As Flash is a real security mess, I started blacklisting Flash at our proxy by blocking any content with the MIME type application/x-shockwave-flash, which works pretty well as far as I can tell. The proxy does SSL interception, so it covers both http and https, and I don't allow any other protocol to get out, so loading Flash from an FTP server, for example, isn't possible either.

But I'm asking myself if this is enough, because a malicious webserver could simply fake a MIME type and then send Flash to the browser anyway? Would this work, or is Flash bound to some limitations that prevent such behavior?
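A proxy-side check that does not rely on the Content-Type header alone, added here as an example (not code from the original post or from any proxy product): it inspects the start of the response body for the SWF file signatures (FWS, CWS, ZWS) and blocks on either a declared Flash MIME type or a detected SWF header. The sample responses are constructed, and `should_block` is a hypothetical hook you would call from your proxy's response filter.

```python
"""Block Flash by body signature, not only by the declared MIME type."""
import struct
from typing import Optional, Tuple

# SWF files start with a 3-byte signature, a 1-byte format version and a
# 4-byte little-endian uncompressed length. The signature marks compression.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
FLASH_MIME_TYPES = {"application/x-shockwave-flash"}


def sniff_swf(body: bytes) -> Optional[str]:
    """Return the SWF compression kind if the body carries a SWF header, else None."""
    if len(body) < 8:
        return None
    sig, version = body[:3], body[3]
    if sig not in SWF_SIGNATURES:
        return None
    # Version 0 or an implausibly high version is treated as a false positive
    # (the assumed upper bound of 60 comfortably exceeds any released SWF version).
    if version == 0 or version > 60:
        return None
    return SWF_SIGNATURES[sig]


def should_block(content_type: str, body: bytes) -> Tuple[bool, str]:
    """Decide whether a response is Flash; the reason string is for proxy logs."""
    ct = content_type.split(";")[0].strip().lower()
    if ct in FLASH_MIME_TYPES:
        return True, "declared flash content-type"
    kind = sniff_swf(body)
    if kind:
        return True, f"swf signature ({kind}) served as {ct or '<none>'}"
    return False, "no flash indicators"


# Constructed sample responses (header, first bytes of body); not real captures.
SAMPLES = [
    ("application/x-shockwave-flash", b"FWS\x0a" + struct.pack("<I", 1000) + b"\x00" * 8),
    ("application/octet-stream; x=1", b"CWS\x0f" + struct.pack("<I", 4096) + b"x\x9c" + b"\x00" * 6),
    ("text/html; charset=utf-8", b"<!doctype html><html><body>hi</body></html>"),
    ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for content_type, body in SAMPLES:
        blocked, reason = should_block(content_type, body)
        print(f"{'BLOCK' if blocked else 'allow'}  {content_type:35} {reason}")
```

Signature sniffing only helps where the proxy can buffer at least the first eight bytes of each response before forwarding it, so check that your interception setup actually filters on the body and not just on headers.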