Update: Effective March 12, 2013, Microsoft has completely reversed the behavior described in this article. The IE 10 Flash Compatibility View list is now a curated blacklist. Details in this post: Microsoft changes default Flash behavior in Windows 8 and RT
Adobe's Flash has taken its share of abuse over the past few years, both for its security risks and for its occasional impact on performance and battery life.
For the late Steve Jobs, Flash represented an opportunity to break with a very messy past, as he articulated in his infamous April 2010 post, Thoughts on Flash. That blunt message listed the six reasons why, in Jobs' words, "we do not allow Flash on iPhones, iPods and iPads."
Of course, Apple still allows the Flash plugin on its Macs running OS X, which means Apple customers get to choose between all or nothing when it comes to Flash support. The inability to play Flash content is one of the consistent complaints I still hear from iPad owners, nearly three years after the platform's release.
For Internet Explorer 10 on Windows 8 and Windows RT, Microsoft has tried to walk a delicate balancing act with Flash. The underlying theory is that Flash itself isn't evil. Instead, its bad reputation can be traced to the impact of poorly written Flash programs, which drain batteries and hog CPU resources, or malicious Flash content that exploits weaknesses in the Flash runtime to spread malware.
There are, in fact, many well-written Flash-based programs that behave like model citizens. So why should they be punished for the sins of a few bad actors?
That's the philosophy behind the Internet Explorer 10 Flash compatibility whitelist. Alas, it's not well documented, which is why I decided to write this post.
In Windows 8 and Windows RT, Internet Explorer 10 has the Flash plugin built-in. You can disable it, but you don't have to worry about keeping it up to date, because that task is handled through Windows update.
But your ability to run a Flash program in Windows 8 or RT is controlled to a large degree by Microsoft's Compatibility View List. Here's the rule:
- If you use the desktop version of Internet Explorer 10 in Windows 8, you can run all Flash content, without restriction.
- If you use the desktop version of IE 10 on Windows RT or the Metro version of IE 10 on either platform, Flash content runs only if the domain hosting that content is listed on Microsoft's Compatibility View list.
When I first began looking into this issue, I assumed (as many of my readers did) that this whitelist represented an exclusive club. That's not true. The most recent version of the CV list, retrieved on January 13, 2013, includes more than 4300 domains where you can view and interact with Flash content in the otherwise plugin-free IE versions.
And that list is growing steadily. More than 1000 domains have been added to the list in the past month, based on my inspections of its contents.
If you're curious about which sites are on the "approved for IE 10" Flash list, you can inspect it yourself.
To see the current Internet Explorer Compatibility View list installed on your PC, paste this URL into the Internet Explorer address bar in Windows 8 or Windows RT:
The current online version, which is downloaded automatically to Internet Explorer if you accept the default settings when you set up your user account, is available here:
A version number at the top of the XML file allows you to confirm whether your installed version is up to date.
The process for being added to the Compatibility View list is straightforward and is documented in this MSDN article. If you're a website developer and your site uses Flash, you have two choices:
- If you don't care whether your site runs in the Metro version of Internet Explorer or on Windows RT, you can add a tag that prompts visitors to open the site in the desktop version of IE 10.
- If you want your site to work throughout Windows 8 and Windows RT, you need to get it added to the CV list, after which it will always open with Flash Player enabled in both the desktop and Metro versions of IE 10.
The process of submitting a site for inclusion on the CV list is simple and is documented here. Before you do, you should test your site to ensure it won't stumble over any of the issues that so annoyed Steve Jobs. For example, you need to ensure that the content works as well with the onscreen keyboard and touch as it does with a physical keyboard and mouse. It should allow panning in all directions, pinch and zoom, and double-tap to zoom. Navigation should be smooth, and context menus should function properly. Video playback in full screen and snapped views should be smooth as well, with no artifacts when switching between views.
Submitting a site doesn't mean it will automatically be added to the list. Microsoft has to verify that the Flash content on the site works properly according to the guidelines it's laid out. When a site passes that test, it gets added to the CV list and automatically updated on IE 10. (I asked a friend who owns a Flash-based site to test the process. It took about two weeks from submission to addition to the list. She wasn't asked to make any changes.)
The documentation notes that web developers can test Flash content in Internet Explorer 10 by adding the following registry key:
where DebugDomain is a string value specifying the domain name as its data. (Just a domain name, not the address of a specific page.) Making that tweak allows you to test your site as if it had been added to the CV list.
That's good news for a developer, but what should you do an end user if you want your Surface RT to support Flash-based features on a site that isn't part of the official whitelist?
The best strategy is to contact the site owner and ask them to get their site on the IE 10 whitelist. Failing that, you could use the developer registry edit listed above to bypass the CV list for one and only one domain.
I'm aware of at least one third-party solution that works by tweaking the built-in CV list with your own additions. The trouble with that option is that it requires shutting down automatic updates to the CV list. And with Microsoft adding 30 domains per day to that list, on average, you're likely to miss out on a useful addition sooner rather than later,