21 February 19, 10:04
Quote:
Microsoft's Edge web browser users a secret Flash whitelist that allows Flash content to run without click to play protection on included sites.
Microsoft Edge, the default browser of Microsoft's Windows 10 operating system, supports Adobe Flash natively. Flash is set to click-to-play in the browser, and users may disable Flash entirely in the browser's settings.
Microsoft releases Flash updates regularly on the company's monthly patch day to fix security issues discovered in Flash.
It came to light recently that Microsoft implemented a Flash whitelist that allowed Flash content to run on 58 different domains without user interaction. Sites on that list included Deezer, Facebook, the MSN portal, Yahoo, or QQ but also entries that one would not necessarily expect on such a list like a Spanish hair salon.
Microsoft limited the list on this month's Patch Tuesday update to just two Facebook entries and enforced the use of HTTPS for these sites after a Google engineer filed a bug report with the company in late 2018.
Full reading: https://www.ghacks.net/2019/02/21/about-...whitelist/