
Firefox Filters More Uses of Flash

The Mozilla Foundation, makers of the Firefox browser, said in a blog post that in August 2016 it will start filtering large categories of Flash usage that aren’t beneficial for users in order to reduce crashes and improve battery life on laptops. As the year goes on, Firefox will clamp down on more kinds of Flash content, and next year it will require that users approve playing any Flash content with a click. These moves are part of a trend by all browser makers to deprecate Flash, which is buggy and remains full of security holes.

Like other browser makers, Mozilla claims that loading less Flash content improves security, increases battery life, reduces the time to load and render pages, and generally makes Web pages more responsive. Along with its other failings, Flash has long been a CPU hog.

Mozilla bills this as blocking “certain Flash content that is not essential to the user experience,” by which they mean several types of tracking mechanisms used by advertisers and ad networks. Because the use of Flash for video has been so heavily reduced, with YouTube, Facebook, and others switching to HTML5-based video delivery for modern browsers, advertisers’ use of Flash for tracking and showing videos embedded in ads may be the only Flash that most users encounter on a regular basis.

Mozilla notes in a linked code repository that it blocks two kinds of Flash uses for objects that are 5-by-5 pixels or smaller: fingerprinting and supercookies. It estimates these two changes will reduce Flash-related crashes by 10 percent, an enormous amount across all Firefox users.

Fingerprinting uses a Flash command to retrieve a list of all installed fonts, which is one method that advertisers use to identify a browser even when someone has taken steps to not be tracked.

Supercookies are far worse: they store identifying details in a Flash object that isn’t removed when browser cookies and other tracking information are deleted; these Flash objects may even persist across private-browsing sessions. Supercookies often check to see whether a browser cookie has been removed and, if so, they “respawn” the browser cookie from an internal cache.

There’s no legitimate reason for users to want browsers to tolerate Flash-based fingerprinting or supercookies, although blocking Flash for these purposes only reduces such tracking. Fingerprinting can still be carried out using JavaScript and even CSS, and supercookies can use JavaScript and various HTML5 storage and Web server page tagging techniques.

Later this year, Firefox will stop allowing Flash to determine whether a given piece of content on a Web page is visible, another element of ad tracking. (If someone can’t see an ad, has it truly been served?) An HTML-based alternative will be made available in Firefox when it disables the Flash version.

Finally, in 2017, Mozilla will switch from Flash playing by default to requiring a click for approval.

Mozilla’s steps parallel those taken by other desktop Web browser makers. Apple’s WebKit team said in June 2016 that macOS 10.12 Sierra won’t reveal to a Web server what multimedia plug-ins it has in order to force sites to deliver HTML5 by default. If a site can’t send HTML5, Safari will show the visitor a click-to-play option for Flash. (This is separate from the excellent ClickToFlash and ClickToPlugin extensions available for Safari.)

Google made a similar announcement about Chrome in May 2016. The Chrome browser will report that Flash is available only to servers in the top 10 most-visited domains worldwide that serve any Flash content, currently including YouTube, Facebook, Yahoo, Microsoft’s Live.com, Amazon, and Twitch. Users can also whitelist Flash.

Microsoft isn’t as committed to reducing and ultimately eliminating Flash as the other three major browser makers, and its plans have no impact on iOS and Mac users. However, it intends to isolate Flash in future updates to Internet Explorer by “pausing unnecessary content,” which may refer to Flash used for tracking, auto-play video, and other ad-related purposes.

Unfortunately, some misguided and outdated Web sites continue to rely on Flash, and this set might include online services you have to use for work, banking, or managing health-care issues. Hopefully their reliance on Flash will be short-lived, since every step browser makers take to reduce Flash’s use further prods laggard sites to get with the times and give up on Flash.


Comments about Firefox Filters More Uses of Flash

Mike van Lammeren  2016-07-25 19:35
If you're having trouble with Flash, follow my recipe, which I have been using for several years now. Simply uninstall Flash, then browse with Safari and Firefox to your heart's content. In the rare circumstance that you do want to see some Flash content, then browse to that page with Google Chrome, which has its own implementation of Flash, and never needs manual updating, etc.
pdunn5  2016-07-26 06:16
I'm almost done with Flash entirely. Even paychex.com, which I use to manage two payrolls, has almost switched everything to HTML5 from Flash, but they are not there yet.