Issue metadata

Status: WontFix
Closed: Mar 2017
Type: Bug-Security

Security: Execution of Flash despite setting set to "Ask first"

Reported by, Mar 7 2017

Issue description

When opening a website with a native Flash embed (example:, the Flash content is run automatically, even when the browser preferences set the Flash execution setting to "Ask first," and the website is not listed among the exceptions.

Chrome Version: Version 56.0.2924.87 (64-bit) + stable
Operating System: macOS 10.12.3 (16D32)

Set the Flash execution setting to the preference mentioned above, and then visit "". It will run Flash automatically rather than asking for user confirmation.

I should note that the browser does not even signal in any way that the website contains Flash content.
Components: Internals>Permissions
Labels: Needs-Feedback
I haven't been able to reproduce this on either Windows or Mac, using either Stable or Canary.

Can you please try updating to the current stable build (Chrome 57) and see whether or not you can still reproduce the issue? If you use a Guest profile, does the issue continue to occur? Can you attach a screenshot of your chrome://settings/contentExceptions#plugins window?


Comment 3 by, Mar 10 2017

Hi, I have been able to reproduce the issue with the current build. It appears to only work on the current version of macOS Sierra, though, because coworkers on Sierra have the same issue, but those on Yosemite do not.

New Chrome version: 57.0.2987.98 (64-bit)
macOS Version: 10.12.3 (16D32)

Attached are screenshots of my Flash content settings and the exceptions.

I have Guest profiles disabled, but the issue persists across all profiles and incognito mode.
Screen Shot 2017-03-10 at 2.09.03 PM.png (145 KB)
Screen Shot 2017-03-10 at 2.09.16 PM.png (63.8 KB)
Project Member

Comment 4 by, Mar 10 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "" to the cc list and removing "Needs-Feedback" label.

For more details visit - Your friendly Sheriffbot
dominickn@: Do you know who might have better suggestions for debugging this? I can't get a repro locally.
Components: Internals>Plugins>Flash
Owner: ----
+cc other Flash folks. I also can't get a local repro, but it might be the corp profile interfering.

Comment 7 by, Mar 10 2017

I should note that I am only experiencing this issue on the website mentioned above, where it's directly embedded. On other websites, where it's not a top-level embed, I do get a Flash execution prompt.

On the website mentioned above, though, as you will notice in the attached screenshot, there is no indication whatsoever of Flash being run.
Screen Shot 2017-03-10 at 3.49.56 PM.png (62.2 KB)

Comment 8 by, Mar 10 2017

No repro on Chrome M56.0.2924.87 (64bit, no corp policy - clean win10 install).

I wonder what the site-engagement score is though for that site. If it is high enough (chrome://site-engagement will tell you), Flash will be allowed even if set to ASK.

NOTE: at this time "high enough" is site-engagement > 4.

Comment 9 by, Mar 10 2017

The site engagement score is 12.49.
Status: WontFix (was: Unconfirmed)
This appears to be working as intended (i.e. when the site engagement score exceeds the minimum threshold the content will be allowed to run).
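
The behaviour described in comment 8 and in the closing comment, written out as an added example (not part of the original thread and not Chrome's code): given the default Flash setting, the per-site exceptions and the scores shown on chrome://site-engagement, it reports which origins run Flash without a prompt. The function names, hostnames and the rule that an explicit exception takes precedence are assumptions; only the "> 4" threshold and the 12.49 score come from the thread.

```python
# Added model of the behaviour described in this thread; not Chrome source code.

# Comment 8: under "Ask first", Flash is allowed when site engagement > 4.
ENGAGEMENT_THRESHOLD = 4.0


def flash_outcome(origin, default_setting, exceptions, scores):
    """Return 'run', 'prompt' or 'block' for a visit to `origin`.

    Assumption (not stated in the thread): an explicit per-site exception
    wins over both the default setting and the engagement score.
    """
    if origin in exceptions:
        return {"allow": "run", "ask": "prompt", "block": "block"}[exceptions[origin]]
    if default_setting == "allow":
        return "run"
    if default_setting == "block":
        return "block"
    # default_setting == "ask": the engagement score decides.
    score = scores.get(origin, 0.0)
    return "run" if score > ENGAGEMENT_THRESHOLD else "prompt"


def unprompted_origins(default_setting, exceptions, scores):
    """Origins where Flash runs with no prompt and no explicit exception."""
    return sorted(
        o for o in scores
        if o not in exceptions
        and flash_outcome(o, default_setting, exceptions, scores) == "run"
    )


# Constructed sample data: scores as read off chrome://site-engagement,
# exceptions as listed in the Flash content settings. Hostnames are made up.
SCORES = {
    "https://video.example": 12.49,   # the score reported in comment 9
    "https://news.example": 3.2,
    "https://games.example": 4.0,     # exactly at the threshold, not above it
    "https://intranet.example": 25.0,
}
EXCEPTIONS = {"https://intranet.example": "block"}

if __name__ == "__main__":
    for origin in sorted(SCORES):
        print(origin, SCORES[origin], flash_outcome(origin, "ask", EXCEPTIONS, SCORES))
    print("runs without asking:", unprompted_origins("ask", EXCEPTIONS, SCORES))
```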
Project Member

Comment 11 by, Jun 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot