After playing around for a while with Flash’s allowScriptAccess and allowFullScreen parameters, I came across a way to have a Flash object load and interact with a remote SWF file on a different domain without requiring any click from the user. The research also touched on Firefox’s referrer and user-agent headers being forgeable from Flash context, and cases where no referrer was sent at all.

<!-- index.html -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>banner</title>
<script language="javascript">AC_FL_RunContent = 0;</script>
<script src="AC_RunActiveContent.js" language="javascript"></script>
</head>
<body bgcolor="#ffffff">
<!--url's used in the movie-->
<!--text used in the movie-->
<!-- saved from url=(0013)about:internet -->
<script language="javascript">
	if (AC_FL_RunContent == 0) {
		alert("This page requires AC_RunActiveContent.js.");
	} else {
		AC_FL_RunContent(
			'codebase', 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0',
			'width', '300',
			'height', '250',
			'src', 'banner',
			'quality', 'high',
			'pluginspage', 'http://www.macromedia.com/go/getflashplayer',
			'align', 'middle',
			'play', 'true',
			'loop', 'true',
			'scale', 'showall',
			'wmode', 'window',
			'devicefont', 'false',
			'id', 'banner',
			'bgcolor', '#ffffff',
			'name', 'banner',
			'menu', 'true',
			'allowFullScreen', 'false',
			'allowScriptAccess','sameDomain',
			'movie', 'banner',
			'salign', ''
			); //end AC code
	}
</script>
<noscript>
	<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="300" height="250" id="banner" align="middle">
	<param name="allowScriptAccess" value="sameDomain" />
	<param name="allowFullScreen" value="false" />
	<param name="movie" value="banner.swf" />
	<param name="quality" value="high" />
	<param name="bgcolor" value="#ffffff" />
	<embed src="banner.swf" quality="high" bgcolor="#ffffff" width="300" height="250" name="banner" align="middle" allowScriptAccess="sameDomain" allowFullScreen="false" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" />
	</object>
</noscript>
</body>
</html>

The accompanying AC_RunActiveContent.js is the standard Adobe Flash detection/embedding helper that was common at the time. The interesting finding was that with allowScriptAccess set to sameDomain, Flash could still be coaxed into making requests that appeared to originate from the embedding domain, and — in some configurations — the referrer header was either missing or could be influenced. A separate variation in the FireFox Forging subfolder showed that Firefox’s referrer and user-agent could be spoofed from within certain Flash contexts, while the NO REFERRER variation demonstrated conditions where no referrer was sent at all, which has its own implications for analytics and anti-CSRF measures.
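
The anti-CSRF implication mentioned above is easiest to see on the server side, where a Referer-based check either fails open on a missing header or trusts a value the client supplied. The following Node.js code is an added example, not code from the original research; the origin `https://app.example`, the secret, the function names and the sample requests are all constructed for illustration.

```javascript
// Added example, not code from the original page. All names are hypothetical.
const crypto = require('crypto');

const TRUSTED_ORIGIN = 'https://app.example'; // constructed value
const SECRET = 'constructed-demo-secret';     // constructed value

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Fails open: a request with no Referer header is accepted.
function refererLenient(headers) {
  return !headers.referer || originOf(headers.referer) === TRUSTED_ORIGIN;
}

// Fails closed on a missing Referer, but still trusts whatever value arrives.
function refererStrict(headers) {
  return !!headers.referer && originOf(headers.referer) === TRUSTED_ORIGIN;
}

// Token bound to the session; the check does not read any request header.
function issueToken(sessionId) {
  return crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

function tokenValid(sessionId, submitted) {
  const want = Buffer.from(issueToken(sessionId), 'hex');
  const got = Buffer.from(String(submitted || ''), 'hex');
  return got.length === want.length && crypto.timingSafeEqual(want, got);
}

// Constructed sample requests covering the three header conditions.
const SAMPLES = {
  sameSite:  { headers: { referer: 'https://app.example/settings' },
               sessionId: 's1', csrf: issueToken('s1') },
  noReferer: { headers: {}, sessionId: 's1', csrf: undefined },
  forgedRef: { headers: { referer: 'https://app.example/' },
               sessionId: 's1', csrf: undefined },
};

function evaluate(req) {
  return {
    lenient: refererLenient(req.headers),
    strict: refererStrict(req.headers),
    token: tokenValid(req.sessionId, req.csrf),
  };
}

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, evaluate(req));
}
```

Only the session-bound token rejects both the no-referrer and the forged-referrer request while accepting the legitimate one, which is why header checks work as a secondary signal rather than the sole control.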

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.