Connect with us

Hi, what are you looking for?



Chrome to Deprecate Flash in Favor of HTML5

Google is planning to block Adobe Flash and implement an ‘HTML5 by Default’ policy on Chrome by the end of 2016. The intention is to use HTML5 automatically, and force users to explicitly accept the use of Flash only where there is no other choice.

Google is planning to block Adobe Flash and implement an ‘HTML5 by Default’ policy on Chrome by the end of 2016. The intention is to use HTML5 automatically, and force users to explicitly accept the use of Flash only where there is no other choice.

It’s been coming. The end was almost inevitable once Steve Jobs Announced that Apple would not allow Flash on iOS back in 2010. Two years later Adobe announced there would be no certified implementations of Flash on Android 4.1. For the desktop, Amazon ceased accepting Flash advertisements in September 2015. Google will do the same for AdWords and DoubleClick from the end of June 2016.

Now Chrome developers have put forward a proposal to promote HTML5 above Flash in Chrome on desktops. Anthony Laforge, technical program manager at Google (Chrome), announced last week the intention to allow Flash execution only “if the user has indicated that the domain should execute Flash.” The target for implementation of this proposal is Q4, 2016.

Flash will still be included with Chrome, but it currently seems there will be little granularity in choices for the user. If a visited site requires Flash, the user will be given the option to accept Flash for that site. Chrome will then add the site to a whitelist for future visits. 

“To reduce the initial user impact, and avoid over-prompting,” wrote LaForge, “Chrome will introduce this feature with a temporary whitelist of the current top Flash sites.” The whitelist includes companies such as YouTube, Facebook, Twitch and Amazon; although this may change over time. “This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.”

Two immediate concerns from users commenting on the LaForge proposal concern the lack of granularity in user choice, and concern for the future of the gaming industry. 

On the former, one commenter to the LaForge proposal wrote, “I would want Chrome to be able to understand, verify and present to the user information on the status of a code signed SWF file before passing it to the plugin.” As an example, he would like to be able to base his subsequent action on being able to distinguish between a Yahoo Flash signed by Yahoo, and one signed by Adobe. “If I want to trust only flash code signed by which is served by and reject code signed by, and unsigned flash then I should be able to do so.”

The future of Flash is particularly important to Flash gaming companies. One indie game developer commented, “Our codebase is huge, so moving to another technology would impact us (and other Flash based game companies alike) heavily. And what I would really appreciate is if our own discrete internal decisions would not be forced by Google or other companies that think they know best for everyone.”

Advertisement. Scroll to continue reading.

The security industry, however, is likely to be uniformly in favor of Google’s intentions. The most recent Flash zero-day exploit was patched just last week. 

In a special note titled ‘Flash: The Last of the Low-Hanging Fruit’ in F-Secure’s Threat Report 2015 published last month, security advisor Sean Sullivan wrote, “It’s at this point that I’ll make the following prediction for early 2017 – once it no longer needs to support Flash-based ads – the Google Chrome browser will start aggressively forcing users to whitelist sites that require any sort of Flash. Mozilla’s Firefox and Microsoft Edge will do the same, and by spring of 2017. Flash will be effectively decapitated as far as exploit kits are concerned.”

Today he told SecurityWeek, “It seems that Google is aiming for Q4 2016 rather than Q1 2017 as I predicted. Good for Google.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.