Domain Specific Flash Enabling on Firefox

Update: It looks like Flash has been updated to 18.0.0.209, so this workaround shouldn’t be needed. Save it for a rainy day (or the next time Firefox blocklists Flash.)

This big news today is that Mozilla blocked version 18.0.0.203 of Flash because of security vulnerabilities. At the time they blocked it, it was the latest version of Flash available. While this might be great for users, there are enterprises that have mission critical apps that require Flash.

Although you can use the various notifications in Firefox to re-enable Flash (it’s what Firefox calls a soft block), you might wonder how you can make sure Flash is enabled for the specific domains you need it on regardless of the status of Flash security. You can do that using the Firefox permissions manager.

The easiest way to do this is using the CCK2. When you enable all plugins for a domain on the permissions page, it makes sure that Flash and Java work on that domain even if they are vulnerable.

If you are using AutoConfig, you can add this code to your config file:

Components.utils.import("resource://gre/modules/Services.jsm");
Components.utils.import("resource://gre/modules/NetUtil.jsm");
Services.perms.add(NetUtil.newURI("http://some.domain"), "plugine:flash", 1);
Services.perms.add(NetUtil.newURI("http://some.domain"), "plugin-vulnerable:flash", 1);

This will make sure that flash always works on the given domain. If you want to do this inside of your browser, you can check out the Scratchpad.

Note that for security reasons, you shouldn’t enable the vulnerable versions of Flash and Java for any domain that you don’t have control over.

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

7 thoughts on “Domain Specific Flash Enabling on Firefox

  1. Both you and the article you are linking to appear to be late to the party. Flash Player 18.0.0.209 has been released already and it isn’t blocked. However, there was indeed a period of three to four days where the latest Flash version was blocklisted.

    • That’s good to know. At the rate Flash it getting hacked, though, these are still good instructions to have around.

  2. Nor should you enable it this way for any HTTP sites — every such site must be HTTPS to defend against sufficiently powerful attackers. And any sites you enable it for, must only host SWFs you control, that accept an absolute minimum of configuration parameters through HTML’s embedding interface.

    • Firefox doesn’t support separate http/https permssions. That http in the URL above is because the API requires a URI. It’s actually just using the domain.

    • Just btw., totally offtopic:

      Besides the HTTPS Everywhere (Atlas) Firefox Add-on, there’s also the Enforce Encryption Firefox Extension — which uses the (built-in) HTTP Strict Transport Security (HSTS)

      *I suppose that reading Wladimir Palant’s comment, above, had prompted me 2 post (because it is -also- his add-on!..:))

  3. This means that things that used large amounts of money required can be done now with much smaller amount
    of money and time. The first table may consist of your logo and any header information that you wish to include in your web design. Add testimonials or
    evaluations to your landing page.