Add Flash support via extra user approval #1093
Comments
I think you meant can't be turned off?
we actually have two community-created wiki pages for this: https://github.com/brave/browser-laptop/wiki/Non-Supported-Video-Sites and https://github.com/brave/browser-laptop/wiki/Flash-But-not-Video-sites. might be good to combine them and use that for flash whitelist tracking.
Yep. I think when writing it I meant Flash can't be turned on without it. But ya, as you said is what I mean.
Agree but until someone else has time to combine them and review the comments in the Flash issue and combine that, I'm leaving that other bug open for now. This bug will only be about the implementation.
@diracdeltas I created the secondary page, based on a request perhaps from @BrendanEich, but if it makes things more efficient, I support combining.
@weems could you combine them and mark which ones are video sites? thanks.
I can understand the support for html5 and flash being all clustered and all. I highly doubt anyone has time in their life, creating a github account just for posting one single website and then wait several days until it gets whitelisted.
I do see your point @64py but Flash is dying and part of our job is to help it die and whitelist where there is no alternative. Flash comes with stability and frequent security problems. We should avoid burdening users with whitelist mgmt when possible.
Will flash be packaged like in Chrome (is it allowed)? I don't have flash installed on my system and don't want to. I'm using Firefox and usually sites work fine and give me the html5 version since there's no flash support detected. Being able to use Flash in Brave without having to compromise my system would be super cool.
I am on the latest Public Beta release and if I go to the BBC News Web page for "Video Top Stories": every single story/video shows me a "You need to install Flash Player to play this content" popup. Very annoying, especially since I think you guys have Chrome bits under the hood that can probably use the Pepper Flash plug-in? I'm all for Flash dying but for God's sake, when one of the biggest sites in the world still has Flash videos at least give us an option to enable it if we like ...
Yes, @RiotNrrrd, that's why this issue is posted and open.
Thanks for being open to discussing it.
By the way this is currently in 0.9 milestone, so it is high on the priority list and happening soon.
Forgot to add another high-profile site still using Flash -
Amazon prime music requires flash
Not sure how much anyone has put into getting flash to function, I have the code but I'm not 100% sure how to share it without just posting it. I spent the better part of the last 12 hours working on it and well it should function with just about every OS. I still have to get the linux adapters and the windows flash adapters. But the code looks sound. Works with OS X.
You could consider a gist ( https://gist.github.com/ ) or a pull request (fork this repo and do a pull request for changes). Or just add a comment with adding 3 backticks before and after the code blocks.
I'll add what I did to get it working this evening after work :).
(Editing to be more on-topic.) As to user- vs. Brave-maintained whitelist: Many non-profits/companies use Adobe Connect for their meetings, and that's a Flash-based product that is often run in-house on a private network (for increased privacy). There's no way that a Brave-maintained whitelist could have private sites. Additionally, as you consider enabling Flash, consider that Adobe Connect relies on an unsandboxed Flash-plugin-invoked executable called the "Connect Addin" (downloaded from here on Mac and here on Win; not sure about linux). If you are going to enable with a whitelist, you probably want to distinguish whether the site is allowed to use the Flash plugin in an un-sandboxed mode. Disclaimer: I work for Adobe, so I use Connect a lot, as well as the Connect Addin. That doesn't mean I love the idea of an unsandboxed executable being launched by my browser, but for now it means I have to use something other than Brave to do so. (Both Safari and Chrome allow unsandboxing of the Flash plugin.)
I'll agree with @RiotNrrrd. I don't think that is your call to make. At least not yet. The current need for you to whitelist some selective sites suggest that Flash isn't dead... And I take issue with only allowing your own personal favorites or only high profile sites. What about the small guy's ecommerce website still relying on a flash builder to build products and place orders. What's the basis for censuring his flash app? This is the sort of policy I'd expect from a Tor-like browser. But if brave wants to target a wider audience. I have to say, as a user, I don't welcome this kind of selective censorship policy. Please let the user choose.
The next link doesn't work normally: http://ici.tou.tv/dans-l-oeil-du-dragon. It's a good idea to not activate flash, but can we get the video link to be able to play it directly with an external tool like vlc or mplayer?
Comedy Central videos also do not play:
There was a proposal on Slack to add a This would be in addition to Flash being click-to-play on whitelisted sites.
timeline wise, are we talking something like 30 days?
@bbondy i was thinking ~1hr or on tab close, whichever happens first
@diracdeltas if a site like spotify requires it shouldn't it be enabled until tab close, or else users will just be in the position of always clicking a button every hour because they want to keep listening to music. I know this is for security's sake, but I think users may not like having to click a button every hour to keep their music playing 😃
I suggested expiration on Slack, and tbh I was thinking more like 30 days. 1 hour seems too short since Flash may be exploited any time based on 0-days, but that's an argument for a short whitelist, not short expiration per se. Some of the sites listed above may not require Flash -- we found nfl.com videos were failing to play due to ad/tracker blocking. Selective shields-down testing may be required to prove it's Flash. Another thing to do: blocklist known-vulnerable plugins. I'd even be ok with uninstalling them from the user's system, with consent. With expiration, I see some hard cases:
In cases like these, almost any expiration will be a source of user annoyance. At the margin it will drive users away (for those sites; they may stick to us for other sites). A 30-day expiration might be tolerable, but anything shorter probably won't be. We're relying on Chrome for Flash and more: for market power to get sites to stop using it. This makes me want to be "less different" where risk is low, to neutralize. It's hard to assess the risk of Pandora or Armor Wars being compromised by a bad .swf, but it seems low. So I'd rather err on side of a longer default expiration, say 30 days. As a site-specific setting, a user could set it to Infinity and rely on our other Flash defenses. Expiration won't solve all problems. I thought of it as a way to hedge against risk of a patched-up, only for known-sites, double-attack of a rogue .swf getting on one of the sites combined with that swf exploiting a vulnerability not known to and resolved by Adobe, Google, and us. Maybe someone has a study of Flash vuln vs. patch history to help quantify. I don't know of one. My gut says the risk is low but non-zero so worth addressing, with something like a default expiration measured in many days. @diracdeltas WDYT?
And if it is a zero day which functions on any Flash site, does it really matter how long you have flash running if it only takes one vulnerable site running for long enough to connect with a target to infect? :/
@weems Indeed, expiration can't protect against targeted 0day. It just keeps the whitelist shrinking over time to the minimum global list, which we can reduce to zero in concert with Chrome. Expiration simply reduces the odds of a bad day for a user who whitelisted a site, and then later the .swf or the whole site was corrupted -- possibly much later due to domain lapse, server compromise, etc.
@BrendanEich maybe it's a pipe dream but I'm hoping sites will switch to Complete HTML5 from Flash once Flash is totally disabled in a future version of Chrome. Odds are they'll just say use FF or IE. We heard the same answers when JRE NPAPI Plugin was Deprecated in Chrome: "just switch browsers".
Would it be possible to mix the "click to play" with a classic Antivirus
After some discussion on Slack and clarification with Chrome on their Flash plans, here's the latest proposal: https://github.com/brave/browser-laptop/wiki/Flash-Support-Proposal Notable differences: no preloaded Brave-maintained whitelist, no Flash settings in the Bravery panel.
Hey all, repping college students here who are tired of Chrome, Firefox, Safari, and IE: many Online Web-based Learning (OWL) platforms like https://owl.oit.umass.edu/ still use flash. Appreciate what everyone at the Brave team is doing.
Closing this in favor of #2279. 0.10.4 has experimental Flash support in the sense that you have to enable Flash integration in about:preferences and click through a banner to allow on a site. However, the banner only appears on sites that try to redirect you to the Adobe installer, like pandora and myspace.
i) Add support for the ability to use Flash but disable it everywhere.
ii) We own / maintain the list of Flash allowed sites.
iii) Do not allow users to whitelist on their own, it has to go through our bug tracking and we can try for html5 fixes first and only use this as a last resort.
iv) Click to play is always on and can't be turned off. And it only applies to sites which are whitelisted.
Implementation should be another data file like adblock, tp, and https-e
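
The per-site approval with expiration discussed in this thread (Flash off unless enabled in preferences, approval per site, click-to-play kept on, a 30-day default expiry, "until tab close", and Infinity as a per-site option) can be modelled as below. This is an added example, not code from browser-laptop; the class `FlashApprovals` and all of its method and field names are hypothetical.

```javascript
// Added illustration: class, method and field names are hypothetical,
// not taken from browser-laptop.
const DAY_MS = 24 * 60 * 60 * 1000;
const DEFAULT_TTL_MS = 30 * DAY_MS; // the 30-day default suggested in the thread

class FlashApprovals {
  constructor() {
    this.grants = new Map(); // origin -> { expiresAt, tabId }
  }

  // Key grants by origin so an approval never covers another scheme, host or port.
  static originOf(url) {
    let u;
    try { u = new URL(url); } catch (e) { return null; }
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : null;
  }

  // Record a user approval. ttlMs may be Infinity (per-site "never expire");
  // a tabId ties the grant to that tab so it also ends on tab close.
  approve(url, now, { ttlMs = DEFAULT_TTL_MS, tabId = null } = {}) {
    const origin = FlashApprovals.originOf(url);
    if (origin === null) return false;
    this.grants.set(origin, { expiresAt: now + ttlMs, tabId });
    return true;
  }

  closeTab(tabId) {
    if (tabId === null) return; // grants without a tab are not tab-scoped
    for (const [origin, grant] of this.grants) {
      if (grant.tabId === tabId) this.grants.delete(origin);
    }
  }

  // 'block': Flash is off in preferences or the URL is not http(s).
  // 'ask': no live approval, show the approval prompt.
  // 'click-to-play': approved, but the plugin still waits for a click.
  decide(url, now, flashEnabledInPrefs) {
    const origin = FlashApprovals.originOf(url);
    if (!flashEnabledInPrefs || origin === null) return 'block';
    const grant = this.grants.get(origin);
    if (grant && now < grant.expiresAt) return 'click-to-play';
    this.grants.delete(origin); // drop an expired grant, if any
    return 'ask';
  }
}
```

Passing `now` explicitly keeps the expiry logic testable; an approved origin never returns anything more permissive than `'click-to-play'`.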