Tracking SWF Flash files in the wild [SOLVED]


Hi there,

I was wondering if it’s possible to use Piwik to track events in flash games (AS3) that are anywhere in the internet.
Until May 2014 I used the Mochimedia services but unfortunately they shut down. Now I need a system to track some (custom) player data (number of game starts, length of game sessions, “did the player press this button?”, on what websites the game is played and maybe some geolocation info).

The Tracking HTTP API looks promising… Tracking HTTP API: API Reference - Matomo Analytics (formerly Piwik Analytics) - Developer Docs - v3
but does it really do what I think it does? Will it be able to send player data to my Piwik installation no matter on what website the game is played? Can I just send a Actionscript-URLRequest to my server? Or are there some restrictions I do not anticipate…?

Any thoughts and suggestions are very appreciated :wink:

So I managed to send HTTP requests to my Piwik install via Flash AS3.
Here’s the snippet:

var loader : URLLoader = new URLLoader();
var request:URLRequest=new URLRequest("");
var variables : URLVariables = new URLVariables();
variables.url= currentURL();
variables.action_name = "FLASH ACTION";;
loader.addEventListener(Event.COMPLETE, on_complete);
function on_complete(e : Event):void {
	 // whatever 
function currentURL():String {
	var theurl:String=ExternalInterface.available?'eval','window.location.href'):null;
        urlLabel.text = theurl; // urlLabel is a dynamic text field on stage
	return theurl;

But now I’m stuck, because it turns out that Piwik doesn’t track actions if the swf file is opened from different URLs than those set up in “Website Management” - what a bummer :frowning:

Is there some Piwik functionality I missed? Or do I have to move on and find a different solution?
Thanks in advance!

And again, I found the error by analyzing the traffic with firefox’ dev tools.
It turns out that I need a crossdomain.xml on my piwik server to be able to communicate to the php file from another server. It’s a Adobe Flash security thing…

So here’s a sample for the crossdomain.xml that you upload to the root of your domain:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
<allow-access-from domain="*" />

The part is kinda risky, because it allows all SWFs to communicate with php files on my server. On the other hand this allows me to put the SWF file anywhere on the net while it keeps posting tracking data to my piwik.php.

This article helped a lot, btw:

I will now try to find a complete list of all major flash game websites and generate a crossdomain policy for these.
If you have a better idea, please let me know!

It seems to be possible to have a crossdomain.xml in a subdirectory so not all your files and folders are allowed to be called by an off-site SWF. You will need to create a master policy file that allows a custom crossdomain.xml in a subdirectory.
See pages 7 and 11 in the specification pdf that you can download here:

Here’s some more details on that crossdomain.xml master policy:
You really don’t want to open your whole domain for swf communication unless you love security holes.

So what you do is to create a crossdomain.xml (it has to be named that way!) and allow other policies:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
   <site-control permitted-cross-domain-policies="all" />

Now create another xml. You can name this one as you want, for example piwikpolicy.xml, then copy it to your Piwik folder. This policy is actually the same I posted above. The documentation tells us: Non-master policy files can only grant access to data within their own directory or subdirectories.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
	<allow-access-from domain="*" />

Now open your Flash project and add this to the top of the snippet I posted above:


That’s it! Happy flash tracking :wink:

(Matthieu Aubry) #2

It turns out that I need a crossdomain.xml on my piwik server to be able to communicate to the php file from another server. It’s a Adobe Flash security thing…

Maybe you don’t need this if you setup CORS headers as explained in this FAQ? How do I configure my Piwik server to allow cross domain requests? (CORS) - Analytics Platform - Matomo

Thanks for posting your findings about tracking SWF flash with Piwik! I’m sure other users will be interested.


Thank you for the hint!
but there has to be a crossdomain.xml in the domain root, or flash/flex will not send POST URL-requests to the server (see specification pdf).
I tried to configure a master policy and piwiks config.ini but it didn’t work - but that’s okay, because it works like a charm using the crossdomain.xml-configuration.

Thank you very (very!) much for this awesome (awesome!) tool!

I added some more details on the crossdomain policies to the original post above :wink:


Is it possible to use it with the async version?

(see here: 301 Moved Permanently)