Adobe Flash, long the Swiss cheese of the security world, took another meaningful step this week towards well-earned extinction. Google has quietly passed the word that HTML5, rather than Flash, will soon become the default experience in Chrome wherever the choice is available.
Flash Player will still be bundled with Chrome for the time being, but by the end of the year it’ll be hidden away like some embarrassing distant relative, listed neither in the plugins list or as a supported media (MIME) type.
Per Google’s presentation:
When a user encounters a site that needs Flash Player, a prompt will appear at the top of the page, giving the user the option of allowing it for a site. If the user accepts, Chrome will advertise the presence of Flash Player… refresh the page… [and] honor the user’s setting for that domain on subsequent visits.
If a site doesn’t notice Chrome’s hidden Flash Player, and directs a user to adobe.com’s download page, Chrome will cancel that navigation and offer the user the option of activating the copy of Flash Player it keeps squirreled away for such occasions.
To keep user prompts down to a dull roar, Google says it’ll temporarily exempt the ten sites generating the highest Flash usage. According to VentureBeat, that list starts with Google’s very own YouTube.com. The other nine top hotbeds of legacy Flash use: Facebook, Yahoo, VK.com, Live.com, Yandex.ru, OK.ru, Twitch.tv, Amazon, and Mail.ru.
Google’s “allowlist” could change by the time its new policies kick in at year end. The writing’s already on the wall for Flash at some of those sites: last December, Facebook switched to HTML5 for most video content, and, in September, Amazon dumped Flash ads. Needless to say (though we’ll say it anyway), Flash-less mobile platforms like iOS and Google’s Android have contributed hugely to this transition.
As VentureBeat reminds us, Google’s been gently easing Flash towards the exits for years. Even though YouTube still serves plenty of Flash content, Google moved to a HTML5 default in January 2015. The following month, it began automatically converting most Flash campaigns to HTML5, and next January it’ll stop running Flash display ads altogether.
If you’re just awakening from a deep sleep, you might be wondering: Why all the Flash hate? Well, it’s really quite remarkable that Flash is still generating this many security flaws after all these years, but it does, practically like clockwork.
Just last week, we reported Adobe’s release of a Flash update to patch yet another zero-day hole – along with no less than 25 bugs. Then, there was the zero-day flaw Adobe patched in April… and the really significant ones from March… and last July’s… and this one… and this zero-day from last February, quickly exploited by poisoned ads.
Need you keep putting yourself at risk by using Flash? As more and more sites and apps adopt HTML5, many users can shout NO to that question, too. So, as a public service, we share this compilation of uninstall instructions, courtesy of the folks at Occupy Flash.