Microsoft changes default Flash behavior in Windows 8 and RT

Microsoft changes default Flash behavior in Windows 8 and RT

Summary: In a surprise reversal, Microsoft has changed the default behavior of Flash content on websites viewed using Internet Explorer in Windows 8 or Windows RT. Previously, sites had to be on a whitelist before Flash would work. The new behavior effectively turns the Compatibility View list into an exclusive blacklist of badly behaved sites.


With Internet Explorer 10 on Windows 8 and Windows RT, Microsoft built Adobe's Flash Player directly into the browser. That's not a big deal. Its archrival Google has done the same with the Chrome browser.

But unlike Google, Microsoft made a controversial design decision in its implementation of the Flash Player plugin, restricting Flash content in the otherwise plugin-free Windows 8 version of IE 10. The original design allowed Flash content to run in the modern/Metro-style browser (and in the desktop browser as well on Windows RT) only if the domain was on Microsoft's Compatibility View List.

The implementation was so confusing that I wrote an explainer last year that went on to be one of my most popular posts of the year. (See "An inside look at Internet Explorer 10's mysterious Flash whitelist.")

Beginning tomorrow, that rule gets turned on its head. Under the new rules, any web site will be able to run Flash content in Internet Explorer 10 on both Windows 8 and Windows RT. The only exceptions will be those sites placed in a new section of the Compatibility View list that will effectively serve as an exclusive blacklist of websites behaving badly.

An update to a blandly titled article at the IE Developers Center, "Developer guidance for websites with content for Adobe Flash Player in Windows 8 (Internet Explorer)," makes the new policy formal. This note is dropped casually in the middle of the text:

Note When first released, Internet Explorer 10 used the CV List for Flash to identify sites that were allowed to run Flash content. As of March 2013, Internet Explorer 10 uses the CV List for Flash to block Flash content for specific websites. This behavior change requires Internet Explorer 10 to be fully patched with all available security updates.

And here's the new policy:

For Windows 8 running on a Windows PC, any site can play Flash content in Internet Explorer 10 for the desktop; however, sites that are on the Compatibility View (CV) list for Flash won't play Flash content within Internet Explorer 10 in new Windows UI. For Windows RT, sites that are on the CV list for Flash cannot play Flash content in either Internet Explorer for the desktop or Internet Explorer in the Windows UI.

Internet Explorer 10 uses the CV list to block specific sites from running the Flash Player functionality supported in Internet Explorer in the Windows UI. Microsoft manages and distributes the CV list and determines which sites go on the list. Decisions are based on security and reliability concerns.

A companion post on the IE blog specifies that the new policy, with its "curated Compatibility View list," takes effect tomorrow, March 12, 2013.

As we have seen through testing over the past several months, the vast majority of sites with Flash content are now compatible with the Windows experience for touch, performance, and battery life. With this update, the curated Compatibility View (CV) list blocks Flash content in the small number of sites that are still incompatible with the Windows experience for touch or that depend on other plug-ins.

We believe having more sites “just work” in IE10 improves the experience for consumers, businesses, and developers. As a practical matter, the primary device you walk around with should give you access to all the Web content on the sites you rely on. Otherwise, the device is just a companion to a PC. Because some popular Web sites require Adobe Flash and do not offer HTML5 alternatives, Adobe and Microsoft continue to work together closely to deliver a Flash Player optimized for the Windows experience.

Microsoft's official announcements say the change is based on an ecosystem that has gotten better at developing Flash content. But I suspect the real reason is more pragmatic. This behavior was confusing to users and frustrating to developers. For Windows RT in particular, it had a devastating effect on some sites, which simply wouldn't work, and the fact that you can't install an alternative browser on RT eliminates that workaround. And at this point in its life, the last thing Windows RT needs is another reason for potential buyers to reject it.

Usage of Flash in recent years has dropped, especially in the aftermath of Apple's decision to block the plugin completely on its popular portable devices. But many sites still require it, and in some trades, such as real estate, it's so widely used that it can't be ignored.  

The blacklist approach is easier to manage and less obvious (and frustrating) to IE users. Anyone want to take bets on which sites will be on the blacklist on Day 1? They're in for a bit of public shaming, and an appeal process that can mean weeks before their site is once again accessible in IE 10.

My first reaction to the news was a concern that this increases the likelihood of security flaws in Flash affecting IE users. The new policy attempts to address that issue by requiring that Internet Explorer be "fully patched" before any content will run. Presumably that requirement includes the Microsoft-distributed Flash Player plugin.

Topics: Browser, Security, Web development, Windows 8

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • So...

    Does this mean I can use flash on any site with an RT device, or no? I can hardly understand the language used.
  • Can users still manage their own whitelists for Flash content on web sites?

    Because zero-day exploits aren't exactly strangers to Internet Explorer and Flash Player.

    Ditto for system administrators in SMBs and enterprises.

    P.S. Previously (with Windows RT), users were able to manage their own whitelists with a very clunky, early 1990s-style, 3rd party tool.
    Rabid Howler Monkey
  • Microsoft changes default Flash behavior in Windows 8 and RT

    Might be a change for the better so that more people can access more legit websites.
  • Welcome move

    A black list is better than a white list because it will allow more genuine sites to work in IE metro. Also Adobe has done an excellent job to improve security in flash.
  • Will I still be able to completely disable Flash?

    I don't care which way MS does it, I just want to be ale to completely disable Flash simply to control data usage.

    If I want to wacth/hear someting I can decide if I am willing to spend the data.
    • I think you can

      I'm pretty sure you can disable flash completely in the settings. I can't check right now as I'm (frustratingly) on XP.
  • I wonder how this new MS Flash policy will impact battery charge duration

    When Mr. Bott mentions Apple's Flash usage ban on its mobile iOS devices, it should be recalled that the primary ban was on the mobile plugin version of Flash.

    Adobe and Microsoft agreed years later that this version of Flash never could achieve satisfactory quality and performance usage on mobile devices and that this was the primary reason Adobe cancelled this plugin version.

    However, now that Microsoft has allowed it's browser to utilize Adobe's full desktop Flash plugin, I wonder how this will effect the average battery charge duration for Microsoft Surface tablets?

    Perhaps the relatively small number of common internet web sites that still display Flash content might prove to be a mitigating factor regarding battery charge duration. In other words, this change in policy might prove to be more about politics than real world performance issues or customer satisfaction. Ed seems to allude to that interpretation when he opined that this policy change might have been based merely on a pragmatic marketing decision.
    • Here's my findings on Surface RT and BBC iPlayer

      I watch BBC Top Gear on their iPlayer on my Surface RT. The show is 60 mins, (more or less.)

      My fully charged RT drops from 100% to 80%. Normally I use about 10% per hour, so Flash video playback doubles the battery discharge rate.

  • Does it run Silverlight yet...

    or does some old Sinofsky stooge still need to be beaten to death?
    • Silverlight was basically deprecated

      Don't expect it to be ported to windows RT.
      • And then it was re-preciated

        Leaked roadmap apparently had Silverlight 6 in 2014.
        Michael Alan Goff
  • The initial decision was inexplicable...

    ... so this is just a return to sanity. Anybody have the foggiest idea why MS made that decision in the first place?
    • Because ...

      ... Flash was one of the biggest sources of crashes, performance issues, security guns, etc. Microsoft licensed the Flash source code and has worked with Adobe for over a year to harden, secure and improve the perf and power efficiency on Windows (esp. Windows RT).

      Now that they've tested the product's real world use for some time, it is clear they're happy enough with Flash's perf, security, etc. and can relax the restrictions on its use.
  • I recommend a return to MDDOS 2.0

    I recommend a return to MDDOS 2.0

    That is how we eliminate all of these issues.

    I also recommend horses as they do not require batteries or gasoline.

    Microsoft is having a hard time deciding how to be Microsoft. I prefer the old and more difficult Microsoft; “If it breaks Windows then block it!”. The users will adapt.

    We need an OS that does not require the user to be technically savvy about firewalls, anti-virus and malware. Microsoft has made some attempts to do this by incorporating Flash into IE10 and by providing a method for automatically blocking bad content.

    In a corporate network Admins would prefer the white list approach as witnessed by the "Trusted Sites" zone. This along with proper IE settings in GP will make safety almost absolute.

    Home users need Microsoft to take over this protective role or, perhaps, allow a third party to provide this service. This would be mechanism similar to parental controls although we would call this "dumb adult controls".
    • There's a great, big, beautiful tomorrow...

      Yep. Changes to MS operating systems represent progress as every last one of them is an improvement over what came before. Anyone who thinks otherwise is anti-progress.
      John L. Ries
    • Does anyone actually use IE anymore?

      All this fooling around has been handled pretty well in more advanced and security conscious browsers. NoScript, Adblock and Flashblock address all the flash issues that people are concerned about.
    • Yeah, let's let the OS control our use....

      A cloudy day can break Windows (get it?). Rather than going one way or the other, why not give users a choice as to use a the blacklist approach, whitelist approach or use a safer browser to start with?
  • Who cares?

    Nobody uses this garbage anyway because people have moved on
    • Moved on? Onto what? iPads?

      Most (majority) people rely on their desktops/laptops for internet media.

      Contrary to what Steve Jobs said, Flash isn't dead, and it doesn't seem like it will any time soon.

      Many websites still rely on Flash, despite HTML5's apparent advantages.

      I think it's time for you to get off the internet, it's quite obvious that nobody wants you here.
      • Don't be such a facist. Who appointed you moderator?

        From shellcodes_coder's point of view, people have moved on. Past flash, past IE, whatever. It's his opinion, who the f are you to tell him that nobody wants him here?