While most video players nowadays are all about the “Share” button, sometimes you want to keep a SWF as protected as possible. Obviously password protecting it is an easy method, but what if you want the world to view your SWF, but not allow just anyone to embed it?

I’ve found a fairly simple solution to this particular issue – i.e. a case where the user has their own webpage, on their own domain, their own embed code, and where the URL to the SWF is linking directly to your host or where they’ve copied your SWF to their host. This is only one of many ways in securing your publicly available SWFs.

var referrer:String = String(ExternalInterface.call("self.location.href.toString"));
if (referrer == "http://www.mydomain.com/mySWFlocation/mywebpage.html") {
     // continue loading
} else {
     // halt loading
}

This is a bit kludgy, but it works. it makes a call to javascript in the browser to see what domain the webpage is on that is embedding the SWF. If the SWF has been copied and is embedded on a different domain, it will fail. If the SWF is simply linked to from some other domain, it will still fail, because javascript is specifically checking the domain of the HTML the browser is currently at, not the URL of the SWF.

If you don’t want to specify the entire URL to the SWF, but only a domain instead, the Javascript Reference shows other useful possibilities, such as self.location.host, which will only return the domain.

My question to the world is can self.location be spoofed? I know window.location can (i.e. iframes), but I haven’t been able to figure out a way for self.location to be changed without the user being redirected.

Perhaps there’s a way to retrieve the domain of the embedding webpage in actionscript only?