I was going to post these eventually, but sort of forgot. Now that the Unity browser plugin is long dead (along with browser plugins in general), here are some "interesting implementation choices".
To be able to install new versions without prompting for administrator access, the binaries were world-writable.

They had an API to call JavaScript: ExternalInterface.call("function", "argument");

It was implemented as eval(`${function} ("${quote(argument)}")`).

The quote function escaped " as \", but left \ as is.

(this is why the alert(1) game exists: https://alf.nu/alert1?world=alert&level=alert1&)

To be fair, Flash also did this.

alert(1) to win
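As an added example (not the plugin's own code), the quoting flaw described above reconstructed beside a correct builder, with a checker that only accepts a result of the exact shape identifier("one string literal"); the names naiveQuote, safeBuildCall and singleStringArgument are assumed here.

```javascript
// Added example, not the Unity plugin's own code: reconstructs the quoting
// flaw described above next to a correct builder, with a checker.

// The quoting the post describes: " becomes \" but backslashes are untouched.
function naiveQuote(arg) {
  return arg.replace(/"/g, '\\"');
}

// Vulnerable builder: a trailing backslash in arg escapes the closing quote,
// so the rest of the text is parsed as JavaScript code instead of data.
function naiveBuildCall(fn, arg) {
  return `${fn}("${naiveQuote(arg)}")`;
}

// Hardened builder: JSON.stringify emits a valid JS string literal (escapes
// backslashes, quotes and control characters) and fn must be an identifier.
function safeBuildCall(fn, arg) {
  if (!/^[A-Za-z_$][\w$]*$/.test(fn)) throw new Error("bad function name");
  return `${fn}(${JSON.stringify(arg)})`;
}

// Checker: returns the decoded argument only if src is exactly
// identifier("<one string literal>") and nothing else. Any leftover text
// (a second statement, a comment, an unterminated literal) returns null,
// meaning the argument broke out of the literal.
function singleStringArgument(src) {
  const m = /^[A-Za-z_$][\w$]*\("/.exec(src);
  if (!m) return null;
  let i = m[0].length;
  let out = "";
  while (i < src.length) {
    const c = src[i++];
    if (c === '"') return src.slice(i) === ")" ? out : null;
    if (c !== "\\") { out += c; continue; }
    const e = src[i++];
    if (e === "u") { out += String.fromCharCode(parseInt(src.slice(i, i + 4), 16)); i += 4; }
    else out += { n: "\n", r: "\r", t: "\t" }[e] ?? e;
  }
  return null; // ran off the end: unterminated literal
}

// Constructed inputs: a harmless argument, and one ending in a backslash.
const plain = singleStringArgument(naiveBuildCall("alert", "hello"));    // "hello"
const broken = singleStringArgument(naiveBuildCall("alert", "hello\\")); // null
const fixed = singleStringArgument(safeBuildCall("alert", "hello\\"));   // "hello\\"
console.log({ plain, broken, fixed });
```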

They copied the 'crossdomain.xml' system from Flash, but forgot about redirects.

If you put an 'allow all' crossdomain.xml file on the same server as the game, and a redirect to mail.gmail.com, your game could fetch your players' inboxes.

You could also just ask for " https://mail.google.com/" (note the leading space). This was considered a 'relative url' and always allowed.

The best part came a year later, after the patches were finally out to fix (some of) the issues.

Here's a snippet from the header of a game file.

Can you guess what went wrong?