’s allowed to access the data before it does.
    Here’s the official line:
    (personally I think this whole crossdomain/bitmapdata restriction thing is utterly retarded, but there you go!)

  • Thanks Paul, I would try it. But doesn’t Flash Player automatically checks for crossdomain.xml in default (root) location…
    I have deployed it on asset server. BTW! I am using Adobe Flash Player 8, I would try…
    Thanks again..

  • Durairaj

    I think the best method to this solution is to by pass that using the proxies and shims… I think this would be allow u to do that…. But I dont know whether i were 100 percent true about it….

  • Durairaj

    Paul normally when there is some asset loading from other domain the flash player would check for the crossdomain policy file at the default location (root). We should use that only when we are loading the file other than the root location…

  • The only problem I have with using a proxy is that it starts stacking up the requests to the server. In a small application this isn’t really an issue, but lately all of the projects I’ve been working on are large scale applications that are used by millions of people. So, avoiding unnecessary requests becomes very important.
    Luckily, we’re getting around it by moving to AS3/Flex which provides a much easier way of dealing with the problem.

  • Ritesh

    I am facing th same problem here where images are loaded from
    I have gone through the post and also attempt the proxy method given on this url
    but it has of no use as of now. Also please note that i done have crossdomain file uploaded as yet.
    Please suggest the appropriate solution so that i can close this issue.

  • Hi Abdul,

    How do I create a server-side proxy script in PHP?
    What does the PHP code need to look like?

    Many thanks,