Browser: Microsoft only leaves Facebook in the Flash whitelist in Edge


Users of Microsoft's Edge browser normally have to allow Flash content on web pages explicitly, via the so-called click-to-play mechanism. For selected sites, however, Edge used a whitelist that allowed Flash content to play automatically. From now on, only Facebook domains remain on that list.


This emerges from a bug report by Google's Project Zero security researchers. According to it, researcher Ivan Fratric first examined the binary form of the whitelist and converted it into a textual representation. Some of the domains exposed this way are very surprising and strange.

Fratric writes on Twitter: "So many pages that are completely taken aback because they are on it. Like a hairdressing site in Spain ( ?! I wonder how the list was put together." In addition to the questionable content of the list, Fratric also points out possible security problems arising from its use.

Attackable whitelist

An XSS vulnerability on any one of the whitelisted domains would be enough to bypass the click-to-play rules entirely, and Fratric found known XSS vulnerabilities on some of the whitelisted domains. In addition, the whitelist did not require HTTPS, so a man-in-the-middle (MITM) attacker could also bypass the click-to-play rules.

According to the bug report, Microsoft corrected the behaviour criticised by Fratric in the February update of Edge. HTTPS is now mandatory for whitelisted sites, and only the domains and remain on the list. The major browser vendors plan to end the Flash era in 2020.

