
Reducing Adobe Flash Usage in Firefox - _jomo
https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/
======
jhatax
I was hoping that Shumway, Mozilla's effort to render swf files using JS (like
what PDF.js is to Adobe Reader), would be released at some point. It looks
like the project has been added to the Firefox Graveyard [1]. I don't have
Adobe Reader installed on my Mac any more, and don't really miss it.

While Chrome's proposal to white-list the top-10 domains is a good start at
curbing the loading of Flash on my laptop, I prefer the approach being
considered by Safari to report that Flash (and other legacy plugins) is not
available on the platform even if it is installed. [2]

Safari's approach will ensure that most users see HTML5 content and won't
really miss Flash. Folks who use sites like Twitch that insist on Flash will
know how to force Safari to load the content they want to view.

Unfortunately, Safari's user share outside of Mobile is very low. We need
Chrome, Firefox and IE to adopt a similar approach (or agree on an approach
for all vendors) if we are to really rid ourselves of Flash.

1\.
[https://bugzilla.mozilla.org/describecomponents.cgi?product=...](https://bugzilla.mozilla.org/describecomponents.cgi?product=Firefox%20Graveyard)

2\. [https://webkit.org/blog/6589/next-steps-for-legacy-plug-
ins/](https://webkit.org/blog/6589/next-steps-for-legacy-plug-ins/)

Edit: Moved links to the end of the post.

~~~
Ygg2
Any idea why Shumway was graveyarded?

~~~
Sylos
Pretty much just too much work and ever-decreasing interest with the
foreseeable death of Flash. This would have probably needed a dedicated team
untangling and implementing the Flash-specification over many months to get it
done before most webpages had already killed off their Flash-content...

------
niftich
I'm very torn on this subject. I'm always wary when browser vendors force the
hand of users, programmers, and everyone else.

I fully understand that Flash has had an outsized share of vulnerabilities
'affecting browsing' over the years; I fully understand that Adobe has
deprecated Flash for new content production; I fully appreciate that the 'web
platform' has acquired new APIs and capabilities over the last four years,
making it a more potent platform than the days when people opted for Flash or
Silverlight because an external runtime was the only way to reliably deliver
the experiences those developers wanted.

But in a world where a HTML webpage from 1991 [1] still loads and renders
fine, I'm worried about the sheer amount of content that exists in Flash from
the 2000s that will be made inaccessible. Sure, those developers should have
known that developing on a proprietary platform is a risky bet, but this was
back when Javascript was awful, browsers were racing to implement not-yet-
final enhancements to CSS3 with vendor prefixes, and powerful vendors were
bickering about which formats to support in a proposed <video> tag. These
developers of course should've known better, but they had no other choice.

 _What Mozilla is doing here is actually quite reasonable_ , but they're under
pressure from Google Chrome who can unilaterally decide to ban flash from all
but the top 10 sites, and get away with it due to their control of multiple
platforms and their unwillingless to compromise.

If Mozilla's tactics stray too far from Google's, they risk being seen as
followers, rather than policy drivers; furthemore they answer to a divided
fanbase that on one hand wants an open, independent web (in which Flash has no
place), and on the other hand, wants a refuge from the incumbent browser
maker's unilateral policies (currently Google, previously Microsoft).

[1]
[http://info.cern.ch/hypertext/WWW/TheProject.html](http://info.cern.ch/hypertext/WWW/TheProject.html)

~~~
Chris_Newton
Similar arguments were made for locking out Java applets, and other plugins.
The trouble is, every time the big browser developers throw their weight
around like this, a lot more content becomes inaccessible, and content is what
the Web is all about. Much of the valuable material that isn’t in the top x%
of sites wasn’t written recently and isn’t necessarily actively maintained,
and this trend for writing off entire sections of the Web because they’re
inconvenient is a very dangerous one, IMHO.

I’d have marginally more sympathy if the modern alternatives we’re supposed to
use instead now actually worked as well as the technologies they allegedly
replace, but often they do not, and the biggest advocates for the newer
technologies are often among the worst offenders.

I’d also have marginally more sympathy if there was evidence that closing out
the plugins would significantly improve security, but given that many of these
changes just move the attack surface to the browser itself and that the
popular plugins have mostly been subject to some sort of click-to-play
safeguard for a while, I’m not sure the security argument holds much water
either.

But in any case, actively cutting users off from large amounts of existing
content with no workaround seems like a huge backward step to me.

~~~
bobajeff
The plugin system itself is very dangerous to the web. It prevents browser
vendors from ensuring that the same content is available on all platforms.
That's why it's being removed.

Already, many widely used devices can't access Flash content. Browser vendors
are doing the responsible thing here by preventing any future situation like
what has happened with Flash on mobile.

~~~
Chris_Newton
But some of the replacements also prevent browser developers from ensuring the
same content is available on all platforms. For example, HTML5 media elements
don’t prescribe specific codecs to be supported, and in practice several of
the major ones are patent-encumbered and encoders and decoders are not freely
available on all platforms without running into potential legal issues. So
now, instead of relying on Flash being available and providing audio-visual
content in a single format that Flash was known to support, we have to encode
that audio-visual content in a variety of different formats to have any hope
of it playing with as much portability, and there are still no guarantees that
it will remain so in the future. I don’t see how this really improves
anything: a useful _de facto_ standard has been replaced by a _de jure_
standard that is less useful and requires more work to comply. If
unrestricted, good quality encodings for audio and video had been standardised
along with the HTML5 media elements, it might have been a different story, but
that is not what we actually have today.

One could make similar arguments about replacing complex and/or interactive
graphical content once drawn using plugins with HTML5 canvas, SVG or WebGL
elements. The quality of implementation, reliability and performance of these
newer technologies are not quite universally awful across all browsers, but
the situation is disturbingly close to that once you start using them for more
demanding applications like complex animations or drawing interactive diagrams
with thousands of elements.

~~~
bobajeff
(Not sure what you're talking about with codecs. H.264, AAC and MP3 are
supported in all major browsers.)

Well you can't rely on Flash being available anyways. It's not available at
all on mobile.

Nothing anyone has ever made (or will ever make) in Flash will work on mobile
today.

~~~
Chris_Newton
_(Not sure what you 're talking about with codecs. H.264, AAC and MP3 are
supported in all major browsers.)_

For example, H.264 is patent-encumbered. It’s now supported to some degree for
HTML5 video elements by all the major browsers on most platforms, but it has
been a long road to get that far.

Mozilla struggled for a long time with getting support into Firefox across
platforms. To this day, Firefox still relies on third party software and/or
hardware decoding to provide the required functionality, and this was a real
world limitation on at least one major platform as recently as two years ago.
A similar limitation would affect any other browser whose developer wasn’t in
on the patent pool or paying royalties to it.

Google also threatened to pull H.264 support from Chrome for a while,
reportedly because of concerns over the licensing costs.

Anyone _distributing_ video encoded using H.264 also needs to be mindful of
the licensing rules. Although small scale and non-commercial uses typically
don’t require royalty payments under the current rules, there is a legal
minefield here for anyone operating a larger business who might be affected.
This is a significant concern in itself given that some major browsers _only_
support H.264 for HTML5 video.

Beyond the patent issues, we also have the issue that H.264 comes in many
flavours, and support for those isn’t standardised across browsers and
platforms either. Unless you’re only talking about the least common
denominator, it’s not really sufficient to refer to H.264 support; you need to
know which specific variations are supported on any given browser, OS and
hardware in order to serve video with the best possible quality and
efficiency. Finding that information is not straightforward, even if you have
the resources to then encode in many different variations once you know.

Looking at the above, it’s hard to see anywhere that the current situation is
actually better than what we had for a long time with plugin-based players,
except on newer systems that don’t support those plugins. Which brings us to…

 _Well you can 't rely on Flash being available anyways. It's not available at
all on mobile._

Of course you can’t rely on it _now_ , but that is mostly an artificial
limitation imposed first by the mobile browser developers and subsequently by
Adobe themselves in response. A Flash player was available on Android for a
long time, and Microsoft were reportedly keen to see a version running on
Windows Phone as well.

What we’re really talking about here is Apple starting the ball rolling by
refusing to allow plugins on iOS, for reasons we may or may not believe are
what Apple publicly claimed at the time. Considering that there have been
numerous significant problems with Apple’s support for HTML5 video on iOS
devices — not least relying on the infamous AppleCoreMedia to handle that
content instead of the browser itself for a very long time, causing all sorts
of functionality to break — and that Apple’s policies prevent any other
browser on iOS from doing better, I have always found their stance on this
rather hypocritical.

~~~
bobajeff
Sure, BlackBerry and Windows Phone could've maintained Adobe's support for
their platforms. But that would've been expensive, a poor user experience
(like Android's version) and depend entirely on Adobe continuing to allow
access to their source code and distribution of the flash player.

No matter who you want blame however doesn't change the fact the Flash isn't
ubiquitous. It's ubiquity always depended on a single vendor supporting it on
every platform.

------
_jomo
I don't have Flash installed at all anymore and it works quite well. For the
few sites that don't work without Flash these days, I either don't care or use
youtube-dl -g [0] or livestreamer [1] and open the direct video link in
Browser or VLC.

Twitch is one of the popular sites that don't have a working HTML5 player for
the masses (it does work without Flash using the methods above). There's
Beam.pro which has some interesting approaches to live streaming with HTML5
[2]. The only thing I haven't found a great solution for are the big Music
streaming sites, which all rely on Flash (the others shut down). Some people
told me Google Play Music may or may not work with HTML5 but I haven't tried
that yet.

Also, a great number of websites will ask you to turn on Flash when installed
but deactivated and only use the HTML5 player when it's not actually
installed. I guess it's a design flaw that Browsers report disabled or click-
to-play plugins to websites.

0: [http://rg3.github.io/youtube-dl/](http://rg3.github.io/youtube-dl/)

1: [http://docs.livestreamer.io/](http://docs.livestreamer.io/)

2: [https://forums.beam.pro/topic/168/where-we-re-at-with-
html5-...](https://forums.beam.pro/topic/168/where-we-re-at-with-html5-video)

~~~
simcop2387
At least with pandora, there's a few clients out there that can work outside
of a browser. I usually use Pithos[1] or Hermes[2], no idea about the others.

[1] [http://pithos.github.io/](http://pithos.github.io/) [2]
[http://hermesapp.org/](http://hermesapp.org/)

~~~
Miner49er
My personal favorite is pianobar:
[https://6xq.net/pianobar/](https://6xq.net/pianobar/). It's a CLI client.

------
rcconf
If you Google 'top facebook games', and you browse to each one, you will find
a majority of them use Flash. Here are a few of them:

\- Candy Crush (50,000,000+ monthly users)

\- Dragon City (10,000,000+ monthly users)

\- Criminal Case (10,000,000+ monthly users)

\- Angry Bird Friends (1,000,000+ monthly users)

I'm currently working on a Flash game with a large player base. Firefox's
suggestion of adopting HTML technologies is not simple when the game is 9
years old! I think many Facebook games are going to run into a similar issue.

It's getting scary now tho, it seems like Firefox and Chrome are aggressively
trying to get rid of the usage of Flash. We've essentially decided that we're
going to convert this 9 year old game to C++ (via Emscripten) in the next
year. Good luck to everyone else who is going through the same thing as we
are.

~~~
bobajeff
I think it should be up to Adobe to come up with a solution here. Something
like an Adobe AIR for the web.

~~~
pc2g4d
I really don't understand why they haven't stepped up with a Flash-to-HTML5
converter as part of the Flash/Animate application. It would ensure the
continued relevance of those tools.

~~~
joecool1029
I also don't understand why Google killed off Swiffy as a easy conversion tool
for simple flash animations/ads.

[https://developers.google.com/swiffy/](https://developers.google.com/swiffy/)

------
rcthompson
> We categorized SWFs as fingerprinting SWFs if they were smaller than 5x5
> pixels

Coming soon: 6x6 fingerprinting/tracking SWFs?

------
verisimilitude
It is interesting to contrast this discussion today with the discussion Jobs'
"Thoughts on Flash" spurred 6 years ago:
[https://news.ycombinator.com/item?id=1304310](https://news.ycombinator.com/item?id=1304310)

~~~
SG-
Flash has also dramatically increased it's performances since those times
because of how pathetic things were.

------
white-flame
> Over the past few years, Firefox has implemented Web APIs to replace
> functionality that was formerly provided only by plugins. This includes ...
> fast 2D and 3D graphics

Just a friendly reminder that the 2D graphics functionality of Flash is still
not replaced for a massive chunk of graphics and games built with a vector-
based visual style.

Canvas 2D vector graphics still do not properly antialias adjacent edges
(shows garish seams and unexpected transparencies), whereas Flash would render
them properly and with high quality.

------
ars
Any plan to reduce/remove flash needs to address the HUGE amount of small
flash based web games. Just look for online playable games for kids and you'll
see how many there.

"Websites that currently use Flash or Silverlight for video or games should
plan on adopting HTML technologies as soon as possible."

This is utterly unrealistic, these games are 10 or more years old sometimes,
and still played in large numbers, with no money available for the developer
to rewrite them.

Only an automatic transpiler of some kind has any chance here.

~~~
Sylos
The problem is that this is not easy at all. Mozilla had a project which tried
to do pretty much exactly that, called Shumway [0], and development has been
going on for a few years, but they didn't really get anywhere useful in all
that time.

[0]:[https://mozilla.github.io/shumway/](https://mozilla.github.io/shumway/)

~~~
spriggan3
Unfortunately without the help of Adobe itself, this project is DOA. It won't
run most flash content out there. Flash content HAS to be specifically
designed to run on shumway. Adobe should have open sourced flash years ago, it
didn't. Well at least that's a lesson for developers, don't use proprietary
techs on the web.

------
nix0n
Now that HTML5 is gradually replacing Flash, has anyone seen a good Flashblock
replacement for blocking HTML5?

~~~
Nadya
Block all Canvas, Audio and Video elements?

~~~
Grue3
Don't forget shit like WebRTC that's impossible to turn off and known to leak
certain private information (such as internal IPs).

~~~
cpeterso
Here is a Firefox add-on to disable WebRTC:

[https://addons.mozilla.org/firefox/addon/happy-bonobo-
disabl...](https://addons.mozilla.org/firefox/addon/happy-bonobo-disable-
webrtc/)

The source code is on GitHub:

[https://github.com/ChrisAntaki/disable-webrtc-
firefox](https://github.com/ChrisAntaki/disable-webrtc-firefox)

~~~
ComodoHacker
All it does is set media.peerconnection.enabled to false. Looks like it's not
enough, since WebTorrent[1] is working somehow anyway.

[1] [https://webtorrent.io/](https://webtorrent.io/)

~~~
Sylos
Do you get more than one peer? I seem to get only one when I disable
media.peerconnection.enabled and I assume that one peer is just the server
streaming the video directly.

~~~
ComodoHacker
Yes, it falls back to web seed. I've got explanation from devs.

------
supergreg
The only use for Flash I have these days is for streaming sites like Twitch.
Once that's tackled, I'll be more than happy to remove the plugin.

That said, it used to be easy to block annoying stuff by having Flash enabled
on demand.

~~~
sp332
Does Twitch just not work on Safari?

~~~
duskwuff
Twitch uses native HLS playback in Safari. This isn't available in other
browsers (yet).

~~~
spikengineer
Chrome and Firefox never plan to support HLS. They only want customers to use
HTML5-DASH.

~~~
cpeterso
And for websites that have existing HLS content or workflows they would like
to use with desktop browsers, they should check out solutions like
Dailymotion's HLS.js polyfill. It tunnels HLS streams into the MSE API (used
by DASH) available in Chrome, Firefox, IE/Edge, and Safari. Mozilla works
closely with the HLS.js developers to help debug compatibility issues and
regressions in Firefox or HLS.js.

[http://engineering.dailymotion.com/introducing-hls-
js/](http://engineering.dailymotion.com/introducing-hls-js/)

------
jlebar
I know this is unimportant, but I have to say, I strongly dislike this green
trendline that they have fitted to the graph.

It clearly does not fit. The graph flattened out at Jul 2015.

------
amelius
I really wonder if one day (perhaps in a distant future) HTML will end up on a
graveyard, just like Flash, and what we can do now to make this event less
painful.

------
Animats
Mozilla needs to do outreach to the porno industry to get them to convert.

~~~
SG-
The mobile browsers (iPhone) have already caused them all to move to it long
ago. They're further ahead of the BBC that still insists on Flash video.

------
codazoda
Good. They're going slow, starting with fingerprinting and supercookies, which
is nice for users. I welcome the end of Flash.

I personally killed flash from Chrome about a year ago. I've seen a few sites
that use it, which I just leave, but I haven't seen anything I can't live
without.

~~~
ComodoHacker
>starting with fingerprinting and supercookies

It's strange they weren't mentioned in the blog post. Only the third class of
blocked content, viewability test, is mentioned.

------
ComodoHacker
>The criteria for adding content to the blocklist are:

>* Blocking the content will not be noticeable to the Firefox user.

>* It is possible to reimplement the basic functionality of the content in
HTML without Flash.

There are three classes of content in the block list: Fingerprinting,
Supercookie and Viewability. While I'm heard of various fingerprinting
techniques besides Flash, I'm curious how "to reimplement without Flash the
basic functionality" of supercookies, given its main feature is persistence
despite of user's effort.

------
ivanhoe
I had it disabled in Chrome for the last 6 months or so, and very rarely
needed to temporarily re-enable it, like maybe twice in all that time. And
even that is not a big deal, you just go to chrome://plugins and switch it on
and back off later, it takes 2-3 clicks to do it.

------
Endy
That's funny. I guess there's a reason why I'm being forced into using old
browsers rather than supporting any of the rabid anti-Flash nonsense. Then
again, I'm anti HTML5 & WebDRM (now under the more innocuous title of EME)

------
nfriedly
I don't install flash these days. I usually browse in Firefox and don't really
miss it. On the occasions when I do need flash for something, I'll fire up
Chrome because it has flash built in.

------
bobajeff
I think Chrome's propsal to whitelist the top ten domains and block all the
other sites by default would be more effective at curving the web's dependency
on flash.

Edit: Turns out Firefox is planning on blocking all sites by default. So
Firefox's approach looks more promising.

~~~
ocdtrekkie
I disagree heavily. Because Chrome's proposal is essentially an elitist focus
on assuming the top ten sites are the only sites worthy of using terrible
code. It's unsurprising Google favors this strategy: Google will always end up
in that top ten list. (And surprisingly, a lot of Google websites fallback on
Adobe Flash still. Play Music doesn't work on Firefox without it.)

YouTube is no more worthy of using Adobe Flash than my personal website. They
should be treated the same. If we are to disincentivize Flash, it should be
disincentivized equally across the board.

~~~
sqeaky
If any browser were to act against and "disincentivized equally across the
board" by doing something like blocking it entirely that would simply be a
browser people who wanted flash content would use less.

Some people want flash, probably because they are oblivious to security
concerns or simply don't care about standards and progress. These are the
people we must convince. Letting them have what they "must" have while
chipping away at the problem is something that might work here and now. Likely
these people wouldn't even realized the browser was doing it in this case and
would blame the sites for having broken flash. Despite seeming morally grey or
deceptive, it could work and might not punish the browser doing it.

~~~
ocdtrekkie
The funny thing is, this change would convince me to install the Flash plugin
for Firefox. I've long used a different browser if I needed Flash because I
didn't want the separate dependency to update that has a lot of security
flaws. (Since IE/Edge and Chrome include and auto-update it). Now, I can
safely install Flash on my Firefox, and know that it won't affect anything
unless I explicitly permit it.

I am generally against browsers acting against user desires for compatibility.
(And specifically, backwards compatibility, which the web should strive to
be.) I would argue that blocking Flash is an antifeature, but providing a
security gate, like not running it by default, is a security feature.

~~~
azdle
You can actually get that now. Firefox lets you set plugins to "Ask to
Activate" and as far as I can tell it uses some logic like the article talks
about foe whether it notifies you to activate or not. I've had it set to that
and I only seem to get popups when there's a giant main video or I click a
button on the page that tries to use flash for something.

------
fulafel
It's crazy that the perpetual security disaster hasn't been enough to disable
Flash so far. (Goes for Chrome too, but at least they have reasonable
sandboxing for it)

~~~
dredmorbius
Keep this in mind should you ever be inclined to consider a security-based
start-up.

People simply don't care.

