Browser-laptop: Consider removing the 'Enable Flash' setting

Created on 20 Jan 2017 · 11Comments · Source: brave/browser-laptop

This doc describes the Flash behavior prior to 0.13.x: https://github.com/brave/browser-laptop/wiki/Flash-Support-Deprecation-Proposal

Currently, to run Flash on a fresh install of Brave, you have to:

download Pepper Flash from https://get.adobe.com/flashplayer/ (it's not bundled with Brave)
go to about:preferences#security and toggle the switch to enable Flash
right-click to play Flash on any page that requires it. permission is granted on a per-origin basis.
after a week at most, Flash approvals on the origin expire. the user must re-enable via click-to-play before Flash will run again.

This issue is to discuss getting rid of Step 2 as a requirement for running Flash.

Current UX: if you install Flash but don't enable it in Preferences, you should see a Flash placeholder that says 'Plugin not supported' on sites that use Flash. it is not possible to run Flash until you enable it in Preferences.

Proposed new UX: if the Pepper Flash binary is installed, you should see a Flash placeholder that says 'Right click to run Flash' on sites that require Flash. Right-clicking and choosing 'Allow' will run Flash, no additional steps are needed. If you do not wish to run Flash ever, you can either uninstall Flash or never right-click on a Flash placeholder.

Downsides of removing step 2:

If you install Flash and later decide you don't want to run it in Brave anymore because it's too insecure, you could unintentionally end up right-clicking to allow Flash. Ex: social engineering or by clicking the wrong thing on accident. You can prevent this by uninstalling Flash though.
Users who forgot or don't realize they have Flash installed may be surprised to see that Flash is runnable on any page with one click.
For users who have Flash set to 'disabled', they may assume we auto-downgraded their security by essentially changing the setting to the equivalent of 'enabled' in a Brave update.
We lose some amount of defense in depth. Ex: users can be clickjacked, or maybe we have a bug allowing some kind of Z-order takeover with event pass through.

Upsides:

Reduces friction to getting Flash working, which is a good thing from a growth and usability perspective (but not from a Flash deprecation perspective).
To first order, 'Click to play' is off by default, given that the Flash binary is never actually loaded until Flash actually runs on a page.

plugiflash

Source

diracdeltas

Most helpful comment

@richfelker I don't think we want to make it difficult for users to enable flash. In my opinion the objective should be to promote alternatives to Flash and ensure that Flash only runs with explicit user permission

bridiver on 20 Jan 2017

👍6

All 11 comments

cc @bbondy @BrendanEich @bridiver

diracdeltas on 20 Jan 2017

I prefer leaving it how it is or making it even more difficult to enable flash.

richfelker on 20 Jan 2017

👍1

bridiver on 20 Jan 2017

👍6

bradleyrichter on 20 Jan 2017

👍2

How about keeping the option within the preferences but setting it on by default? This would allow people to disable Flash if they wish, while still providinh the desired new UX.

DivineOmega on 20 Jan 2017

👍1

^ would probably solve many of the current issues users have with the 2-step

bradleyrichter on 20 Jan 2017

I worry that @DivineOmega's idea will cause people to ask us why Flash is "enabled" by default. Though we could avoid that by changing the switch to "Never show option to run Flash"

diracdeltas on 20 Jan 2017

I think we should have flash off by default, with explicit permission to allow as @bridiver mentioned above.

I also echo the concern from @diracdeltas - and remember seeing a few negative/concerned responses when optional flash support was introduced. I think the negatives of enabling flash by default outweigh the positives.

For the image @bradleyrichter added above, maybe it would be wise to include a link to a page that users could go to, listing the reasons _why_ flash is risky. If we're talking wide user adoption, there's a good chance that users doesn't understand what the problems with flash are.

Granting explicit permission case-by-case, encouraging better alternatives and providing an opportunity for educating users (and publishers that are still using flash) about the risks seems like an appropriate compromise.

lukemulks on 20 Jan 2017

Current UX: if you install Flash but don't enable it in Preferences, you should see a Flash placeholder that says 'Plugin not supported' on sites that use Flash. it is not possible to run Flash until you enable it in Preferences.

Instead of "Plugin not supported" maybe we could change the placeholder to "Flash is disabled. To enable it, please visit Preferences" with a link to the Flash preference page. This would keep enabling Flash in Brave an intentional process and also help users figure out how to do it.

ayumi on 20 Jan 2017

👍3

@ayumi I think we are most of the way there already:

bradleyrichter on 20 Jan 2017

🎉1 👍1

I'll say it again: defense in depth is not about point-defense or known threats. Elevators have multiple cables, spring-tensioned grips or wedges that are "off safe" only when there's cable tension, etc. The multiplication principle makes the odds of multiple independent failures tiny.

I wish Flash were an elevator, so I could reason about its risks more precisely (or just take all off-safe and blow the cable house :-/).

Meanwhile, big browsers keep boasting they're killing Flash. It looks like not soon enough.

Now that #6739 is fixed, I advise we wait on doing anything with this bug until after both laptop 1.0, and after we have better evidence (with that issue fixed) that the global pref is truly bouncing users off of Brave as they try to adopt us.

I doubt that on general principles, while acknowledging that the global pref is a hardship.

Another advantage of waiting: the bigs may finally follow through and kill Flash for real.