info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Is there a way to detect the minimum version of flash required so we preemptively know when our flash content will blocked?
33 views
Skip to first unread message
Amal Hussein
Mar 29, 2017, 7:19:14 PM3/29/17
to
Context:
Since on FireFox we rely on the version flash installed on a users machine, there are cases when FF blocks flash content because the version does not meet the minimum version threshold.
We currently support FireFox versions v45+, and I currently do not see a way of being able to systematically detect if the flash version installed meets the minimum requirements or not.
Questions:
If I can detect the currently installed flash version via navigator.plugins, is there a way to dynamically interpret that the version is too low in for the current FireFox browser version?
If not, and we have to maintain some elaborate lookup table, matching browser versions to minimum supported flash versions, is the information of what the minimum versions are for FF, available anywhere in the community? If not, can that initiative be started here, since it would benefit from crowd sourcing?
Lastly, if we go the option of always requiring our users to be on one of the last 2 major version of flash (current 24, and 23), would that criteria be conservative enough?
Thanks so much,
Amal
Since on FireFox we rely on the version flash installed on a users machine, there are cases when FF blocks flash content because the version does not meet the minimum version threshold.
We currently support FireFox versions v45+, and I currently do not see a way of being able to systematically detect if the flash version installed meets the minimum requirements or not.
Questions:
If I can detect the currently installed flash version via navigator.plugins, is there a way to dynamically interpret that the version is too low in for the current FireFox browser version?
If not, and we have to maintain some elaborate lookup table, matching browser versions to minimum supported flash versions, is the information of what the minimum versions are for FF, available anywhere in the community? If not, can that initiative be started here, since it would benefit from crowd sourcing?
Lastly, if we go the option of always requiring our users to be on one of the last 2 major version of flash (current 24, and 23), would that criteria be conservative enough?
Thanks so much,
Amal
Chris Peterson
Mar 29, 2017, 10:52:56 PM3/29/17
to
On 3/29/2017 7:19 PM, Amal Hussein wrote:
> If I can detect the currently installed flash version via navigator.plugins, is there a way to dynamically interpret that the version is too low in for the current FireFox browser version?
Does a blocked version of Flash still show up in navigator.plugins?
> If I can detect the currently installed flash version via navigator.plugins, is there a way to dynamically interpret that the version is too low in for the current FireFox browser version?
> If not, and we have to maintain some elaborate lookup table, matching browser versions to minimum supported flash versions, is the information of what the minimum versions are for FF, available anywhere in the community? If not, can that initiative be started here, since it would benefit from crowd sourcing?
linked 1:1 with a Firefox version. (I don't know where the list of
blocked Flash versions are served from.)
Benjamin Smedberg
Apr 3, 2017, 2:31:29 PM4/3/17
to Amal Hussein, dev-tech...@lists.mozilla.org
On Wed, Mar 29, 2017 at 7:19 PM, Amal Hussein <ahus...@cainc.com> wrote:
>
>
> If I can detect the currently installed flash version via
> navigator.plugins, is there a way to dynamically interpret that the version
> is too low in for the current FireFox browser version?
>
> If not, and we have to maintain some elaborate lookup table, matching
> browser versions to minimum supported flash versions, is the information of
> what the minimum versions are for FF, available anywhere in the community?
> If not, can that initiative be started here, since it would benefit from
> crowd sourcing?
>
> Lastly, if we go the option of always requiring our users to be on one of
> the last 2 major version of flash (current 24, and 23), would that criteria
> be conservative enough?
>
Let me explain the Firefox behavior as a way of answering the questions.
>
>
> If I can detect the currently installed flash version via
> navigator.plugins, is there a way to dynamically interpret that the version
> is too low in for the current FireFox browser version?
>
> If not, and we have to maintain some elaborate lookup table, matching
> browser versions to minimum supported flash versions, is the information of
> what the minimum versions are for FF, available anywhere in the community?
> If not, can that initiative be started here, since it would benefit from
> crowd sourcing?
>
> Lastly, if we go the option of always requiring our users to be on one of
> the last 2 major version of flash (current 24, and 23), would that criteria
> be conservative enough?
>
Firefox asks the Mozilla blocklist servers frequently for a list of plugin
versions which are known to be vulnerable. This is not tied to the specific
Firefox version running.
When Firefox detects that the currently installed version of Flash is known
to be vulnerable, it stops activating that version by default. Instead, any
attempt to use Flash will show UI to the user which looks like this:
https://ichef.bbci.co.uk/news/660/cpsprodpb/1500A/production/_84262068_flash.jpg
Users then have the opportunity to update or to choose to activate Flash
anyway for that site.
Mozilla deploys Flash blocks on the following schedule:
- If there are known active Flash exploits in the wild, we deploy the
block immediately
- If a regularly scheduled Flash update (on patch Tuesday) fixes
security holes, we deploy the Flash blocklist update on the following
Monday. This gives most clients the ability to auto-update during the week.
So to get back to your particular questions:
It is not possible to detect whether Flash is considered out of date using
navigator.plugins
You can't build a lookup table of Flash versions and Firefox versions,
because that all happens via the dynamic blocklist.
It is not sufficient to require the latest two versions. Usually every
monthly update of Flash fixes security vulnerabilities, and so users need
to stay completely up to date.
Also be aware that starting later this year, Flash will be marked as
click-to-activate by default for all users. This doesn't show the red
button or no-enter sign, but it will look like this:
http://cdn.makeuseof.com/wp-content/uploads/2014/06/flash-video-disabled-firefox.png?187d39
So you should make sure that your website works properly when Flash is in
click-to-activate mode, both for current users who have insecure versions
and for future defaults. You can change that today in the Firefox addon
manager.
--BDS
0 new messages