Flash and Advertising

Some concerns have been raised lately regarding malicious ads using Flash. The good news is there are already mechanisms in the Flash Player to effectively address these concerns.

I am simplifying here, but there are two main goals for web-based advertisements:
* advertisers want to present compelling, engaging advertisements
* advertisers want users to click through to their websites


For the sake of simplicity, lets assume that the SWF-based ad and HTML-based container are hosted in separate domains, and that you have control over the HTML container.At this point a short review of the potential threats posed by an advertisement is in order. An ad might try to:1) Automatically redirect the user to another site2) Redirect the user to another site after clicking on it3) Automatically open a new window to another site4) Open a new window to another site after clicking on it5) Automatically install a malicious programFor each one of the above threats, here are the available mitigations respectively:1) and 2) Set the allowScriptAccess=”never” parameter of the OBJECT/EMBED HTML tag to prevent SWF content from controlling existing browser content, including preventing redirects of existing content3) The Flash Player uses the browser’s existing pop-up blocker logic to prohibit pop-ups triggered from Flash, assuming the browser’s pop-up blocker is enabled4) This is normal behavior for an ad. Much like HTML/JavaScript, if the user clicks on a link to go to certain website, generally this action is permitted (though it can depend on how aggressively your pop-up blocker is configured). Furthermore, the hosting HTML could even prohibit this entirely by setting the allowNetworking=”none” or allowNetworking=”internal” OBJECT/EMBED parameters, though this will prevent users from clicking-through advertisements altogether, and so is generally not the desired effect5) Flash Player does not permit automatic downloads; any downloads require user involvement and consentTo an advertiser or hosting website, this all may seem rather complicated, but in fact it boils down to one straightforward change assuming you want to have ads that:- disable any redirects or automatic opening of new windows- allow a user to click-through the ad to open in a new windowJust set the allowScriptAccess=”never” parameter on your OBJECT/EMBED tags.One caveat: this does not prevent an ad from opening a window to a potentially malicious website if a user clicks on it. There is no technical mitigation to that problem, as its impossible to tell whether the website the user is about to visit is malicious or not. So there will always be a degree of responsibility the publisher of the ad needs to accept for ensuring that they only accept content from trustworthy partners.If you instead want to have ads that prohibit any browser or network interaction, even if the user clicks on them, you can set the allowNetworking=”none” parameter instead.Keep in mind that it is possible to include potentially malicious JavaScript in the OBJECT/EMBED parameters themselves. While not an issue with Flash Player itself, you need to be careful when validating any HTML tags or parameters for undesirable code.Like any change, you should thoroughly test any such modifications to ensure your content will still work. For example, the recommended solution above requires ads to open new windows, rather than redirecting the existing window.References: please see my previous blog entry about controlling SWF content from HTML.