Firefox 55: Flash runs only on HTTP or HTTPS
Mozilla plans to implement a change in Firefox 55 that restricts plugins -- read Adobe Flash -- to run on HTTP or HTTPS only.
Adobe Flash is the only NPAPI plugin that is still supported by release versions of the Firefox web browser. Previously supported plugins such as Silverlight or Java are no longer supported, and won't be picked up by the web browser anymore.
Flash is the only plugin left standing in Firefox. It is also still available for Google Chrome, Chromium-based browsers, and Microsoft Edge, but the technology used to implement Flash is different in those web browsers.
Adobe Flash causes stability and security issues regularly in browsers that support it. If you check the latest Firefox crash reports for instance, you will notice that many top crashes are plugin-related.
Security is another hot topic, as Flash is targeted quite often thanks to new security issues coming to light on a regular basis.
Mozilla's plan to run Flash only on HTTP or HTTPS sites blocks execution of Flash on any protocol other than HTTP or HTTPS. This includes, among others, FTP and FILE. Flash content will be blocked completely in these instances: users won't get a "click to play" option or something similar; the Firefox web browser simply won't load or execute the resources.
Mozilla provides an explanation for the decision on the Firefox Site Compatibility website:
Firefox 55 and later will prevent Flash content from being loaded from file, ftp or any other URL schemes except http and https. This change aims to improve security, because a different same-origin policy is applied to the file protocol, and loading Flash content from other minor protocols is usually not well-tested.
Mozilla is also looking into extending the block to data: URIs.
The change should not affect too many Firefox users and developers, but it will surely impact some. Mozilla implemented a new preference in Firefox that allows users to bypass the new restriction:
- Type about:config in the browser's address bar and hit the Enter-key.
- Confirm that you will be careful if the warning prompt appears.
- Search for the preference plugins.http_https_only.
- Double-click on it.
A value of True enables the blocking of Flash content on non-HTTP/HTTPS pages, while a value of False restores the previous handling of Flash so that it runs on any protocol. Mozilla suggests however that developers set up a local web server instead for Flash testing if that is the main use case. (via Sören)
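Mozilla's suggestion of a local web server for Flash testing, sketched as an added example (not from the article or from Mozilla): it serves one directory over http on 127.0.0.1 only, so the test content is not reachable from the network and plugins.http_https_only can stay set to True. The names SwfTestHandler, start_server, fetch_headers and demo are assumptions made for this sketch, and the test.swf bytes are a constructed placeholder.

```python
import functools
import http.client
import http.server
import pathlib
import tempfile
import threading

class SwfTestHandler(http.server.SimpleHTTPRequestHandler):
    # Declare the Flash MIME type explicitly instead of relying on the OS mime database.
    extensions_map = {
        **http.server.SimpleHTTPRequestHandler.extensions_map,
        ".swf": "application/x-shockwave-flash",
    }

    def log_message(self, fmt, *args):
        pass  # keep the test server quiet

def start_server(directory, port=0):
    """Serve `directory` over http; port=0 lets the OS pick a free port."""
    handler = functools.partial(SwfTestHandler, directory=str(directory))
    # Bind to loopback only: the default of all interfaces would expose the files to the LAN.
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_headers(server, path):
    """Return (status, content_type) for `path` on the running test server."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/" + path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Content-Type")
    finally:
        conn.close()

def demo():
    """Start the server on a temp directory and fetch one constructed file."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed placeholder bytes, not a real SWF movie.
        (pathlib.Path(tmp) / "test.swf").write_bytes(b"FWS\x00constructed")
        server = start_server(tmp)
        try:
            return server.server_address[0], fetch_headers(server, "test.swf")
        finally:
            server.shutdown()
            server.server_close()
```

For real use, call start_server with the directory holding the test files and a fixed port, then open the resulting http://127.0.0.1 address in Firefox.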
Now You: Do you still require Flash? What for?
I am seriously considering banning it completely. Quite an impact: no more national TV or radio, which is my only reason for dealing with this plugin. Great feature security-wise. But what about deletion of Flash cookies in terms of the future lack of add-ons? BetterPrivacy is not listed as a web extension. Don’t know about click & click, but it’s a no go anyway: checked the homepage: heavily tracking. So anyone: is it possible to remove this plugin completely, as it comes automatically with FF and Palemoon? Palemoon still supports an older version of BetterPrivacy, but still no good in terms of security. Do you, @Martin Brinkmann (or anybody else), know of a planned web extension to replace BetterPrivacy?
correction: I meant Click&Clean
If Flash is disabled Flash cookies can’t be accessed by content. Flash cookies are just Flash setting and reading its own cookies and obeying your browser’s preferences related to them. If Flash is disabled or click to play there’s no business with flash cookies going on until you enable it or allow it to run through a click.
You don’t need to uninstall Flash, especially if you need it for some sites. You can set it to click to play, that’s more than enough. You can also disable it through about:addons.
Flash does not “come with” Firefox or Palemoon. It comes from Adobe and is installed as a separate product. All FF/PM do is detect and allow use of it. The only plugin still detected by FF is Flash, and you can disable FF scanning for it by setting `plugin.scan.plid.all` to false in about:config.
I recommend you uninstall Adobe Flash from your system. If you need Flash for a particular site (e.g. a game, or a particular video site), then I suggest you use Chrome for those sites, as Chrome comes with its own bundled version of Flash. In this day and age, there’s no reason why you can’t run 4 or 5 different browsers if need be.
@Sorgo and @Pants
thank you for taking time to help me out.
great to know, how it really works. I rushed to about:config but the mentioned setting: plugin.scan.plid.all , was nowhere to be found? I run FF 53.0.2 in ubuntu.
It is a “Windows Only” preference, sorry. Its purpose is to scan the Windows Registry for PLIDs (which is where Windows kept its info on Flash, RealPlayer, Java, Antivirus etc – this is now restricted to just Flash – I think PLID stands for Physical Location Identifier, so that was how FF could enumerate & locate them all, but not my area of knowledge). I haven’t had Flash for well over a year, but if you can’t stop FF on Ubuntu detecting Flash, you should (from the about:addons Plugins page) be able to set Flash as “never activate”.
I entirely agree
Some sites still use it for multiple uploadings : easy to convert to HTML5
“to run on HTTP pr HTTPS”
You meant “or”
There are still many pages that require Flash, especially German TV station’s media centers use it quite a lot (unless they switched since I last tried abandoning Flash). Thanks to NoScript, Flash is blocked on most sites anyway, so the risk of using it is not that big, I guess.
Yeah it’s pretty safe with click to play, whether it is Firefox’s or NoScript’s. I only disabled Flash because privacy.resistFingerprinting disables Flash.
I use Flash because many news channels require it. Firefox and Cyberfox are the only browsers which I use.
I have never had either of them crash while I am browsing, I find the complaints about Flash crashing the browsers very strange !
It used to crash all the time when I used it years ago, though it has improved a certain amount since then.
I love Flash, but since a neat feature currently hidden under privacy.resistFingerprinting disables it, I don’t use it anymore. I keep it up to date and very rarely I’m asked to activate it.
I don’t play web games these days though, and they are the main remaining bastion of Flash. (Not for long now that WebAssembly and WebGL 2 are out)
I think Flash can slowly fade away proudly now, though then again I don’t have a clear idea of the % of web games that would be affected. Probably still too many.
Need it for news, games. Thanks for info on how to fix it.
Do you access news or games via the file:// or ftp:// protocol? I don’t think so. I am pretty sure you visit your news and games websites via http:// or https://. If so then there is nothing that you have to fix. ;)
It is not the websites which need Flash to load but the video content within the websites !! Big Difference !!
I actually do have a few flash games that I’ve downloaded, and thus loading them up in the browser would mean accessing via file://.
If it’s downloaded you can run the SWF file as a standalone with the (Adobe official) Flash Player projector that you can find here : https://www.adobe.com/support/flashplayer/debug_downloads.html
Flash based players are still used on hundreds (thousands?) of US based media sites and won’t go away unless there is some incentive to these content providers.
Until HTML5 games are on a par with Flash games, I will stick with Flash for now. It could take years for Flash to wean itself out of the web.
I set it to never activate a long time ago, so when it’s time for national tv/radio i activate it and deactivate immediately afterwards when I’m done. I delete flashcookies at once as well. I do know a few linux/ubuntu geeks. maybe they can help me out. thanks anyway
You don’t need to bother with the setting he talked about. When Flash is disabled, no vulnerability can be triggered by web content. Vulnerabilities are bugs in software that can be exploited by making it read a specially designed file. Flash doesn’t read anything if it’s never used.
Flash is not a security risk if it is only activated for reading first party content that you explicitly want to read, whether through click to play or activation/deactivation. Third-party and unconditional activation are the sensitive points.
I uninstalled Flash Player NPAPI and I disabled Flash on Edge
In Chrome I disabled it by default
When I really need it (some sites still require it to do multiple uploads), I use Chrome where I authorize Flash for these sites
Just updated the new Firefox 55.0.3 yesterday, and all Facebook games have three recurring problems.
1. Fail to load or …
2. Require a new reload half way through playing …
3. About 2-3 seconds lag time on all mouse functions (the reason for 1 and 2 I suspect)