Another nail in Flash’s coffin. Google Chrome to block Flash by default on most websites

Google Chrome, the world’s most popular web browser, is banging another nail into Adobe Flash’s coffin.

This week we’ve learnt that by the end of the year Chrome will be defaulting to using HTML5 rather than Adobe Flash on nearly all websites.

Google’s Anthony LaForge outlined the company’s plan to prevent Flash from automatically running on websites:

“While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption. This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience. We will continue to work closely with Adobe and other browser vendors to keep moving the web platform forward, in particular paying close attention to web gaming.”

In a nutshell, this is what Google is proposing:

  • Flash Player will come bundled with Chrome, however its presence will not be advertised by default.
  • If a site offers an HTML5 experience, it will be used as the default experience.
  • When a user encounters a site that needs Flash Player, a prompt will appear at the top of the page, giving the user the option of allowing it for a site.
  • If the user accepts, Chrome will advertise the presence of Flash Player, and refresh the page.

LaForge doesn’t mention it, but so many people are excited by the news of Flash’s step closer to extinction because the technology has been blighted by innumerable security holes in recent years, and is regularly exploited by online criminals.

Specifically, Google wants to reduce malicious attacks such as malvertising – the rogue web adverts that can infect your computer with malware as you browse a legitimate website.

As we have previously reported, Adobe Flash is the technology most targeted by malicious exploit kits, and the number of discovered vulnerabilities has increased dramatically.

In short, a Flash-free web is a safer web.


As Google explains, to avoid too much disruption, the top ten websites using Flash will be added to an allow-list – allowing Flash to continue operating for a while.


However, most of the time Chrome’s Flash Player will be hidden away.

In a slide deck describing the proposal, Google offers a sneak peek of what Chrome users may be seeing in their browser later this year.

One part of the report describes how on sites that need Flash Player, a prompt will appear at the top of the page, giving the user the option of granting permission for the controversial technology to run.

If you allow Flash Player, then preferences will be stored, and the webpage refreshed with Adobe Flash Player enabled.

The proposal suggests that enterprises will be able to set a policy of always running Flash content (I hope you’re feeling bold), and users will be able to manage their preferences for individual sites.

I don’t think anyone is going to be too surprised to see Google further distancing itself from the troubled Adobe Flash. It has already announced it will drop support for the Flash-based online ads that some advertisers like to upload to Google’s AdWords and DoubleClick services, and blocked Flash ads by default.

Adobe Flash isn’t quite dead yet, but we’re one step closer to its burial.

Personally I don’t think it could come quickly enough.

This article first appeared on the HEAT Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
