Microsoft changes default Flash behavior in Windows 8 and RT

In a surprise reversal, Microsoft has changed the default behavior of Flash content on websites viewed using Internet Explorer in Windows 8 or Windows RT. Previously, sites had to be on a whitelist before Flash would work. The new behavior effectively turns the Compatibility View list into an exclusive blacklist of badly behaved sites.
Written by Ed Bott, Senior Contributing Editor

With Internet Explorer 10 on Windows 8 and Windows RT, Microsoft built Adobe's Flash Player directly into the browser. That's not a big deal. Its archrival Google has done the same with the Chrome browser.

But unlike Google, Microsoft made a controversial design decision in its implementation of the Flash Player plugin, restricting Flash content in the otherwise plugin-free Windows 8 version of IE 10. The original design allowed Flash content to run in the modern/Metro-style browser (and in the desktop browser as well on Windows RT) only if the domain was on Microsoft's Compatibility View List.

The implementation was so confusing that I wrote an explainer last year that went on to be one of my most popular posts of the year. (See "An inside look at Internet Explorer 10's mysterious Flash whitelist.")

Beginning tomorrow, that rule gets turned on its head. Under the new rules, any web site will be able to run Flash content in Internet Explorer 10 on both Windows 8 and Windows RT. The only exceptions will be those sites placed in a new section of the Compatibility View list that will effectively serve as an exclusive blacklist of websites behaving badly.

An update to a blandly titled article at the IE Developers Center, "Developer guidance for websites with content for Adobe Flash Player in Windows 8 (Internet Explorer)," makes the new policy formal. This note is dropped casually in the middle of the text:

Note When first released, Internet Explorer 10 used the CV List for Flash to identify sites that were allowed to run Flash content. As of March 2013, Internet Explorer 10 uses the CV List for Flash to block Flash content for specific websites. This behavior change requires Internet Explorer 10 to be fully patched with all available security updates.

And here's the new policy:

For Windows 8 running on a Windows PC, any site can play Flash content in Internet Explorer 10 for the desktop; however, sites that are on the Compatibility View (CV) list for Flash won't play Flash content within Internet Explorer 10 in new Windows UI. For Windows RT, sites that are on the CV list for Flash cannot play Flash content in either Internet Explorer for the desktop or Internet Explorer in the Windows UI.

Internet Explorer 10 uses the CV list to block specific sites from running the Flash Player functionality supported in Internet Explorer in the Windows UI. Microsoft manages and distributes the CV list and determines which sites go on the list. Decisions are based on security and reliability concerns.

A companion post on the IE blog specifies that the new policy, with its "curated Compatibility View list," takes effect tomorrow, March 12, 2013.

As we have seen through testing over the past several months, the vast majority of sites with Flash content are now compatible with the Windows experience for touch, performance, and battery life. With this update, the curated Compatibility View (CV) list blocks Flash content in the small number of sites that are still incompatible with the Windows experience for touch or that depend on other plug-ins.

We believe having more sites “just work” in IE10 improves the experience for consumers, businesses, and developers. As a practical matter, the primary device you walk around with should give you access to all the Web content on the sites you rely on. Otherwise, the device is just a companion to a PC. Because some popular Web sites require Adobe Flash and do not offer HTML5 alternatives, Adobe and Microsoft continue to work together closely to deliver a Flash Player optimized for the Windows experience.

Microsoft's official announcements say the change is based on an ecosystem that has gotten better at developing Flash content. But I suspect the real reason is more pragmatic. This behavior was confusing to users and frustrating to developers. For Windows RT in particular, it had a devastating effect on some sites, which simply wouldn't work, and the fact that you can't install an alternative browser on RT eliminates that workaround. And at this point in its life, the last thing Windows RT needs is another reason for potential buyers to reject it.

Usage of Flash in recent years has dropped, especially in the aftermath of Apple's decision to block the plugin completely on its popular portable devices. But many sites still require it, and in some trades, such as real estate, it's so widely used that it can't be ignored.  

The blacklist approach is easier to manage and less obvious (and frustrating) to IE users. Anyone want to take bets on which sites will be on the blacklist on Day 1? They're in for a bit of public shaming, and an appeal process that can mean weeks before their site is once again accessible in IE 10.

My first reaction to the news was a concern that this increases the likelihood of security flaws in Flash affecting IE users. The new policy attempts to address that issue by requiring that Internet Explorer be "fully patched" before any content will run. Presumably that requirement includes the Microsoft-distributed Flash Player plugin.

Editorial standards