How to sitelock a Flash movie

Sometimes you need to make your Flash movie (or game) to work only on selected domains. Sometimes you may want to blacklist some domains so they can’t display your Flash content.

This is called sitelocking, and means you lock a movie to a specific site.

Let’s see how can you sitelock a Flash file.

The first thing we need to know is where the movie is been played.

With the _url property we can determine the absolute path of a movie clip.

I will create a movie with a text field instanced as domain with this actionscript:

domain.text = _url;

This is the result:

Next we have to determine the domain name, so we need some string functions. First we need to strip all characters before :// (:// included).

Using the split method, I’ll split a the domain name into substrings by breaking it wherever :// is found, in this way:

domain_parts = _url.split("://");
domain.text = domain_parts[1];

Splitting the domain name by :// will create an array with its first element (at index 0) containing http (or https, or whatever I’ll find before the ://), and the second element with the remaining part of the domain. Look:

We are few steps away from having only the domain name.

In the same way as before, now I have to split the string when I find a /

Here it is:

Now, we are ready to sitelock the game. Just remember that some portals do not use their domain to host Flash games. For example, NewGrounds uses while Kongregate uses

Anyway, the customer who will request to sitelock your Flash movie will tell you which domain you have to lock the game on.

Now, let’s think about what to do when the movie is played in a site you don’t want to be played. The easiest thing is making the root transparent so it will impossible for the surfer to use it.

This function will display the game only if played on my domain.

Now, the last interesting thing… how to sitelock to more than one site.

This one only allows movie to be played on this domain and on

Hope you will find it useful

  • First comment

    YAY! first comment. anyway, sounds nice. Good Job!

  • thanks man, I was thinking about using something like this but in a different way, ie if my swf is not on kongregate, then show the mochiads leaderboard, otherwise use the kong API… :)
    this will help me to work out the script I need


  • Wonderful!
    I’ve been looking for a better way to do this!
    Works beautifully, thanks much!

  • Rick

    Thanks Emanuele!

  • JDog

    Thanks Emanuele, very helpful, I can finally sendmy game prototypes to without fear !

    Now all I require is a reply to my email or else I can’t get my game going properly. I’ll definately buy you a beer or two once the sponsorship pays through !

  • Emanuele Feronato

    Sitelocking is useless if you don’t encrypt your game anyway

  • :o
    dude, on the second to last actionscript box you put:

    _root._alpha == 0;

    instead of:

    _root._alpha = 0;

    great tut though, shall use on new game coming out

  • Emanuele Feronato

    fixed. thank you.

  • Great! This goes to the SticKman’s magazine :D

  • Grifo

    First time I get to understand the split command.
    Great tutorial as always.

  • Matt

    Bad news, the _url property holds the url where the swf is hosted, not where it is embedded. You’re going to need a more complex solution in order to prevent people from hotlinking off your site. Of course this can be done on your actual server, but some sites that you do want your game on might not have such a fix. I’m not sure how to sitelock your game from being embedded onto someone elses site buy hosted on yours entirely within the flash.

  • Olivier

    Thats pretty much the problem here, it makes it so people cant copy the actual swf, but they can still embed it, so its pretty useless :(
    nice tut tho, im sure lots of people found this helpfull in one way or another

  • nice tutorial thanks i will try it

  • roboman

    It’s strange…the sitelock makes the preloader don’t work.

  • Pingback: Инструкция по монетизации флэш игр | terbooter()

  • Pingback: How to make Flash Games » Sitelocking()

  • Pingback: MochiLand » Blog Archive » Flash Game Monetization Case Study: Emanuele Feronato()

  • yaboy

    Would something like this work better than _url…?

    var domain = this.root.loaderInfo.url.split(“/”)[2];

  • Luke “function get_url() { return window.location.toString(); }” )

    what about this ?

  • Luke

    ACTUALLY try this
    browserurl =“function(){return window.location.href}”).toString();

  • Hey there, if anyone needs an Actionscript 3 version of this tutorial, I’ve written one on my blog –

  • Pingback: Excit: Post-Mortem | Game Reviews, Game Download, Computer Games()

  • Jan

    ———-Emanuele Feronato———
    You are Great!!!!!!!!!!!!!!!!!!!!!!
    many thanks to you and others like you.


  • dino

    How can you be sure www or even http is always included?

    I never type www when going to a website.

  • dino

    Wouldn’t it be better to drop the split and just check if the beginning is equal to “”?

  • Internet Hobo

    Somebody could get around this by adding a query string with ?_url= or something though when they embed the file. Is there some way to determine where the swf is actually embeded?

  • NewGrounds uses, not .

  • Hi there,
    it’s really important to understand (what was already said) that the code in the post won’t prevent embedding the swf from an allowed host to ANY webpage. The “window.location” is the right idea there, BUT you have to use:

    because refers to the “most top” window, e.g. if your allowed domain is “” and the evil domain “” just puts an iFrame on their site that contains the page from “” with the game, window.location will say “”, but will reveal “”.

    – Dennis

  • ken

    Step 1. Put a secret function within the flash that grabs their domain information and have it send to your database and a page that displays all thief sites.

    Step 2. Put copyright / owner information pertaining to your game or movie where it cannot be overlooked by viewers.

    Step 3. Put your flash on the web.

    Step 4. Use the web info to report their site for theft of copyrighted materials to their domain host.

    This may not work immediately if the host “doesn’t care”, but I’m sure with proper legalese and talk of “getting lawyers involved” they’ll pull the site and/or warn the client.

    I contacted my own host (godaddy) on this issue and they conferred that they would pull the thief site until they remove the copyrighted materials.

  • Ab

    @29 (Ken)
    You have a nice sample code for Step 1 ?

  • Tom

    Emanuelle, or someone else talk me through the best way to sitelock my game?
    I’d be glad to put a link to you for a month from It gets
    around 5000 visits per day. I can send you traffic in thanks.
    Best Tom

  • Coca Cola is bad for your health, it actually is one of major contributors to adrenal exhaustion. Sugar in general is. So you might want to remove that evil donation Coca Cola advertisement and people actually might donate more to you.

  • Returns true if the current swf is hosted on an host1, host2, host3 domain, false otherwise

    function testSiteLock():Boolean {
    var siteLock:RegExp = /^http:\/\/([-a-zA-Z0-9\.])+\.(host1|host2|host3|emanueleferonato|massagames)\.com(\/|$)/;
    return siteLock.test( loaderInfo.url );

  • i will give it try