Chrome's flash component loads user's out-dated version of system flash vs PepperFlash during the initial 6 minute launch window
Reported by
ahuss...@cainc.com,
Jun 6 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. Install an out-dated version of system flash on your machine (windows or chrome)
2. Install new version of Chrome (or open Chrome for the first time on a new user profile)
3. Launch Chrome for the first time and attempt to access flash content for the first time

What is the expected behavior?
I expect Chrome's flash component loader to do a JIT load of the latest version of PepperFlash, and to ignore the out-dated version of System Flash that is installed on the user's machine.

What went wrong?
The problem persists within the first 6 minutes, when Chrome stalls on loading the flash component unless it's needed. For 6-7 minutes users are blocked from accessing flash content and they see a banner saying it's blocked because it's out-dated. (see photo) This is not an HBD issue -- flash is allowed to run on this site via a group policy setting. Upon checking chrome://flash, it shows the outdated system flash version (same for navigator.plugins). Also, upon checking chrome://components, the version is still 0.0.0.0 for Chrome's internal PepperFlash because it has not loaded yet (see photos). The issue persists for 6-7 minutes, and when the user refreshes after that time period, Chrome then loads in PepperFlash instead and chrome://flash, chrome://components, and navigator.plugins all show the updated PepperFlash component. The banner which says flash is outdated and blocked also goes away and the user can access flash content.

Did this work before? N/A
Does this work in other browsers? Yes

Chrome version: 58.0.3029.110 Channel: stable
OS Version: OS X 10.12.0
Flash Version: any out-dated version of system flash

At any point during the 6-7 minutes, clicking on 'Check for Updates' under the Adobe flash component loads in PepperFlash immediately.
Also, uninstalling system flash during this window also removes the banner and lets PepperFlash load via its JIT mechanism.
,
Jun 7 2017
,
Jun 7 2017
,
Jun 7 2017
,
Jun 16 2017
Any movement on this issue -- we are an edu-tech with some legacy flash content that we are actively phasing out. We have some large districts which are affected by this issue because schools wipe their machines regularly, or kids use a different computer in the lab every day. We would love to know if this is ever going to be resolved.
Thanks so much!
Amal
,
Jun 16 2017
Is there a reason the admins don't either?:
• uninstall system flash (if using component flash is OK)
• keep system flash up-to-date

(I get that you're in a tough spot to make that recommendation if you own the content but aren't administrators of the client machines.)

Will, I think this is as simple as calling PluginFinder->GetPluginMetadata->GetSecurityStatus in GetSystemPepperFlash, does that sound right to you? I'm not too familiar with the plugin_win.json code.
,
Jun 16 2017
That is exactly the message we are giving them -- and our support engineers are working diligently on this. However, many of our affected customers are really large public school districts with really limited resources. So, it's really challenging getting a quick turn around, or making changes mid-school year, etc. Also, to be clear this is also a problem on OSX -- it affects any first time launch of Chrome on Windows or OSX.
,
Jun 16 2017
re: #6 you mean just ignore system flash if out of date, which would force an earlier on-demand download of component flash? perhaps another solution would be to trigger an on demand component update of flash if this banner ever shows.
,
Jun 16 2017
re: #8 yes, that's what I mean. The other solution seems like it would also work (though I don't know the details), do you prefer pursuing that?
,
Jun 16 2017
so the logic would be iff:
- version of component updater is 0.0.0.0 (i.e. has never been downloaded)
- system flash is considered "out of date" [1]

then ignore system flash and pull component update.

I don't think it's as simple as returning false from GetSystemPepperFlash in the case that system is "out of date", because if all candidate flash installations are "out of date" we still want to use the highest version and display the banner.

[1] the version of Flash is lower than the minimum 'secure' version in the plugins json file - e.g. https://cs.chromium.org/chromium/src/chrome/browser/resources/plugin_metadata/plugins_win.json
,
Jun 16 2017
re # 10 -- that logic makes more sense and those are the correct values for when this manifests. The component updater is 0.0.0.0 and it uses the outdated version of system flash instead. I'm not sure how bug fixes to the component updater logic are distributed, would it be retrofitted for all versions of Chrome, or just newer versions moving forward? Thanks for getting on this guys.
,
Jun 16 2017
Any fix we land for this would only be for newer versions moving forward. If the change is simple enough we could try to merge it to Chrome 60 so that it's in Chrome stable-channel before the start of the next academic year.

If you have teachers / students trying to work around this in the short term, one thing you can tell them to do is:
• Navigate to chrome://components.
• Click "Check for Update" under "Adobe Flash Player".

(This will short-circuit that 6-minute period and unblock the user but is not a good long-term solution.)

That's a good point about being conditional on the component update version. I think we can strengthen the logic to:
"""
If and only if:
• system flash is considered "out of date" [1]
• and no other non-0 Flash is present (command line or component)
Ignore system flash (and therefore register fake flash).
"""
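The decision rule proposed in the two comments above, written out as an added example; it is not code from this thread or from Chromium. The helper names and the version numbers are assumptions made for illustration, and the minimum secure version would in practice come from the plugins json file mentioned above.

```cpp
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper names; sample versions in main() are constructed.
// Parse "25.0.0.171" into numeric parts (non-numeric parts become 0).
std::vector<int> ParseVersion(const std::string& text) {
  std::vector<int> parts;
  std::stringstream in(text);
  std::string piece;
  while (std::getline(in, piece, '.'))
    parts.push_back(std::atoi(piece.c_str()));
  return parts;
}

// Numeric, component-wise compare; missing components count as 0.
bool LessThan(const std::vector<int>& a, const std::vector<int>& b) {
  for (size_t i = 0; i < std::max(a.size(), b.size()); ++i) {
    int x = i < a.size() ? a[i] : 0;
    int y = i < b.size() ? b[i] : 0;
    if (x != y) return x < y;
  }
  return false;
}

// True only when system Flash is below the minimum secure version AND
// every other candidate (component, command line) is absent or 0.0.0.0.
bool ShouldIgnoreSystemFlash(const std::string& system_version,
                             const std::string& min_secure_version,
                             const std::vector<std::string>& others) {
  if (!LessThan(ParseVersion(system_version), ParseVersion(min_secure_version)))
    return false;  // system Flash is not out of date: keep it
  for (const std::string& v : others)
    if (LessThan(ParseVersion("0"), ParseVersion(v)))
      return false;  // another real Flash exists: highest version still wins
  return true;  // nothing else to fall back on: skip the stale system copy
}

int main() {
  const std::string min_secure = "25.0.0.171";  // constructed threshold
  std::cout << ShouldIgnoreSystemFlash("24.0.0.186", min_secure, {"0.0.0.0"})
            << ShouldIgnoreSystemFlash("24.0.0.186", min_secure, {"23.0.0.207"})
            << ShouldIgnoreSystemFlash("25.0.0.171", min_secure, {"0.0.0.0"})
            << "\n";  // prints 100
}
```

The second case is the one raised in the thread: when every installed Flash is out of date, the system copy is kept so the highest version is used and the banner is still shown.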
,
Jun 16 2017
Awesome -- and that's the exact workaround we are letting them know about. Getting this in Chrome 60 would be really great -- September is our big back to school rush, so it's ideal timing. Our students are in 45 computer labs so 6-7 lost debugging is a large percentage away from their lesson time. Let me know if there is anything else I can do, or you guys need any other info. Thanks again for the quick response.
Amal
,
Jun 16 2017
For those watching this thread. I wouldn't advise waiting on a solution from Chrome. It's entirely possible that we won't be able to get this change into Chrome 60 (August release). Regardless, the best technical recommendation would be to uninstall the system instance of Flash Player and rely exclusively on the component updater to keep Flash Player up to date, especially since it was built to seamlessly handle the new install case (i.e. if Flash Player isn't present it fetches it the first time Flash content is accessed, without any interruption of user prompt - invisibly - the initial load just looks like it takes a little longer). There are a sufficient number of regular Flash updates (potentially more than monthly), that make it somewhat impractical for a limited support staff to maintain. Having a stronger rationale for why this mixed use case is necessary would be helpful, as it stands it's not clear why that configuration would be desirable (i.e. it seems to take all the disadvantages of both solutions w/ out the benefits).
,
Jun 16 2017
In our case, we tell our users to uninstall system flash because if they are using Chrome as a primary browser, it's embedded and there is no need for it. However, they use their computers for many different applications, and sometimes they need system flash for some random software they use on I.E for instance. We are educating them about the importance of agreeing to auto updates of system flash if they have it installed -- but again we are dealing with 10,000s of machines per district sometimes and IT admins with very different levels of bandwidth, skill, and available resources. That said, Chrome is our recommended browser, and we ask they use the group policy setting to allow flash to always run for our domain. We do not ask them to download system flash when using Chrome.
,
Jun 16 2017
This is perhaps a fine point, but it's worth pointing out that system-wide Flash is installed separately for Chrome versus other browsers (IE, Firefox), because Chrome relies on the PPAPI version of Flash, while other browsers rely on the NPAPI version of Flash. i.e. you can see from https://get.adobe.com/flashplayer/otherversions/ that when installing Flash you have to pick one version or the other, and I believe (though this would be good to double-check) that the two installs are managed separately in Windows (i.e. PPAPI can be (un)installed without NPAPI being (un)installed - they show up as different programs in Add/Remove Programs).
,
Jun 16 2017
Right -- that's a good point. We can make sure that they remove the version of system flash which targets Chrome. Agreed!
,
Jul 27 2017
Hi. Is there a plan to load the updated internal flash version when outdated system flash is detected (before the 6 minute mark)?
,
Jul 31 2017
Thanks for checking. Our recommendation would be for administrators to use either system level installs or component updates, but not both. The desired behavior (i.e. in-line dynamic fetch) can be obtained by using the component updater exclusively.