What's the long term plan with Click-to-play and Flash?

Post by g***@gmail.com
a. Advertisers are the biggest current reason for more than 1 flash plugin on a page.

Note that Adobe's installation test page for Flash at
<http://www.adobe.com/software/flash/about/> uses Flash three times.

Also, eight Web developers currently listed on my
<http://www.rossde.com/internet/Webdevelopers.shtml> each use Flash more
than once on the same page of their own Web sites. However, all eight
of them also have pages with HTML and CSS errors.

--
David E. Ross
<http://www.rossde.com/>

On occasion, I filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam, flames, and trolling from that source.

g***@gmail.com

2014-06-02 15:36:03 UTC

Post by David E. Ross

Post by g***@gmail.com
c. There are very few websites that currently depend on showing 6 flash instances at once that are not ads.

Also, eight Web developers currently listed on my
<http://www.rossde.com/internet/Webdevelopers.shtml> each use Flash more
than once on the same page of their own Web sites.

An interesting data set to start with!
Only 1 of those that used more than 1 flash instance is still doing so. And of the ones to use Flash, only one has moved from 1 to 2. (I didn't test the complete list of other sites, but out of 20 opened quickly came up with 2 that used Flash, one that had two instances due to 2 youtube videos.)

Post by David E. Ross
This sounds like a reasonable guess, but we definitely need to collect

some data.

Would top 1000 sites be a good sample? I'm not sure how to best confirm this assumption.

[Full test] https://pastebin.mozilla.org/5321985

Benjamin Smedberg

2014-06-02 16:04:45 UTC

Post by Benjamin Smedberg
This sounds like a reasonable guess, but we definitely need to collect

some data.
Would top 1000 sites be a good sample? I'm not sure how to best confirm this assumption.

I don't think that we can make decisions based only on the most popular
sites, no. I expect that if we really wanted to prove this, we'd want to
measuring using Firefox telemetry and then perhaps run an experiment:

* start by adding a telemetry probe for the max number of plugin
instances per-page
* run an experiment: when Firefox encounters a page with more than 3
instances, prompt the user to tell us the domain name.
* Run an experiment: try cutting off Flash after 3 instances, and ask
people in that situation if their website is "broken".

But as I said, I really don't think the costs are going to be worth it
anyway, and we should focus on replacing Flash advertising with Shumway
rather than making it click-to-play.

--BDS

Benjamin Smedberg

2014-06-02 14:30:45 UTC

What is the problem you are trying to solve, and why do you think this
proposal will solve it? It seems that your proximate goal is to get
advertisers off of Flash, and that you ultimately want to do this to
improve user privacy by disallow Flash cookies.

From user research, we know that some users expect advertisements in
the page, and when we tried blocking Flash, these users were confused
about why the page didn't look right and were unhappy that we broke the web.

Post by g***@gmail.com
a. Advertisers are the biggest current reason for more than 1 flash plugin on a page.

This is undoubtedly true.

Post by g***@gmail.com
b. Attack sites are the other big reason to have many plugins per page.

I very much doubt this. We do know that one of the leading vectors for
non-targeted malware attacks is plugins on advertising networks. I doubt
that there will be a high plugin *count* in those attack scenarios, though.

Post by g***@gmail.com
c. There are very few websites that currently depend on showing 6 flash instances at once that are not ads.

This sounds like a reasonable guess, but we definitely need to collect
some data.

I sympathize with the desire to get advertisers off of Flash, but I
don't think that this plan strikes the right balance. Because developers
often don't control whether advertisers use Flash, any problems this
causes will be inherently intermittent and confusing for both developers
and users.

Our current strategy is to continue development of Shumway to the point
where it displays most web content reliably and performs acceptably, and
then try to switch users to Shumway with a fallback to "real" Flash if
we detect incompatible content. I believe that will be the best way to
solve the privacy issues with Flash without causing pain to our users.

--BDS

g***@gmail.com

2014-06-02 17:12:08 UTC

Post by Benjamin Smedberg
What is the problem you are trying to solve, and why do you think this
proposal will solve it?

1. Make it crystal clear that Mozilla wants Flash to go away and that developers should stop making new things in it. And that Flash will eventually be treated just like every other plugin.
2. Get the web more in shape for the fact that Firefox on Linux will lose Adobe's Flash in 3 years. (I'm a Linux user so it's personal :P )
3. I want to eventually see a web without *any* plugins.

Post by Benjamin Smedberg
From user research, we know that some users expect advertisements in
the page, and when we tried blocking Flash, these users were confused
about why the page didn't look right and were unhappy that we broke the web.

They were confused by the Click-to-play part? When was this test?

Most sites that I view nowadays look totally fine if Flash are blocked.
I remember when formatting would get messed up blocking Flash but that hasn't happened in a while (IME).

I do agree that right now, advertisers are the biggest item keeping Flash not click-to-play though. Hence, why I try to address them first in my plan.

Post by g***@gmail.com
b. Attack sites are the other big reason to have many plugins per page.

True. Could be some crossover, but it would likely be accidental.

Post by Benjamin Smedberg
Our current strategy is to continue development of Shumway to the point
where it displays most web content reliably and performs acceptably, and
then try to switch users to Shumway with a fallback to "real" Flash if
we detect incompatible content. I believe that will be the best way to
solve the privacy issues with Flash without causing pain to our users.

That does help solve the privacy issues with Flash, but does nothing to make developers stop using Flash.

I also don't think Shumway can ever fully implement Flash (think DRM bits), so this has a long term plan that still includes Adobe Flash. If the advertisers have a choice that they can ask for the unimplementable bits of Flash to get the plugin (and therefore mitigate any privacy protections) they would totally do that.

Some advertisers already fall back to non-flash ads (check out the ads on www.phoronix.com) if they don't detect Flash. My plan can help push them to make that the default.

Thanks,
Bryan

Benjamin Smedberg

2014-06-02 19:55:32 UTC

Post by Benjamin Smedberg
What is the problem you are trying to solve, and why do you think this
proposal will solve it?

1. Make it crystal clear that Mozilla wants Flash to go away and that developers should stop making new things in it. And that Flash will eventually be treated just like every other plugin.

We definitely want Flash to go away. But it isn't like every other
plugin, and we need to be realistic about that. It's penetration into
all parts of the web, advertising and no, is far greater than other
plugins. And especially it's still common to use "hidden" Flash
instances to do web enhancements in ways that make click-to-activate UI
tricky for many users.

Post by g***@gmail.com
2. Get the web more in shape for the fact that Firefox on Linux will lose Adobe's Flash in 3 years. (I'm a Linux user so it's personal :P )

A lot of the web will end up like that pretty soon regardless, with the
major mobile OSes not having Flash support. There's a lot more leverage
there than there is on our desktop Flash policies.

Post by g***@gmail.com
From user research, we know that some users expect advertisements in
the page, and when we tried blocking Flash, these users were confused
about why the page didn't look right and were unhappy that we broke the web.
They were confused by the Click-to-play part? When was this test?

January 2013.

Post by g***@gmail.com
Most sites that I view nowadays look totally fine if Flash are blocked.

You and I probably have a different perspective on this than most
people. That's why we do user research in the first place. Since many
people don't even understand that Flash is a plugin separate from the
browser, they had serious trouble understanding why we were asking them
to click just to play the videos and see the ads.

That does help solve the privacy issues with Flash, but does nothing to make developers stop using Flash.

That's true, but does it matter? You can view the content correctly
without a binary plugin.

Post by g***@gmail.com
I also don't think Shumway can ever fully implement Flash (think DRM bits), so this has a long term plan that still includes Adobe Flash. If the advertisers have a choice that they can ask for the unimplementable bits of Flash to get the plugin (and therefore mitigate any privacy protections) they would totally do that.

It is true that there are some specific Flash APIs that we cannot
implement. These include some codecs (VP6, Sorenson) and the DRM bits of
Flash. These are not used by advertising sites much, and so we have a
good migration path for most content.

As for the question of whether and how we'd do fallback, we don't know
yet. We might not decide to do automatic fallback but require a click to
activate in those cases: that should fix the drive-by case and fix the
advertising landscape without unduly affecting other content. We still
need to experiment with that once Shumway performance and compatibility
is farther along.

--BDS

g***@gmail.com

2014-06-03 14:28:19 UTC

Post by Benjamin Smedberg
We definitely want Flash to go away. But it isn't like every other
plugin, and we need to be realistic about that. It's penetration into
all parts of the web, advertising and no, is far greater than other
plugins. And especially it's still common to use "hidden" Flash
instances to do web enhancements in ways that make click-to-activate UI
tricky for many users.

I agree that we can't treat it like any other plugin right now, but that should be our goal to get to that point?

Post by Benjamin Smedberg
A lot of the web will end up like that pretty soon regardless, with the
major mobile OSes not having Flash support. There's a lot more leverage
there than there is on our desktop Flash policies.

I agree, in fact I'm not sure we would even be able to have this discussion now without mobile cutting into Flash. A quick count on statcounter indicates we have about as many people browsing with Firefox as on all mobile devices. Firefox can make it so not just the mobile version of the site is Flash free.

Post by g***@gmail.com
Most sites that I view nowadays look totally fine if Flash are blocked.

I don't see this being substantially different from the click-to-play being implemented for other plugins (except affecting more sites). As you know, the click to play implementation has had some nice refinements since that test.

Post by Benjamin Smedberg
That's true, but does it matter? You can view the content correctly
without a binary plugin.

I see that as a temporary workaround, and the longer term goal being have everyone code in HTML/CSS/JS directly. I want Flash to stop being used on the web, not just in Firefox.

Post by Benjamin Smedberg
As for the question of whether and how we'd do fallback, we don't know
yet. We might not decide to do automatic fallback but require a click to
activate in those cases: that should fix the drive-by case and fix the
advertising landscape without unduly affecting other content. We still
need to experiment with that once Shumway performance and compatibility
is farther along.

I guess I've had a similar experience (automatic fallback) with Gnash and Lightspark and found it very lacking. Slightly broken content is much more jarring (to me at least) then the Click-to-play view.

Anyway, I'm happy to do the work to get us some hard telemetry data on this as you described previously. (I might start with top sites just to double check feasibility.) What results would change your mind about this? (aka how many broken sites are considered acceptable)

Thanks,
Bryan

Benjamin Smedberg

2014-06-03 15:13:21 UTC

Post by g***@gmail.com
I agree that we can't treat it like any other plugin right now, but that should be our goal to get to that point?

If the cost/benefit is right.

Post by g***@gmail.com
Most sites that I view nowadays look totally fine if Flash are blocked.

As a result of that test, yes! The reason Flash is substantially
different is that there is frequently functional Flash which is
completely hidden on a page: used for copy/paste, or for some audio system.

Post by Benjamin Smedberg
That's true, but does it matter? You can view the content correctly
without a binary plugin.

I see that as a temporary workaround, and the longer term goal being have everyone code in HTML/CSS/JS directly. I want Flash to stop being used on the web, not just in Firefox.

I think we might disagree here. As long as we can render Flash content
using standard HTML/CSS/JS (Shumway), I don't think it is/should be our
goal now to get rid of SWF content. We can achieve almost all of our
goals of having a privacy-respecting, fast, standardized, open web and
use Shumway to render existing SWF content.

Post by g***@gmail.com
Anyway, I'm happy to do the work to get us some hard telemetry data on this as you described previously. (I might start with top sites just to double check feasibility.) What results would change your mind about this? (aka how many broken sites are considered acceptable)

The ultimate answer is that we can't afford to die on this hill. If
users leave Firefox because we disabled Flash, then we can't do it. So
maybe if we get to a point where all the major video sites are using
<video> and not Flash, then we can discuss whether click-activating the
remaining functional and advertising Flash would affect Firefox usage,
and test that using our beta channel.

But I don't think there is any evidence that would sway me at least
until youtube is using <video> by default and then we can review the
landscape again.

--BDS

g***@gmail.com

2014-06-04 16:48:16 UTC

Post by Benjamin Smedberg
used for copy/paste, or for some audio system.

Indeed, I have seen it for music streaming sites before.

Post by Benjamin Smedberg
I think we might disagree here. As long as we can render Flash content
using standard HTML/CSS/JS (Shumway),

Indeed, this disagreement is fundamental to why we came up with different plans.

Post by Benjamin Smedberg
But I don't think there is any evidence that would sway me at least
until youtube is using <video> by default and then we can review the
landscape again.

Fair enough. I appreciate the discussion we've had. I'll be back when youtube switches :)

Kind regards,
Bryan

g***@gmail.com

2014-06-11 22:22:03 UTC

Post by g***@gmail.com
I'll be back when youtube switches :)

Which apparently already happened for Chrome/ium.. See: http://googlesystem.blogspot.com/2014/05/youtube-switches-to-html5-player-in.html

(Flash still get's used by some videos - but it tries HTML5 first, most play fine in HTML5)

I think when Firefox turns on MSE on by default we can request YouTube do the same with Firefox*. Current status (in testing): http://blog.mjg.im/2014/05/08/testing-media-source-extensions/

*In my testing (User agent switcher on chrome) it's blocked by user agent not by feature checking.

Chris Peterson

2014-06-02 18:53:21 UTC