Enabling BitmapData.draw (..) on crossdomain images in Adobe Flash Player 9

Adobe Flash Player 8 and 9 have security-sandbox where-in you can not use BitmapData’s draw (..) on crossdomain images, as I mentioned in one of my posts. There is no easy way of doing it with Flash Player 8, you need some kind of shim/library.swf or server-side proxy.

Fortunately, Adobe Flash Player 9 has some APIs (Loader, LoaderContext) to make life easier, provided you have a crossdomain.xml with right permission on the server hosting images.

Say “ServerA” has main application and “ServerB” hosts image files. You need to place crossdomain.xml in root of “ServerB”. Just having crossdomain.xml is not sufficient, so you need to do something more:-

  1. Create a LoaderContext instance
  2. Set it’s checkPolicyFile = true;
  3. Pass LoaderContext instance to Loader.load (..) method, as shown below.

Note: Following code shows the steps, it’s not a working example.

var request:URLRequest = new URLRequest ();
request.url = "http://ServerB/images/foo.jpg";

//This is important step..
var loaderContext:LoaderContext = new LoaderContext ();
loaderContext.checkPolicyFile = true;

var loader:Loader = new Loader ();
loader.load (request, loaderContext);

//now you can draw.
var bitmapData:BitampData = new BitmapData (200, 200);
bitmapData.draw (loader);

Why we need to this? Doing so would instruct Flash Player not to begin downloading the image file until after attempting to download a policy file. If Flash Player successfully finds policy file with right permission, you are set to do Bitmap drawing.

Believe me, that’s all you need as long as you meet two criteria (crossdomain.xml and checkPolicyFile=true). I would try to post a working example.

  • BDavid

    Thx a lot for this post, i spent a lot of time to fix this problem and i had no idea about the reason till i red it…

  • richardt

    this can also be achieved in actionscript 2.0 by using

  • Avijit

    Please provide a example of cross domain solve. i am really confused with this problem which belongs to my current project. i can not understand. Please help me.

  • @richardt: No, this doesn’t work in AS2.0.
    @Avijit: What problem are you facing? There are some cross-domain problems that can be solved using crossdomain.xml or a server-side proxy… In this post we talked about a problem where Flash Player API doesn’t let you grab bitmap-data of video/image coming from other domain, even when there is crossdomain.xml (AS3 allows you to load the policy before code-invocation but AS2 doesn’t).
    However, there is a workaround to grab the bitmap-data (screenshot) of a video from external (YouTube or others) sites without using any crossdomain.xml or server-side script…
    Check out the last update (section) in this post:-

  • What if
    loaderContext.checkPolicyFile = true;
    doesnt work ?

  • @Elad: I think, it works in Adobe Flash Player 9, but not in Flash Player 8 or lower.

  • System.security.loadPolicyFile() DOES work in Actionscript 2.0
    Tested it myself…

  • Augustus

    Just wanted to confirm, for anybody else, that it DOES WORK in AS 2.0. You just have to force it to load the policy file:

    System.security.loadPolicyFile(“http://” + myDomain + “/crossdomain.xml”);

    I put that as soon as I know the domain I’m loading from, and everything works.

    • Yes, I can confirm the above script by Augustus does work for AS 2.0!!!

  • Designer Boy

    Just thought I’d add my bit, yep it does work in AS2 using the loadPolicyFile method.
    It’s helped loads! thanks guys,

  • Pollo

    Hey, so when you write that this code is for flash player 9 and not 8, what you actually mean is that it’s for AS3 and not AS2? Cuz flash 9 playes AS2 just the same!

  • Hi, thanks for this post, it’s very helpful. My problem is that I cannot upload a crossdomain.xml file as it is not my domain ( Amazon S3 ). Is there another way around this problem? I don’t really understand why the data is protected in the first place.

  • @Eric, even if it’s S3, you can have crossdomain.xml there.
    Anyway, you can use proxy, which is hosted on your server, to load image.
    You can check out this:-
    This might be useful, you need to host it on your server and use it like this:-

    • Pedro

      solutions provided worked as expected,
      used a loadPolicyFile in AS2 to load the crossdomain, and a proxy method to make it work with bitMapaData when it comes to handle external images.

      Thanks for all the invaluable input Abdul and rest of contributers

    • I am glad you found it useful. Thanks to everyone who commented here to make this post super useful.

  • Anders

    Thank You Abdul 🙂

  • Abdul, you just saved my life 🙂

  • radu

    it doesn’t work for me…i’ve did everything as it should but still get the security sandbox violation error. Too bad…i’ll have to use a proxy…and that’s not cool.

  • Kartik

    Any body have working example of bitmapdata draw method for cross domain swf
    Thanks in advance

  • Orc

    Uhh flash is really making troubles to me with this new security settings and seems to be breaking tons of wordpress installs, etc =\ any solution if you dont have the crossdomain.xml on the other server? =\

  • Thanks Abdul! 🙂

  • Giuseppe

    Very interesting post!
    I’d like to use it in conjunction with youtube AS3 API
    but I don’t know what to put in request.url = “”;
    I tried
    request.url = “http://www.youtube.com/apiplayer?version=3”;
    but it doesn’t work 🙁

  • Hi, I found another solution for this issue. The idea is to clone the loaded bytes in a bytearray, and read this bytearray with another loader, Loader.readBytes().
    than you can create A bitmapData object and draw the data from this second loader…
    I posted a better explanation on my blog:

  • I know it’s a long time since you posted this, but even in Flash Player 10.1 it still doesn’t automatically check for an crossdomain.xml! i really don’t know why it still doesn’t. I don’t see a reason for this behavior! But the LoaderContext got it working! 
    Just wanted to appreciate your post!

    • Thanks for update on FP 10.1’s behaviour. I have not checked how it works now, I would probably update my posts with current state of runtimes.