HTML5: Unsafe Flash application configuration
Classification
Overview
Granting excessive permissions allows a malicious Flash application to transfer confidential information to an arbitrary remote site.
When a Flash application is embedded in HTML, there are several flags that inform the Flash player if the SWF file must have access to content from the browser or from the network.
The allowScriptAccess flag instructs the Flash player whether the SWF file may interact with the browser and the HTML DOM through ExternalInterface, fscommand or getURL.
The allowNetworking flag on the <object> and <embed> tags controls the SWF file's use of network connections.
Possible values of allowNetworking are:
all (the default) - All networking APIs are permitted in the SWF file.
internal - The SWF file may not call the browser navigation and browser interaction APIs navigateToURL(), fscommand() and ExternalInterface.call(), but it may call any other networking APIs.
none - The SWF file may not call the browser navigation and browser interaction APIs listed above, nor the following networking APIs: sendToURL(), FileReference.download(), FileReference.upload(), Loader.load(), LocalConnection.connect(), LocalConnection.send(), NetConnection.connect(), NetStream.play(), Security.loadPolicyFile(), SharedObject.getLocal(), SharedObject.getRemote(), Socket.connect(), Sound.load(), URLLoader.load(), URLStream.load(), XMLSocket.connect(); it also cannot use any SWF-to-SWF communication APIs.
When allowNetworking is set to none, you cannot reference external media in an <img> tag in the htmlText property of a TextField (a SecurityError exception is thrown).
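As an added example (not code from the original page), a small Python checker that parses <object> and <embed> markup and reports where the permissive settings described above are in effect. It assumes allowScriptAccess="always" is the value worth flagging, treats a missing allowNetworking as the default "all", and the class and function names (FlashEmbedAuditor, audit, risky) are hypothetical.

```python
from html.parser import HTMLParser

# Values treated as permissive (assumption: "always" for allowScriptAccess;
# "all" for allowNetworking is the default named on this page).
PERMISSIVE = {"allowscriptaccess": "always", "allownetworking": "all"}


class FlashEmbedAuditor(HTMLParser):
    """Collect allowScriptAccess/allowNetworking for every <embed> and <object>,
    including values supplied through nested <param name=... value=...> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, flag, effective value, is_permissive)
        self._obj = None     # flags gathered for the currently open <object>

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "embed":
            self._record("embed", attrs)
        elif tag == "object":
            self._obj = {k: v for k, v in attrs.items() if k in PERMISSIVE}
        elif tag == "param" and self._obj is not None:
            name = attrs.get("name", "")
            if name in PERMISSIVE:
                self._obj[name] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            self._record("object", self._obj)
            self._obj = None

    def _record(self, tag, attrs):
        for flag, permissive in PERMISSIVE.items():
            value = attrs.get(flag)
            if value is None and flag == "allownetworking":
                value = "all"  # flag absent: the default "all" applies
            self.findings.append((tag, flag, value, value == permissive))


def audit(html):
    """Return every (tag, flag, value, is_permissive) finding in the markup."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def risky(html):
    """Only the findings where a permissive value is in effect."""
    return [f for f in audit(html) if f[3]]


# Constructed sample: a permissive <object> next to a restricted <embed>.
SAMPLE_HTML = """
<object data="app.swf" type="application/x-shockwave-flash">
  <param name="allowScriptAccess" value="always">
</object>
<embed src="widget.swf" allowScriptAccess="sameDomain" allowNetworking="internal">
"""

if __name__ == "__main__":
    for tag, flag, value, bad in audit(SAMPLE_HTML):
        print(f"<{tag}> {flag}={value!r} {'PERMISSIVE' if bad else 'ok'}")
```

The <object> is reported twice: once for the explicit allowScriptAccess="always" and once because allowNetworking was never set, so the default "all" applies.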
