Google has outlined a plan to push HTML5 by default in Chrome, instead of Flash. In Q4 2016, the company plans to only serve Flash by default for the top 10 domains that still depend on the plugin. Chrome will display the HTML5 experience if it’s available, but if Flash is required, the user will be asked whether Flash can be allowed to run or not.
Flash has been on its way out for years. Not only is the tool a security nightmare, with new vulnerabilities popping up regularly, the market has been slowly but surely moving away from plugins in favor of HTML5. Chrome and Flash, in particular, have had a complicated relationship.
While Flash is included in Google’s browser by default, it has been slowly but surely de-emphasized. In September 2015, Chrome 45 began automatically pausing less-important Flash content (ads, animations, and anything that isn’t “central to the webpage”). Now, Google wants to focus on the central content, such as games and videos.
Here is Google’s “HTML5 by Default” proposal for Chrome:
- Flash Player will come bundled with Chrome, however, its presence will not be advertised by default, namely in Navigator.Plugins() and Navigator.MimeTypes().
- If a site offers an HTML5 experience, this change will make that the default experience.
- When a user encounters a site that needs Flash Player, a prompt will appear at the top of the page, giving the user the option of allowing it for a site.
- If the user accepts, Chrome will advertise the presence of Flash Player, and refresh the page.
- Chrome will honor the user’s setting for that domain on subsequent visits.
- To avoid over-prompting users, we will initially ship with a whitelist of the then top 10 sites (based on aggregate usage). This whitelist will expire after one year.
The whitelist is meant to “reduce the initial user impact, and avoid over-prompting,” according to the company’s “intent to implement” post on Google Groups. If this whitelist were to be implemented today, Chrome’s internal metrics show that the top 10 domains using Flash would be YouTube.com, Facebook.com, Yahoo.com, VK.com, Live.com, Yandex.ru, OK.ru, Twitch.tv, Amazon.com, and Mail.ru. Google promises to update the whitelist periodically throughout the year to remove sites that no longer warrant an exception based on usage.
Here is the prompt that users will see when first visiting a site that requires Flash but isn’t on the whitelist:
If the user allows Flash Player to run, Chrome will store that preference and refresh the page with Flash enabled. For sites that direct users to download Flash, Chrome will intercept the request and instead present the “Allow Flash Player …” infobar, directing users back to the prompt.
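The effect of hiding Flash from the plugin and MIME type lists is easiest to see from the site's side. The following is an added example, not code from Google's proposal or from Chrome: `chooseExperience` and `simulateVisit` are hypothetical names for a typical legacy detection script and for the allow-and-refresh flow described above, and the navigator objects are constructed stand-ins.

```javascript
// Added example: legacy site-side Flash detection under "HTML5 by Default".
// All navigator objects here are constructed for illustration.
const FLASH_MIME = 'application/x-shockwave-flash';
const FLASH_PLUGIN = 'Shockwave Flash';

// True only if the browser advertises Flash via its plugin or MIME type lists.
function flashAdvertised(nav) {
  const mime = nav.mimeTypes && nav.mimeTypes[FLASH_MIME];
  const plugin = nav.plugins && nav.plugins[FLASH_PLUGIN];
  return Boolean((mime && mime.enabledPlugin) || plugin);
}

// Hypothetical legacy site logic: prefer Flash when detected, fall back to
// HTML5 if the site ships one, otherwise send the user to a Flash download.
function chooseExperience(nav, hasHtml5Player) {
  if (flashAdvertised(nav)) return 'flash';
  if (hasHtml5Player) return 'html5';
  return 'needs-flash';
}

// Flash is bundled but not advertised (the proposed default state).
const hiddenNav = { plugins: {}, mimeTypes: {} };

// Flash is advertised after the user allows it for the site.
const flashPlugin = { name: FLASH_PLUGIN };
const allowedNav = {
  plugins: { [FLASH_PLUGIN]: flashPlugin },
  mimeTypes: { [FLASH_MIME]: { type: FLASH_MIME, enabledPlugin: flashPlugin } },
};

// Models the flow in the article: first load with Flash hidden; if the site
// ends up asking for Flash and the user accepts the prompt, the page is
// refreshed with Flash advertised. Returns what the site served on each load.
function simulateVisit(hasHtml5Player, userAllowsFlash) {
  const loads = [chooseExperience(hiddenNav, hasHtml5Player)];
  if (loads[0] === 'needs-flash' && userAllowsFlash) {
    loads.push(chooseExperience(allowedNav, hasHtml5Player));
  }
  return loads;
}

console.log(simulateVisit(true, false));  // site with an HTML5 player
console.log(simulateVisit(false, true));  // Flash-only site, user allows
console.log(simulateVisit(false, false)); // Flash-only site, user declines
```

A site that already has an HTML5 fallback never triggers the prompt, which is why the proposal makes HTML5 the default without any change on the site's part.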
Google also plans to add policy controls for enterprises. There will be a setting to “Allow Sites to ask to run Flash” (ask the first time only), “Allow Sites…” (right-click to play), and “Never run Flash content” (disable the plugin entirely). Users will be able to manage their individual site preferences.
Keep in mind that these are just mockups, and the details are still up in the air. That said, Google does state that “the tone and spirit should remain fairly consistent.” One way or another, Chrome will push HTML5 by default, in place of Flash.
Google has played a big part in helping to kill Flash. In January 2015, YouTube ditched Flash for HTML5 video by default, and, in February 2015, the company began automatically converting Flash ads to HTML5. The company plans to stop running Flash display ads on January 2, 2017.
The death of Flash can’t come soon enough, both for performance and security reasons. In a way, Adobe ensured Flash’s imminent demise in November 2011 when the company announced the withdrawal of support for Flash Player on mobile devices. While we’ve come a long way since then, with tech giants doing a lot of work to push it out the door, there are still many years to go before we can put Flash behind us.