The browser extension technologies that are widely deployed all implement segregation between domains in a way that is derived from the same basic principles as the main browser same-origin policy. However, some unique features exist in each case that can enable cross-domain attacks in some situations.
Flash objects have their origin determined by the domain of the URL from which the object is loaded, not the URL of the HTML page that loads the object. As with the same-origin policy in the browser, segregation is based on protocol, hostname, and port number by default.
In addition to full two-way interaction with the same origin, Flash objects can initiate cross-domain requests via the browser, using the URLRequest API. This gives more control over requests than is possible with pure browser techniques, including the ability to specify an arbitrary Content-Type header and to send arbitrary content in the body of POST requests. ...
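The origin rule described above can be made concrete with a small comparison helper. This is an added example, not code from the original text: it derives a Flash object's origin from the URL the `.swf` is loaded from (the embedding page's URL is accepted only to make the contrast visible and never affects the result) and compares origins on protocol, hostname and port. It goes slightly beyond the text in normalising default ports (80 for http, 443 for https), which is how browsers treat `http://host` and `http://host:80` as the same origin. The URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Default ports per scheme so that "http://a.example" and "http://a.example:80"
# compare as the same origin (assumption: standard browser normalisation).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (protocol, hostname, port) triple the same-origin rule compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def flash_object_origin(page_url, object_url):
    """Origin assigned to a Flash object.

    The origin is taken from the URL the object itself is loaded from, not from
    the HTML page that embeds it. page_url is deliberately ignored; it is only
    part of the signature so the contrast with the page's origin is explicit.
    """
    return origin(object_url)


def same_origin(url_a, url_b):
    """True when both URLs share protocol, hostname and (normalised) port."""
    return origin(url_a) == origin(url_b)


def interaction_mode(page_url, object_url, target_url):
    """Classify how a Flash object may reach target_url.

    'full'         -> same origin as the .swf: unrestricted two-way interaction.
    'cross-domain' -> different origin: only a cross-domain request routed
                      through the browser is possible.
    """
    if flash_object_origin(page_url, object_url) == origin(target_url):
        return "full"
    return "cross-domain"


if __name__ == "__main__":
    # Constructed sample: a page on www.example.com embeds a widget served
    # from cdn.example.com. The widget's origin follows the CDN, not the page.
    page = "https://www.example.com/page.html"
    swf = "https://cdn.example.com/widget.swf"
    print(flash_object_origin(page, swf))
    print(interaction_mode(page, swf, "https://cdn.example.com/api"))
    print(interaction_mode(page, swf, "https://www.example.com/api"))
```

The last two calls in the usage section illustrate the point of the paragraph: the object has full access back to the host it was loaded from, while a request to the embedding page's own domain is a cross-domain request from the object's perspective.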