An inside look at Internet Explorer 10's mysterious Flash whitelist

An inside look at Internet Explorer 10's mysterious Flash whitelist

Summary: Update: Effective March 12, 2013, Microsoft has reversed the behavior described in this article. In Windows 8 and especially on Windows RT, your ability to run Flash programs hosted on the web depends on whether a site is included on Microsoft's Compatibility View list. This post describes the original rules, which are no longer in effect.


Update: Effective March 12, 2013, Microsoft has completely reversed the behavior described in this article. The IE 10 Flash Compatibility View list is now a curated blacklist. Details in this post: Microsoft changes default Flash behavior in Windows 8 and RT

Adobe's Flash has taken its share of abuse over the past few years, both for its security risks and for its occasional impact on performance and battery life.

For the late Steve Jobs, Flash represented an opportunity to break with a very messy past, as he articulated in his infamous April 2010 post, Thoughts on Flash. That blunt message listed the six reasons why, in Jobs' words, "we do not allow Flash on iPhones, iPods and iPads."

Of course, Apple still allows the Flash plugin on its Macs running OS X, which means Apple customers get to choose between all or nothing when it comes to Flash support. The inability to play Flash content is one of the consistent complaints I still hear from iPad owners, nearly three years after the platform's release.

For Internet Explorer 10 on Windows 8 and Windows RT, Microsoft has tried to walk a delicate balancing act with Flash. The underlying theory is that Flash itself isn't evil. Instead, its bad reputation can be traced to the impact of poorly written Flash programs, which drain batteries and hog CPU resources, or malicious Flash content that exploits weaknesses in the Flash runtime to spread malware.

There are, in fact, many well-written Flash-based programs that behave like model citizens. So why should they be punished for the sins of a few bad actors?


That's the philosophy behind the Internet Explorer 10 Flash compatibility whitelist. Alas, it's not well documented, which is why I decided to write this post.

In Windows 8 and Windows RT, Internet Explorer 10 has the Flash plugin built-in. You can disable it, but you don't have to worry about keeping it up to date, because that task is handled through Windows update.

But your ability to run a Flash program in Windows 8 or RT is controlled to a large degree by Microsoft's Compatibility View List. Here's the rule:

  • If you use the desktop version of Internet Explorer 10 in Windows 8, you can run all Flash content, without restriction.
  • If you use the desktop version of IE 10 on Windows RT or the Metro version of IE 10 on either platform, Flash content runs only if the domain hosting that content is listed on Microsoft's Compatibility View list.

When I first began looking into this issue, I assumed (as many of my readers did) that this whitelist represented an exclusive club. That's not true. The most recent version of the CV list, retrieved on January 13, 2013, includes more than 4300 domains where you can view and interact with Flash content in the otherwise plugin-free IE versions.

And that list is growing steadily. More than 1000 domains have been added to the list in the past month, based on my inspections of its contents.

If you're curious about which sites are on the "approved for IE 10" Flash list, you can inspect it yourself.

To see the  current Internet Explorer Compatibility View list installed on your PC, paste this URL into the Internet Explorer address bar in Windows 8 or Windows RT:

File:\\%LOCALAPPDATA%\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml

The current online version, which is downloaded automatically to Internet Explorer if you accept the default settings when you set up your user account, is available here:

A version number at the top of the XML file allows you to confirm whether your installed version is up to date.

The process for being added to the Compatibility View list is straightforward and is documented in this MSDN article. If you're a website developer and your site uses Flash, you have two choices:

  • If you don't care whether your site runs in the Metro version of Internet Explorer or on Windows RT, you can add a tag that prompts visitors to open the site in the desktop version of IE 10.
  • If you want your site to work throughout Windows 8 and Windows RT, you need to get it added to the CV list, after which it will always open with Flash Player enabled in both the desktop and Metro versions of IE 10.

The process of submitting a site for inclusion on the CV list is simple and is documented here. Before you do, you should test your site to ensure it won't stumble over any of the issues that so annoyed Steve Jobs. For example, you need to ensure that the content works as well with the onscreen keyboard and touch as it does with a physical keyboard and mouse. It should allow panning in all directions, pinch and zoom, and double-tap to zoom. Navigation should be smooth, and context menus should function properly. Video playback in full screen and snapped views should be smooth as well, with no artifacts when switching between views.

Submitting a site doesn't mean it will automatically be added to the list. Microsoft has to verify that the Flash content on the site works properly according to the guidelines it's laid out. When a site passes that test, it gets added to the CV list and automatically updated on IE 10. (I asked a friend who owns a Flash-based site to test the process. It took about two weeks from submission to addition to the list. She wasn't asked to make any changes.) 

The documentation notes that web developers can test Flash content in Internet Explorer 10 by adding the following registry key:

HKLM\Software\Microsoft\Internet Explorer\Flash\DebugDomain

where DebugDomain is a string value specifying the domain name as its data. (Just a domain name, not the address of a specific page.) Making that tweak allows you to test your site as if it had been added to the CV list.

That's good news for a developer, but what should you do an end user if you want your Surface RT to support Flash-based features on a site that isn't part of the official whitelist?

The best strategy is to contact the site owner and ask them to get their site on the IE 10 whitelist. Failing that, you could use the developer registry edit listed above to bypass the CV list for one and only one domain.

I'm aware of at least one third-party solution that works by tweaking the built-in CV list with your own additions. The trouble with that option is that it requires shutting down automatic updates to the CV list. And with Microsoft adding 30 domains per day to that list, on average, you're likely to miss out on a useful addition sooner rather than later,

Topics: Browser, Microsoft, Microsoft Surface, Windows 8

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • a lot more than "occasional"

    "and for its occasional impact on performance and battery life."

    It was a lot more than occasional X(.

    It was (and still is) pretty much every page with an ad on it.
    • That may be true...

      But I've never had any problems with the flash sites that I use. Instead of completely blocking flash, wouldn't it be a much friendlier idea to block it by default but provide options for advanced users to turn it on if they so choose? That way the ones who don't know any better are safe and the ones who do can make their own choices?

      I've used flash on most of my Android devices without any negative impact at all since it became available and even after the latest versions removed it. The same is true on my Surface RT.

      Any time you block potentially useful tools in the name of security/performance without providing a way to override by choice, you cause problems for many people. It's the same mentality that you see in many organizations that choose to punish everyone for the sins of the few.
  • my niece got a surface rt for christmas

    and none of her favorite websites worked on it. But I it doesn't really matter how easy it is to get onto the white list. This for now not many websites will bother simply because either they're totally unaware of the issue or because even if they are aware, so few people would be affected at this point that they still won't bother.
    • 1000 websites added in one month

      Give it a year and I'll bet a lot of those sites will be on the list.
      Ed Bott
      • Several Billion To Go

        This is a wrong approach and MS leave themselves in the potential position of censor here and leaving a lot of people disappointed who were thinking that WinRT flash is is same as Win 8 flash. They should give the user the option to disable the whitelist with warning.
        Alan Smithie
      • All but one or two of my sites...

        I really only had one that I was very interested in getting added to the list and another that would be nice. I used the registry hack above to get the more important one to work and it now works great!
      • That's not a great answer

        "Daddy, I can't watch the pretty kitty video!"

        "Princess, just keep checking back every week for about a year, and maybe eventually you'll be able to."

        Flash will *eventually* go away, but the current evidence of that is not a decline in the number of sites using it, but rather that the rate of increase in the number of sites using it is starting to decline.

        No user cares about how many thousands of sites the Surface will work on - a user cares about the site she wants to see NOW, and "check back next year!" doesn't help that much.

        It's a baffling implementation by MS, but at least most users won't be baffled by it - they'll try a site, see an error about Flash, and figure that the Surface doesn't support it, just like the iPad. (Because when Flash works, there's no indication that it's Flash - there's just a video playing on my screen.)

        Only the savviest customers will be confused, which is a neat turnabout.
  • Great article

    Thanks for this, Ed. I've found the whitelist largely unobtrusive but there has been the odd website that I've missed. I'm going to send out some emails to them now ;)
  • There's one thing they forgot

    The thing they forgot about, was commercial applications that use flash.
    For instance, I have purchased a commercial product that uses a flash interface, and host it. I have customers that use this interface to manage products they purchase off me.
    Now, none of them can use IE to access the site.
    This one product probably has 10,000 customers using it similarly to me - so does that mean that MS will add all 10,000 domains of the end users into its whitelist? I'm not holding my breath.
    • Yes, they can

      They can use desktop IE on Windows 8. No restrictions. Or you can add the domain to the registry for them as I document here. If it's a line-of-business app, then no big deal.
      Ed Bott
    • What was their response?

      I'm assuming you've followed the steps in the article to apply to be added to the whitelist? What was Microsoft's response to your request?
    • Firefox or Chrome

      It looks like you would have an easier time running a different brouser. I wouldn't go out of my way to use IE in the 1st place, I find in very unsecure.
  • 1990 is calling and it wants you back

    From the article:
    "I'm aware of at least one third-party solution that works by tweaking the built-in CV list with your own additions.

    Here is 'a' tool, but I'm not sure it's 'the' tool to which you refer:

    It's an interactive BAT file program. And it supposedly takes about 2 minutes to add a single site to the whitelist (according to the article).

    Microsoft should follow Comodo's lead and create an alternate web browser for Windows RT using Google's open-source Chromium browser. The license is permissive, which means that Microsoft doesn't have to release the code that they add to the software. The Chromium browser allows one to easily, and quickly, white list sites for plug-ins like Flash Player. One can either view the site for a single visit or permanently view the site by adding it to a user-managed whitelist.

    As an added benefit, web sites that don't work well with IE 10 (whether the fault of the web site or IE 10), might work just fine with a WebKit/Chromium-based browser.

    Can Steve Ballmer pretend that he's Larry Ellison?
    Rabid Howler Monkey
    • That program

      Did you miss the part where it turns off automatic updates to the CV list? That auto-update would overwrite your customized list. So in order for that 2-second fix to work, it has to stop future updates. Not a good solution.
      Ed Bott
      • No, I didn't miss the part about automatic updates.

        The tool is clunky anyway.

        Microsoft needs an alternate browser for Windows RT. If they won't open the Windows RT desktop to 3rd party browsers, then Microsoft needs to do it themselves. If Oracle can use Red Hat's Enterprise Linux source code to create Oracle Enterprise Linux which they then use to compete with Red Hat, Microsoft can do the same with Google's Chromium browser source code to create an alternate browser for Windows RT and compete with Android.

        P.S. Wrt Comodo, I refer to their using the Chromium browser source code to create their Dragon browser for Windows (not RT).
        Rabid Howler Monkey
      • Continuing in the “not a good solution” vein...

        I'm not sure why Microsoft wants to brand its browser as “More capable, as long as you are willing to occasionally diddle your registry because a favorite site hasn't bothered/managed to certify that its app is WinRT friendly.”

        Well and good to have experts like the redoubtable Mr. Bott — as long as (a) you can find his post on each and every one of the Microsoft quirks, and (b) you have plenty of time and energy to chase down hardware-specific docs, understand gotchas about running specialized side apps (free or otherwise), and are competent to perform the rituals.

        Astonishing that Microsoft didn't use some of its engineering talent to flag sites that aren't touch- or battery-friendly (but otherwise usable!), or some of its marketplace muscle to get Adobe to take care of the branding for them, in a way that would've shown Jobs's concerns to have been dealt with at the source.

        This is, after all, why non-power-users are buying approximately as many iOS devices as all Windows devices combined. They don't have to screw around with bandaids and kluges. They may miss some actually fine Flash, but they don't have to be low-paid janitors to their machines.
        • This is about third-party software

          Let's be clear: The world is moving to one where browser plugins and other unmanaged apps won't exist. iPad is already there, for better or worse.

          And you don't think that Microsoft is not actively working with website developers and with Adobe to get them to improve sites that are problematic? Seriously, Walt? That's been a major thrust of Microsoft's web dev efforts since the announcement of IE9. Lot of progress since then, a lot more room to go.
          Ed Bott
        • What an odd position to take

          "They don't have to screw around with bandaids and kluges. They may miss some actually fine Flash"

          So Microsoft is bad because it curates the list of good Flash sites, allowing users to access those sites without screwing around with bandaids and kludges. apple is good because no matter what you do, you have absolutely no ability to view good Flash sites.

          If you never once told a Windows user that they technically could alter the whitelist if they wanted to, they wouldn't even know that kludges and bandaids existed and would never say "Windows sucks because I have to screw around with bandaids and kludges". What they WOULD know is that apple products NEVER work with Flash while Microsoft products do. No kludges or bandaids required.

          I hear your argument all the time BTW so you aren't alone with your flawed logic. I have never, even once, messed around with the engine in my car. I haven't changed the oil myself, I don't top up my fluids myself, I do 0 bandaids and kludges on my car. I take it to the shop. They do it all for me. Amazing how I can choose to do that even though the hood isn't locked. Amazing how I'm able to resist the temptation of doing all this myself even though I'm technically able to.

          Providing users with the option of bandaids and kludges doesn't mean those users have to use them. It CERTAINLY doesn't mean that alternatives where you have fewer capabilities out of the box are better. Windows RT works with many great Flash sites, no bandaids or kludges required. ios works with none of the Flash sites. That isn't better. That's worse.
          • Who included apple in that thread.

            Do you have to compare apple to ever thread..
            You dislike apple, we get it.. You don't have to include them everytime.
            Anthony E
          • The poster I was responding to included apple

            "This is, after all, why non-power-users are buying approximately as many iOS devices as all Windows devices combined. They don't have to screw around with bandaids and kluges. They may miss some actually fine Flash, but they don't have to be low-paid janitors to their machines."

            His entire last paragraph, the paragraph I was responding to, the paragraph I took my quote from, was about apple. The "they" in the quote I included, was referring to apple users.

            But I want to thank you for admitting I am right. After all, if you'd had a better counter point, you would have used it.