The Mozilla Foundation, makers of the Firefox browser, said in a blog post that in August 2016 it will start filtering large categories of Flash usage that aren’t beneficial for users in order to reduce crashes and improve battery life on laptops. As the year goes on, Firefox will clamp down on more kinds of Flash content, and next year it will require that users approve playing any Flash content with a click. These moves are part of a trend by all browser makers to deprecate Flash, which is buggy and remains full of security holes.
Like other browser makers, Mozilla claims that loading less Flash content improves security, increases battery life, reduces the time to load and render pages, and generally makes Web pages more responsive. Along with its other failings, Flash has long been a CPU hog.
Mozilla bills this as blocking “certain Flash content that is not essential to the user experience,” by which they mean several types of tracking mechanisms used by advertisers and ad networks. Because the use of Flash for video has been so heavily reduced, with YouTube, Facebook, and others switching to HTML5-based video delivery for modern browsers, advertisers’ use of Flash for tracking and showing videos embedded in ads may be the only Flash that most users encounter on a regular basis.
Mozilla notes in a linked code repository that it blocks two kinds of Flash uses for objects that are 5-by-5 pixels or smaller: fingerprinting and supercookies. It estimates these two changes will reduce Flash-related crashes by 10 percent, an enormous amount across all Firefox users.
Fingerprinting uses a Flash command to retrieve a list of all installed fonts, which is one method that advertisers use to identify a browser even when someone has taken steps to not be tracked.
Supercookies are far worse: they store identifying details in a Flash object that isn’t removed when browser cookies and other tracking information are deleted; these Flash objects may even persist across private-browsing sessions. Supercookies often check to see whether a browser cookie has been removed and, if so, they “respawn” the browser cookie from an internal cache.
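For site owners who want to know which of their own embeds fall under the 5-by-5 pixel size Mozilla describes, the following added example (not Mozilla's code, and not how its block list works) scans page markup for Flash objects at or below that size. The function names, the sample markup, and the MIME-type/`.swf` detection heuristic are assumptions of this example.

```python
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
MAX_SIDE = 5  # pixel threshold taken from the article

# Constructed sample markup, for illustration only.
SAMPLE = """
<object type="application/x-shockwave-flash" data="/ads/t.swf" width="1" height="1"></object>
<embed src="/media/player.swf?v=2" width="640" height="360">
<embed src="/ads/fp.swf" width="5px" height="5">
<object data="/img/logo.svg" width="2" height="2"></object>
"""


def _pixels(value):
    """Return a width/height attribute as int pixels, or None if absent or not a plain pixel value."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class TinyFlashFinder(HTMLParser):
    """Collects <object>/<embed> tags that load Flash and are MAX_SIDE pixels or smaller on both sides."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("object", "embed"):
            return
        a = dict(attrs)
        src = a.get("data") or a.get("src") or ""
        # Heuristic (assumption): Flash is identified by MIME type or a .swf path.
        # Legacy classid/<param name="movie"> embeds are not covered here.
        is_flash = ((a.get("type") or "").lower() == FLASH_MIME
                    or src.lower().split("?")[0].endswith(".swf"))
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        if is_flash and w is not None and h is not None and w <= MAX_SIDE and h <= MAX_SIDE:
            self.hits.append((tag, src, w, h))


def find_tiny_flash(html):
    finder = TinyFlashFinder()
    finder.feed(html)
    return finder.hits


if __name__ == "__main__":
    for hit in find_tiny_flash(SAMPLE):
        print(hit)
```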
Later this year, Firefox will stop allowing Flash to determine whether a given piece of content on a Web page is visible, another element of ad tracking. (If someone can’t see an ad, has it truly been served?) An HTML-based alternative will be made available in Firefox when it disables the Flash version.
Finally, in 2017, Mozilla will switch from Flash playing by default to requiring a click for approval.
Mozilla’s steps parallel those taken by other desktop Web browser makers. Apple’s WebKit team said in June 2016 that macOS 10.12 Sierra won’t reveal to a Web server what multimedia plug-ins it has in order to force sites to deliver HTML5 by default. If a site can’t send HTML5, Safari will show the visitor a click-to-play option for Flash. (This is separate from the excellent ClickToFlash and ClickToPlugin extensions available for Safari.)
Google made a similar announcement about Chrome in May 2016. The Chrome browser will report that Flash is available only to servers in the top 10 most-visited domains worldwide that serve any Flash content, currently including YouTube, Facebook, Yahoo, Microsoft’s Live.com, Amazon, and Twitch. Users can also whitelist Flash.
Microsoft isn’t as committed to reducing and ultimately eliminating Flash as the other three major browser makers, and its plans have no impact on iOS and Mac users. However, it intends to isolate Flash in future updates to Internet Explorer by “pausing unnecessary content,” which may refer to Flash used for tracking, auto-play video, and other ad-related purposes.
Unfortunately, some misguided and outdated Web sites continue to rely on Flash, and this set might include online services you have to use for work, banking, or managing health-care issues. Hopefully their reliance on Flash will be short-lived, since every step browser makers take to reduce Flash’s use further prods laggard sites to get with the times and give up on Flash.