Google has shared more details of its plan to replace Flash with HTML5 by default in Chrome. In September 2016, Chrome will block Flash content that loads behind the scenes, which the company estimates accounts for more than 90 percent of the Flash on the web. In December, Chrome will make HTML5 the default experience for central content, such as games and videos, except on sites that only support Flash.
Flash has been on its way out for years. Not only is the tool a security nightmare, with new vulnerabilities popping up regularly, but the market has also been slowly but surely moving away from plugins in favor of HTML5. Chrome and Flash, in particular, have had a complicated relationship.
While Flash is included in Google’s browser by default, it has been slowly but surely de-emphasized. In September 2015, Chrome 45 began automatically pausing less-important Flash content (ads, animations, and anything that isn’t “central to the webpage”).
As Mozilla and Microsoft play catch-up with their respective Flash plans for Firefox and Edge, Google continues to plow ahead. Here are the details (design doc) for next month’s plan, when Chrome 53 will be released:
In September 2015, we made “Detect and run important plugin content” the default plugin setting in Chrome, automatically pausing any cross-origin plugin content smaller than 400px in width or 300px in height. This behavior has an exception for any plugin content that is 5×5 or smaller or is an undefined size, because there was no canonical way of detecting viewability until Intersection Observer was standardized and implemented.
We would now like to remove this exception and instead not load tiny, cross-origin content. If the user has their plugin setting set to the default of “Detect and run important plugin content”, the browser will not instantiate cross-origin plugin content that is roughly 5×5 or smaller or has an undefined size. An icon will be displayed in the URL bar indicating that plugin content is not running, allowing the user to reload the page with plugin content running or open settings to add a site-wide exception. Other choices of the plugin content setting are unaffected by this launch.
The end goal for all these browser makers is to push as many sites as possible to HTML5, which is better for both performance (lowering memory and CPU usage while boosting battery life) and web standards (which makes life easier for developers). Given Flash’s various vulnerabilities, there are obvious security gains as well.
And indeed, Google has already said it plans to have Chrome serve HTML5 by default in Q4 2016. Now the timeframe has been narrowed to December.
At that point, all that will be left will be sites that only serve Flash. For those, you’ll be prompted to enable Flash when you first visit the site, which will hopefully push developers who haven’t ditched it yet to consider doing so.