Mozilla plans to implement a change in Firefox 55 that restricts plugins — read Adobe Flash — to run on HTTP pr HTTPS only.
Adobe Flash is the only NPAPI plugin that is still supported by release versions of the Firefox web browser. Previously supported plugins such as Silverlight or Java are no longer supported, and won’t be picked up by the web browser anymore.
Flash is the only plugin left standing in Firefox. It is also still available for Google Chrome, Chromium-based browsers, and Microsoft Edge, but the technology used to implement Flash is different in those web browsers.
Adobe Flash causes stability and security issues regularly in browsers that support it. If you check the latest Firefox crash reports for instance, you will notice that many top crashes are plugin-related.
Security is another hot topic, as Flash is targeted quite often thanks to new security issues coming to light on a regular basis.
Mozilla’s plan to run Flash only on HTTP or HTTPS sites blocks execution of Flash on any non-HTTP non-HTTPS protocol. This includes among others FTP and FILE. Flash content will be blocked completely in these instances. This means that users won’t get a “click to play” option or something similar, but just resources blocked from being loaded and executed by the Firefox web browser.Mozilla provides an explanation for the decision on the Firefox Site Compatibility website:
Firefox 55 and later will prevent Flash content from being loaded from file, ftp or any other URL schemes except http and https. This change aims to improve security, because a different same-origin policy is applied to the file protocol, and loading Flash content from other minor protocols is usually not well-tested.
Mozilla is also looking into extending the block to data: URIs.
The change should not affect too many Firefox users and developers, but it will surely impact some. Mozilla implemented a new preference in Firefox that allows users to bypass the new restriction:
- Type about:config in the browser’s address bar and hit the Enter-key.
- Confirm that you will be careful if the warning prompt appears.
- Search for the preference plugins.http_https_only.
- Double-click on it.
A value of True enables the blocking of Flash content on non-HTTP/HTTPS pages, while a value of False restores the previous handling of Flash so that it runs on any protocol. Mozilla suggests however that developers set up a local web server instead for Flash testing if that is the main use case.