Issue 760189

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression



Moderately sized cross-domain Flash does not run, even with domains in allow list

Reported by jer...@duckware.com, Aug 29 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Steps to reproduce the problem:
Test case (using Adobe's 'about' SWF) -- all flash plugins are sized to 390 x 290.

1. Visit https://www.duckware.com/flash/du.html, and 'click to run' and select 'allow'
2. Visit https://www.vsynctester.com/flash/vs.html, and 'click to run' and select 'allow'
3. Exit and re-run Chrome
4. Confirm chrome://settings/content/flash allow list is: (1) https://www.duckware.com:443, (2) https://www.vsynctester.com:443
5. Visit https://www.duckware.com/flash/du.html and flash works/runs with no interactions
6. Visit https://www.vsynctester.com/flash/vs.html and flash works/runs with no interactions

But visit https://www.duckware.com/flash/vs.html (same vs.html as on vsynctester.com) and flash plugin is not running, even though user intent is that it should be run with no user interactions (both duckware.com and vsynctester.com are in allow list).

What is the expected behavior?
The flash plugin should run

What went wrong?
Flash plugin is being blocked

Did this work before? Yes 

Chrome version: 60.0.3112.113  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

 
Components: Internals>Plugins>Flash
Status: WontFix (was: Unconfirmed)
(Copied from Issue 759115)

We started blocking cross-origin small form factor Flash Content (smaller than 300x400) starting in Chrome 53 (Sept 2016)[1]. In Chrome 59 (June 2017) we removed a case that allowed unsized/hidden Flash content to run[2], followed by the cross origin changes in Chrome 60[3].

We are currently considering whether to add an Enterprise policy to allow administrators to permit tiny flash content to run w/ out prompting, which should help schools and make the guidance simpler (i.e., toggling one setting versus determining precise origins to add exceptions for). Filed as issue 760201.

For applications targeting general consumers, my advice would be to make the Flash content > 300 by 400 pixels to avoid the secondary blocking.  Due to privacy and performance concerns, I don't foresee us revisiting that policy.


[1] - https://www.chromium.org/flash-roadmap#TOC-Plugin-Power-Savings-Mode---Tiny-Shipped:-Chrome-53---Sept-2016-
[2] - https://www.chromium.org/flash-roadmap#TOC-PPS-Tiny---Remove-Un-sized-0x0-or-hidden-content-Exceptions-Target:-Chrome-59---June-2017-
[3] - https://www.chromium.org/flash-roadmap#TOC-PPS-Tiny---No-Same-Origin-Exceptions-Target:-Chrome-60---Aug-2017-
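
As an added example (not part of the issue thread and not Chromium code), the following JavaScript applies the size advice from the comment above to the three pages in the report and flags embeds that are cross-origin and not larger than the advised size. Assumptions: the `.swf` paths are placeholders, "300 by 400" is read as 400 px wide by 300 px high, and `vs.html` is taken to load its SWF from vsynctester.com by absolute URL.

```javascript
// Added example, not Chromium code: a site-owner check based on the advice in the comment.
// Assumption: "300 by 400" is read as 400 px wide by 300 px high.
const MIN_WIDTH = 400;
const MIN_HEIGHT = 300;

// URL.origin normalises scheme, host and port (":443" is dropped for https),
// so "https://www.duckware.com:443" and "https://www.duckware.com" compare equal.
function originOf(url) {
  return new URL(url).origin;
}

function auditEmbed({ pageUrl, swfUrl, width, height }, allowList) {
  const pageOrigin = originOf(pageUrl);
  // Relative SWF URLs resolve against the page, as they would in the browser.
  const swfOrigin = new URL(swfUrl, pageUrl).origin;
  const crossOrigin = swfOrigin !== pageOrigin;
  const largeEnough = width > MIN_WIDTH && height > MIN_HEIGHT;
  return {
    pageUrl,
    pageInAllowList: allowList.map(originOf).includes(pageOrigin),
    crossOrigin,
    largeEnough,
    // The allow list does not enter into this flag: an embed can be
    // allow-listed and still fall under the size advice.
    atRisk: crossOrigin && !largeEnough,
  };
}

// Constructed sample data. Page URLs, allow list entries and the 390 x 290 size
// come from the report; the .swf paths are placeholders (not given in the report).
const ALLOW_LIST = ['https://www.duckware.com:443', 'https://www.vsynctester.com:443'];
const VS_SWF = 'https://www.vsynctester.com/flash/about.swf'; // assumed absolute URL
const EMBEDS = [
  { pageUrl: 'https://www.duckware.com/flash/du.html', swfUrl: 'about.swf', width: 390, height: 290 },
  { pageUrl: 'https://www.vsynctester.com/flash/vs.html', swfUrl: VS_SWF, width: 390, height: 290 },
  { pageUrl: 'https://www.duckware.com/flash/vs.html', swfUrl: VS_SWF, width: 390, height: 290 },
];

function auditAll(embeds = EMBEDS, allowList = ALLOW_LIST) {
  return embeds.map((e) => auditEmbed(e, allowList));
}

for (const r of auditAll()) {
  console.log(`${r.pageUrl} allowListed=${r.pageInAllowList} crossOrigin=${r.crossOrigin} atRisk=${r.atRisk}`);
}
```

Only the third page is flagged: its origin is in the allow list, but the embed is cross-origin and 390 x 290.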
