In fact, users of the Microsoft Edge browser must explicitly allow the playback of Flash content on web pages, a mechanism known as click-to-play. For selected pages, however, Edge used a whitelist that automatically allows Flash content. Facebook domains will continue to be on it.
This comes from a bug report by Google's Project Zero security researchers. For it, the researcher Ivan Fratric first examined the binary form of the whitelist and converted it into a textual representation. Some of the now publicly available domains are very surprising and strange.
Fratric writes on Twitter: "So many pages that are completely taken aback because they are on it. Like a hairdressing site in Spain (http://www.dgestilistas.es)?! I wonder how the list was put together." In addition to the questionable content of the list, Fratric also points out possible security problems arising from its use.
Attackable whitelist
An XSS vulnerability on one of the domains allows the click-to-play rules to be bypassed completely. Fratric found known XSS vulnerabilities on some of the whitelisted domains. In addition, the whitelist does not enforce the use of HTTPS, which could allow man-in-the-middle (MITM) attacks to bypass the click-to-play rules.
According to the bug report, Microsoft corrected the whitelist behavior reported by Fratric in the February update of Edge. The use of HTTPS is now mandatory for the whitelist, and only the domains www.facebook.com and apps.facebook.com remain on it. The big browser manufacturers are planning the end of the Flash era for next year, 2020.
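The difference between a whitelist that only compares the host and one that also requires HTTPS, as described above, can be shown with a small added example. It is not Edge's code: the function names, the exact-match logic and the sample URLs are assumptions, and both checks use the two post-update hosts so that the scheme is the only variable.

```javascript
// Added illustration, not Edge's implementation.
// Hosts the article names as remaining on the whitelist after the update.
const ALLOWED_HOSTS = new Set(["www.facebook.com", "apps.facebook.com"]);

// Parse defensively: anything that is not a valid absolute URL is rejected.
function parse(pageUrl) {
  try {
    return new URL(pageUrl);
  } catch {
    return null;
  }
}

// Behaviour the article describes before the fix: the scheme is not checked,
// so a page delivered over plain HTTP still skips click-to-play.
function allowsFlashHostOnly(pageUrl) {
  const u = parse(pageUrl);
  return u !== null && ALLOWED_HOSTS.has(u.hostname);
}

// Behaviour after the fix: HTTPS is mandatory, plus an exact host match.
function allowsFlashHttpsOnly(pageUrl) {
  const u = parse(pageUrl);
  return u !== null && u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname);
}

// Constructed sample URLs covering the scheme and look-alike host cases.
const SAMPLE_URLS = [
  "https://www.facebook.com/",              // listed host over HTTPS
  "http://www.facebook.com/",               // listed host over plain HTTP
  "https://www.facebook.com.example.test/", // listed name used as a prefix
  "https://www.facebook.com@example.test/", // listed name in the userinfo part
];

// Evaluate both policies for each URL so the rows can be compared.
function comparePolicies(urls) {
  return urls.map((url) => ({
    url,
    hostOnly: allowsFlashHostOnly(url),
    httpsOnly: allowsFlashHttpsOnly(url),
  }));
}

for (const row of comparePolicies(SAMPLE_URLS)) {
  console.log(`${row.url}  hostOnly=${row.hostOnly}  httpsOnly=${row.httpsOnly}`);
}
```

Only the plain-HTTP row differs between the two policies; the look-alike hosts are rejected by both because the comparison is made on the parsed hostname rather than on the URL string.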