Firefox 55: Flash runs only on HTTP or HTTPS

Mozilla plans to implement a change in Firefox 55 that restricts plugins -- read Adobe Flash -- to run on HTTP or HTTPS only.

Adobe Flash is the only NPAPI plugin that is still supported by release versions of the Firefox web browser. Previously supported plugins such as Silverlight or Java are no longer supported, and won't be picked up by the web browser anymore.

Flash is the only plugin left standing in Firefox. It is also still available for Google Chrome, Chromium-based browsers, and Microsoft Edge, but the technology used to implement Flash is different in those web browsers.

Adobe Flash causes stability and security issues regularly in browsers that support it. If you check the latest Firefox crash reports for instance, you will notice that many top crashes are plugin-related.

Security is another hot topic, as Flash is targeted quite often thanks to new security issues coming to light on a regular basis.

Mozilla's plan to run Flash only on HTTP or HTTPS sites blocks execution of Flash on any non-HTTP non-HTTPS protocol. This includes among others FTP and FILE. Flash content will be blocked completely in these instances. This means that users won't get a "click to play" option or something similar, but just resources blocked from being loaded and executed by the Firefox web browser.

flash block firefox

Mozilla provides an explanation for the decision on the Firefox Site Compatibility website:

Firefox 55 and later will prevent Flash content from being loaded from file, ftp or any other URL schemes except http and https. This change aims to improve security, because a different same-origin policy is applied to the file protocol, and loading Flash content from other minor protocols is usually not well-tested.

Mozilla is also looking into extending the block to data: URIs.

The change should not affect too many Firefox users and developers, but it will surely impact some. Mozilla implemented a new preference in Firefox that allows users to bypass the new restriction:

  1. Type about:config in the browser's address bar and hit the Enter-key.
  2. Confirm that you will be careful if the warning prompt appears.
  3. Search for the preference plugins.http_https_only.
  4. Double-click on it.

A value of True enables the blocking of Flash content on non-HTTP/HTTPS pages, while a value of False restores the previous handling of Flash so that it runs on any protocol. Mozilla suggests however that developers set up a local web server instead for Flash testing if that is the main use case. (via Sören)

Now You: Do you still require Flash? What for?

Summary
Article Name
Firefox 55: Flash runs only on HTTP or HTTPS
Description
Mozilla plans to implement a change in Firefox 55 that restricts plugins -- read Adobe Flash -- to run on HTTP or HTTPS only.
Author
Publisher
Ghacks Technology News
Logo
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Firefox 55: Flash runs only on HTTP or HTTPS

  1. b May 17, 2017 at 10:28 am #

    I seriously consider to ban it completely. quite an impact: no more national tv or radio, which is my only reason for dealing with this plugin. great feature security wise. But what about deletion of flash cookies in terms of the future lack of add-ons? BetterPrivacy do not list as web extention. don't know about click & click but its a no go anyway: checked the homepage: heavily tracking. So anyone: is it possible to remove this plugin completely as it comes with automatically in FF and palemoon? palemoon still supports an older version of BetterPrivacy, but still no good in terms of security. Do you, @Martin Brinkmann ( or anybody else ) know of a planned web extension to replace BetterPrivacy?

    • b May 17, 2017 at 10:49 am #

      correction: I meant Click&Clean

    • Sorgo May 17, 2017 at 1:23 pm #

      If Flash is disabled Flash cookies can't be accessed by content. Flash cookies are just Flash setting and reading its own cookies and obeying your browser's preferences related to them. If Flash is disabled or click to play there's no business with flash cookies going on until you enable it or allow it to run through a click.

      You don't need to uninstall Flash, especially if you need it for some sites. You can set it to click to play, that's more than enough. You can also disable it through about:addons.

    • Pants May 17, 2017 at 4:29 pm #

      Flash does not "come with" Firefox or Palemoon. It comes from Adobe and is installed as a separate product. All FF/PM do is detect and allow use of it. The only plugin still detected by FF is Flash, and you can disable FF scanning for it by setting `plugin.scan.plid.all` to false in about:config.

      I recommend you uninstall Adobe Flash from your system. If you need Flash for a particular site (eg a game, or a particular video site, then I suggest you use Chrome for those sites, as Chrome comes with it's own bundled version of Flash. In this day and age, there's no reason why you can't run 4 or 5 different browsers if need be.

      • b May 17, 2017 at 6:39 pm #

        @Sorgo and @Pants
        thank you for taking time to help me out.
        @pants
        great to know, how it really works. I rushed to about:config but the mentioned setting: plugin.scan.plid.all , was nowhere to be found? I run FF 53.0.2 in ubuntu.

      • Pants May 17, 2017 at 7:44 pm #

        It is only a "Windows Only" preference, sorry. It's purpose is to scan the Windows Registry for PLIDs (which is where windows kept its info on Flash, RealPlayer, Java, Antivirus etc - this is now restricted to just flash - I think PLID stands for Physical Location Identifier, so that was how FF could enumerate & locate them all, but not my area of knowledge). I haven't had Flash for well over a year, but if you can't stop FF on ubuntu detecting Flash, you should (from the about:addons Plugins page) be able to set Flash as "never activate".

  2. Hervé May 17, 2017 at 11:50 am #

    "to run on HTTP pr HTTPS"
    You meant "or"

  3. Seban May 17, 2017 at 1:01 pm #

    There are still many pages that require Flash, especially German TV station's media centers use it quite a lot (unless they switched since I last tried abandoning Flash). Thanks to NoScript, Flash is blocked on most sites anyway, so the risk of using it is not that big, I guess.

    • Sorgo May 17, 2017 at 1:28 pm #

      Yeah it's pretty safe with click to play, whether it is Firefox's or NoScript's. I only disabled Flash because privacy.resistFingerprinting disables Flash.

    • T J May 17, 2017 at 1:47 pm #

      I use Flash because many news channels require it. Firefox and Cyberfox are the only browsers which I use.
      I have never had either of them crash while I am browsing, I find the complaints about Flash crashing the browsers very strange !

      • Jed May 17, 2017 at 6:12 pm #

        It used to crash all the time when I used it years ago, though it has improved a certain amount since then.

  4. Sorgo May 17, 2017 at 1:20 pm #

    I love Flash, but since a neat feature currently hidden under privacy.resistFingerprinting disables it, I don't use it anymore. I keep it up to date and very rarely I'm asked to activate it.

    I don't play web games these days though, and they are the main remaining bastion of Flash. (Not for long now that WebAssembly and WebGL 2 are out)

    I think Flash can slowly fade away proudly now, though then again I don't have a clear idea of the % of web games that would be affected. Probably still too many.

  5. kalmly May 17, 2017 at 2:27 pm #

    Need it for news, games. Thanks for info on how to fix it.

    • Sören Hentzschel May 17, 2017 at 4:51 pm #

      Do you access news or games via the file:// or ftp:// protocol? I don't think so. I am pretty sure you visit your news and games websites via http:// or https://. If so then there is nothing what you have to fix. ;)

      • T J May 17, 2017 at 5:10 pm #

        It is not the websites which need Flash to load but the video content within the websites !! Big Difference !!

      • David May 17, 2017 at 9:15 pm #

        I actually do have a few flash games that I've downloaded, and thus loading them up in the browser would mean accessing via file://.

      • Sorgo May 18, 2017 at 2:25 pm #

        @David

        If it's downloaded you can run the SWF file as a standalone with the (Adobe official) Flash Player projector that you can find here : https://www.adobe.com/support/flashplayer/debug_downloads.html

  6. mikef90000 May 18, 2017 at 12:26 am #

    Flash based players are still used on hundreds (thousands?) of US based media sites and won't go away unless there is some incentive to these content providers.

    I have concerns about its security (or lack thereof) but it has been pretty stable on Linux these days. I only encounter stability issues on systems with low memory or anemic CPUs; the same applies even more to today's web pages that are often infested with poorly generated, Javascript driven advert banners *COUGH*GHACKS*COUGH*.

  7. PM-MAN May 18, 2017 at 12:27 am #

    Until HTML5 games are on a par with flash games then i will stick with flash for now.It could take years for flash to ween itself out of the web.

  8. b May 18, 2017 at 11:29 am #

    @pants
    I set it to never activate a long time ago, so when it's time for national tv/radio i activate it and deactivate immediately afterwards when I'm done. I delete flashcookies at once as well. I do know a few linux/ubuntu geeks. maybe they can help me out. thanks anyway

    • Sorgo May 18, 2017 at 2:31 pm #

      You don't need to bother with the setting he talked about. When Flash is disabled, no vulnerability can be triggered by web content. Vulnerabilities are bugs in software that can be exploited by making it read a specially designed file. Flash doesn't read anything if it's never used.

      Flash is not a security risk if it is only activated for reading first party content that you explicitly want to read, whether through click to play or activation/deactivation. Third-party and unconditional activation are the sensitive points.

  9. Pierre May 18, 2017 at 1:30 pm #

    Hello
    I uninstalled Flash Player NPAPI and I disabled Flash on Edge
    In Chrome I disabled it by default
    When I really need it (some sites still require it to do multiple uploads), I use Chrome where I authorize Flash for these sites

Leave a Reply