To be clear, by "blocked" Flash we really mean enforced click-to-activate. User choice is always a #1 priority at Mozilla.
We regularly block vulnerable plugins. What made this block different was that we did it before Adobe made an update available. Now that Adobe has released an update, it is no longer true that every version of Flash Player is blocked in Firefox.
However, we're glad to see the conversation this has sparked. Personally I align with Alex Stamos regarding Flash, in the thinking that a formal EOL would be great.
I'd also like to use this space to make a shameless plug for Shumway, a project set on building a faithful an efficient renderer for the SWF file format without native code assistance. Ending Flash doesn't need to mean an end for Flash media. http://www.areweflashyet.com/shumway/
Technology should be replaced by better technology. To give you some background: I've written games for all kinds of platforms: PocketPC, Windows Mobile, (Desktop) Windows, Linux, OS X, Flash (AS3), HipTop, J2ME devices and some smaller proprietary devices.
Some of those platforms offer write once, run everywhere. On other platforms every device has it's own quirks and you have to test on every device and implement workarounds.
You might not like Flash, but it is great at running on every platform/browser with the same code base. If you test it on one platform, it runs on all others. (Adobe is also very good at keeping it backwards compatible)
Now, I ask you, what's the alternative for Flash? Does HTML5 offer write once, runs the same on every platform/browser(version!)? No it doesn't, and it never will. Even simple HTML pages are full of browser checking hacks.
Now, if you can offer a programming platform where the games I develop on, run exactly the same on every browser, on every platform, I have no problem killing Flash. But let's be honest here, only plugins can guarantee such a thing.
As to Alex Stamos, the top games on Facebook are all Flash. You know why? Because developers don't have to worry whether or not those games will run inside the users browser. Because once Flash is installed, they will run without issues. HTML5? No such guarantee.
So before you declare EOL, please have a proper alternative, where I don't have to pull my hair and cry all night because browser X on platform Y version Z seems to break the end boss of level 5 in my game because its implementation slightly differs from all the rest.
While I do understand where you are coming from - it can be more convenient to target a single implementation - the fact is that Flash has not been what you describe, for a while now. Flash officially announced it would no longer support Linux, and Flash is not usable in most mobile browsers either, for example.
Even plugins can't really get you what you want here. Yes, HTML5 has limitations, as you described, but plugins aren't the solution. HTML5 is closer, and moving in the right direction at least.
Mobile doesn't need browser plugins, because it has apps. AS3 compiles to Android and iOS, just as it should. So I agree with Adobe that mobile doesn't need to support Flash. BTW, the same AS3 codebase for Flash runs as mobile apps. Do the HTML5 games support all versions of all browsers on the most popular mobile devices? Not on mine at least :(.
One codebase, runs everywhere, Flash in the browser, apps on mobile devices. Personally never had an issue with it.
Although I must agree with you that it's sad Adobe dropped Linux support.
koonsolo is right on with all his points. Flash is better then HTML5 all around.
Though personally I can understand why Adobe dropped support for linux, the market is just too small. Even though this community probably has a higher percentage of linux user then just about anywhere.
Yeah and this community is made up by mostly developers. To turn your back on developers is shooting yourself in your own foot. However, that is not what adobe are doing. They have signalled their intention to sunset flash themselves for a long time.
Plugins allow you to more easily experiment with different distribution methods, languages, etc. Flash, Unity, the JVM, etc, all have areas that they're much better at, such as tooling support, language support, etc. Sticking everything in a monoculture is a terrible idea.
Flash isn't part of the Web. It's not vendor neutral.
If Adobe decides to deprioritise a platform that mean the users of that platform with experience less support in terms of bug fixes, performance and security. If Adobe decides not to support a platform period that means users of that platform are left without a means to access Flash content.
If you are a user this is unacceptable. More importantly these things have already happened.
I fully agree with you. But like I said, if technology is replaced, it should be replaced by better technology.
For websites, HTML5 offers enough to be considered a proper alternative. Yes, I probably dislike Flash websites as much as you do.
But for games, HTML5 just doesn't cut it compared to Flash (or yes, even Java applets as someone else mentioned ;)). And the sad truth is that by design, each browser vendor will have it's own implementation with it's own quirks.
(I seem to be getting a lot of down-votes on my original post, although I don't think I said anything incorrect)
I think the issue is with the 'better technology' bit. Flash simply isn't a better technology than HTML5. They are, as they say, a land of contrasts, each with their own strengths and weaknesses. But where HTML5 is moving forward, steadily improving, Flash is actually getting much worse with time, supporting an ever-smaller proportion of the net, and doing so with less stability and security.
The Web is better, it's vendor neutral and not depended on whims of Adobe. Sure it may not be convenient for developers but as a user it's very convenient.
> If Adobe decides to deprioritise a platform that mean the users of that platform with experience less support in terms of bug fixes, performance and security.
Case in point, OSX. Wasn't until Flash v11 that OSX had hardware-assisted playback.
Hi, while I got your point and mostly I agree with you, I just have a question.
Now when WebGL is widely adopted why you can create your games using that technology? Or even compile your C/C++ games with asm.js. I saw very nice demos in the past.
For simple 2D games (like most of the Flash games), I saw very nice Flash-friendly libraries like Phaser[0] (based on Pixi.js).
I went to that phaser.io url, and when clicking on the examples, I see a background with nothing on it. I don't know if it has to show something animated or not. I pushed the 'Run code' rocket button, but still nothing shows. How do I make it start?
This is in Firefix 39.0, Windows.
Let's try IE, I'm curious. I need to click 'Show all content' at the bottom, and after that I see the animations. I tried the 'virtual joystick dpad' example and it works. But the cutouts of the joypads seem off. You can see their rectangular cutout, got the impression transparency isn't working properly, but also possible it was designed that way. But I don't think so because the screenshot of that example doesn't have it, so I guess it is a platform issue.
One more go, my iPhone: It doesn't scale properly, way too big for my screen. Can't zoom out or scroll. But the animations seem to run in the corner of the screen that I can see. Same transparency issue as on IE.
And let's be honest here, those examples are pretty basic and simple.
Do you have any interest an organizing an effort, along with Facebook's Alex Stamos and other folks, to plan a formal EOL for Flash? Of course, the steps Mozilla and others have taken help, but perhaps a more organized movement could get other thought and market leaders on board, trigger higher rates of HTML5 adoption and foster the bits of remaining innovation that are needed to fully replace Flash on the web.
Also, does Firefox plan to address the concerns brought up about Hello, and, more importantly, Pocket?
To avoid inflaming the situation, I have deleted my erroneous (sibling) comment after @aroch's reply. I was not aware that Pocket sent no data without opting in.
> The choice is to install it by default and make users opt-out, giving the uninformed users' data to Pocket (and thus their "partners")?
Except no data is sent to Pocket unless you actually opt-in to the service by signing up. Unless you login to Pocket the plugin and all its communication code is inactive... It is fine ti not like the integration but spreading FUD is annoying
Data doesn't go to pocket until you start using it, and even then, you have to click through a few pages to get there. Pages which make it abundantly obvious that its a third party service.
Mozilla did user testing before integration and found that people do want it. Remember that techies complaining on HN doesn't mean that the majority doesn't like it.
It's not different from the privacy implications of having Google/Yahoo as a default search provider. It's a nice feature that (very visibly) uses a third party service instead of being part of Firefox Accounts.
"Mozilla did user testing before integration and found that people do want it. Remember that techies complaining on HN doesn't mean that the majority doesn't like it."
I'm really not convinced by this as an argument. People might like all sorts of harmful things, once they see them. And the fact that people might want something that provides the functionality that Pocket provides, or something like it, doesn't mean that using Pocket specifically is a good idea.
This is an argument against "users didn't like it", not in itself a reason to use Pocket. Though if you couple this with the fact that Pocket integration isn't much different from search does help its case.
I was advocating for this yesterday in /r/sysadmin and this morning it was a pleasant surprise to hear that this actually happened. I imagine you're getting all sorts of complaints from advertisers and others, but its the right move. The web is simply dangerous and having an unaccountable closed source binary happily running anything served to it is just crazy.
I'd love it if you kept it like this and implemented a flash whitelist function. Flash needs to be treated like Java: its legacy tech that should be used only via whitelisting. Google is too embedded into the marketing and advertising world to ever consider doing this in Chrome. Its really up to you guys, per usual, to save the web.
Removing registration on Hello servers and WebRTC altogether is not stupid if you give a shit about your privacy, look at the leaks WebRTC provides, local IPs which are great for fingerprinting, real IPs from behind VPN, etc. It's one big gaping privacy nightmare so far, so it's pretty reasonable to have it disabled, until this gets sorted out at least.
Fortunately it can be toggled off in about:config easily.
Set loop.enabled = false to disable hello, set media.peerconnection.enabled = false to disable WebRTC. If you don't want pocket, set browser.pocket.enabled = false.
You can even make yourself one big user.js file to fix the bad ideas that have been added to Firefox lately. Mozilla still has a good thing going for them, and that is user choice. However stupid the defaults get.
Right. It's like the "just hit delete" line from spammers, and the invisible "x" boxes to reject "shared" posts in Facebook.
Firefox doesn't even predefine some of the things in "about:config" that need to be set to turn off some of these undesirable features.
There's IceCat, a GNU fork of Firefox without all the proprietary extensions.[1] It may start getting more traction as Mozilla puts more junk in the browser.
It's a real pain, but they want the less sophisticated users to be able to take advantage of all the latest stuff and if Chrome or IE is shipping with it enabled, they have to compete. Well, that explains WebRTC at least. As for the other stuff...
I'm a Pocket user, but I have no idea why that needed to be integrated into the browser, seems like an insane decision to me. I hope they got a good pay day out of that.
Same as the history based advertising tiles. Sure, it's checked locally, it still seems creepy and annoying... but again, browser.newtabpage.enhanced = false.
Unless we lose this level of user choice, I don't see a better alternative. It would be nice if someone would ship some tool to automatically update a user.js file, however, I think many of us have different opinions about what feature we do and do not want enabled in our browsers.
Off by default lets everyone choose to turn it on if they're interested. It also might clue in Mozillas devs that if they want people to turn it on, a setting in about:config isn't the only place you should be putting the button.
Off by default is neither removing user choice, nor is it preventing Mozilla from saying they ship with feature X. It is the right way to present it.
> Off by default lets everyone choose to turn it on if they're interested.
It lets more sophisticated users choose. Less sophisticated users however will more likely switch to a different browser the moment a site doesn't work before poking through settings.
I think a better way than a separate setting would be to go in the direction of many software firewalls and present it to the user as a choice when an application requests it as many browsers currently do with the location APIs. This would provide individual domain-level control over what permissions sites are granted by you. I don't know why this sort of policy seems to be restricted only to the location APIs...
I agree with a lot of this, but not turning off WebRTC in general. Certainly you should turn it off (or force TURN only) if you're trying to hide your IP behind a VPN. But IPv6 already causes you to lose the same amount of privacy as exposing your IPv4 address behind a NAT, so it seems somewhat of a lost cause.
I still think WebRTC enabling peer to peer connections is better than running all of your data through a third party server.
> But IPv6 already causes you to lose the same amount of privacy as exposing your IPv4 address behind a NAT, so it seems somewhat of a lost cause.
Extremely few people have active IPv6, it seems unlikely to catch on now. In addition to that, IPv6 privacy extensions may allow a solution to this problem for many users, but if their link local IPs are also published that may lead to further trouble, depending on configuration. Remember though, this leaks all interface IPs, I have many virtual machines installed with their own network adapters added to my system, VPN adapters, etc which also leaks data as all of those adapters will have v6LL IPs on them even if they're not in use.
Additionally, this issue is already actively being used for fingerprinting. Not some exploit of tomorrow. There was a New York Times advertiser caught doing it a few days ago.
> I still think WebRTC enabling peer to peer connections is better than running all of your data through a third party server.
Yeah, which is why I encourage disabling it completely. Until either they fix the privacy issues or the value of using some WebRTC application appears to trump them to you.
IPV6 isn't going anywhere: IPV4 exhaustion is a real concern and with the internet / internet of things growing, the only place to grow is really the IPV6 space. NAT only delayed the inevitable.
Yeah, I know, many OSes do already prefer it by default. I see more pushes for CGN than I do for IPv6 as a solution to IPv4 depletion though, it just seems dead in the water, in my country at least. Maybe your ISPs are better, but no locally available ISP will offer me native v6, it's either real v4 or CGN v4.
>Extremely few people have active IPv6, it seems unlikely to catch on now.
Except that over 20% of the United States has IPv6 connectivity. In fact, you might be using it without knowing (most mobile providers have it now, in fact some use IPv6->IPv4 translation methods) [1].
>Remember though, this leaks all interface IPs
Does it? Maybe you should file a bug so that only routable interfaces and non-LL IPs are used. This does seem like a problem.
> Except that over 20% of the United States has IPv6 connectivity.
The entire rest of the world has near-zero, just look at your own link. I'm in Canada and we have 0.55% here. No local ISP will offer it to me, and the one that did withdrew it completely last year. So perhaps I'm just slighted. There are a few other countries with 5%+ but it still makes up only a very small percentage of internet users. To top it off, while there has been some IPv6 adoption in the US, CGN has also caught on pretty heavily all over the world and seems to be, sadly, the solution most ISPs will actually go with for the near term at least.
> Does it? Maybe you should file a bug so that only routable interfaces and non-LL IPs are used. This does seem like a problem.
https://diafygi.github.io/webrtc-ips/ is able to immediately reveal all the VM interfaces on my system even with no VMs using them. I suspect this is done so that faster routes may be established, but it is indeed a major problem for anyone who doesn't like fingerprinting.
Oh please don't remove pocket, this is one of the awesome feature of Firefox along with Tree Style Tab (and if it was just me I would add Tree Style Tab by default as well)
(And of course I go against the public opinion here on HN, but I wonder how many people did actually use Pocket before trashing it?)
It's debatable but I think something like pocket is fundamental to a 2015 browser experience. The bookmarking system has been bad since its beginnings.
These need to be disabled by default, and the steps you list should be taken by people who want to enable them.
If a masochistic user wants to navigate the labyrinth of dark patterns meant to confuse them into not understanding that the "Additional tools and features" category is also the "completely disabled features that run nothing in the background" category (why would anyone think that, ever?), then they can go ahead and do it. If these things are so great, then I'm sure users would be happy to put that extra work into enabling them. After all, it's 3 simple intuitive steps!
For some reason, I keep having to do that - it doesn't stick. And every version brings more unwanted toolbar buttons I need to remove. I'm seriously considering looking into building a version of Firefox with them patched out altogether.
Just out of curiosity, how will removing Pocket integration and Hello (a thin UI over WebRTC) personally? Both are lazy-loaded, so the only bloat they add is "visual bloat". This behavior is seriously disappointing from the Firefox community.
I've been using Pocket since it was Read It Later and I was pleased to see it integrated into the browser. Mozilla is working on a Reader mode[0] but it does not seem to be ready for public consumption yet (despite landing in 2012). Most people don't even know it exists, and it obviously does not save it for later (unless you bookmark it). The implementation is open-source (MPL license), although Pocket itself is proprietary. Hotword detection is not absolutely necessary for browser functionality, yet I hear no chorus of complaints from Chrome users. Should Mozilla be prohibited from partnering with proprietary third-parties whether or not it benefits their users?
Hello is even less of an argument. Firefox Hello is a simple Javascript UI for the existing WebRTC spec supported by Firefox, Chrome, and Opera[1]. It allows people to communicate without having to set up accounts, sign-in somewhere, and works against the platform lock-in of proprietary services such as Facetime, Hangouts, and Skype. If it's disabled by default, the service becomes useless. My parents shouldn't have to enable it about:config for me to talk to them, nor should they have to download another plugin to use a technology built-in to the browser. I understand the security implications[2] in IP leakage[3], but I don't see a simple fix that doesn't neuter the functionality (although this comes close[4]). W3C has stated their position on fingerprinting[5], but at least Mozilla is actively working on the issue.
I noticed this behavior when I fired up an older Mac I hadn't used in a year or so, it was refreshing that Flash always required click-to-activate, and I made this the setting on all my machines a while back and started suggesting to my friends to.
Some websites' video don't work as well, they have JS or CSS that interfere, or assume that you don't have flash installed, or retaliate as if you are an ad blocker, so I'm glad to see this is becoming more widespread, those problems may be fixed.
Is Shumway a possible replacement for Scratch 2's flash implementation? They seem to think that there are some flash things that just can't be done without flash:
Unimplementable Features on iOS: Image effects for whirl, fisheye,
mosaic, and pixelate. Sound and video input for loudness, video
motion, and touching colors from the video.
The next time this happens can you please disable it entirely?
The things on my site (video, some ads) that use flash will fall back nicely to HTML5 is Flash is disabled, as will most of the web. Click to activate is the worst of both worlds.
That's completely technically meaningless without EOLing NPAPI, and Google's currently the only people brave enough to do that. Firefox's EME implementation is strictly less of a threat to your privacy than the current status quo, by design.
NPAPI has its own privacy and security and stability reasons to meet a swift doom, even independent of the DRM question.
The web has become an application delivery platform, like it or not. While there are arguments against forcing DRM on consumers, for video production workflows and project management, DRM is a necessity. I'm assuming you've worked with private Github repos with access control, right? Same idea.
How are private Github repositories using the same idea? Normal access controls are just implemented at the data source, limiting read (or write) there. DRM is implemented in the hardware of the user so that some programs that the user uses can access the data, but not those programs fully under control of the user.
If you can access a Github repository then you can do so with software fully under your control (and hence make copies of the data as you wish). Did I miss something?
Okay, so maybe not the best analogy. Contact access expiration via git is far more primitive, sure - if you have access today you can clone a private project and have a snapshot of it in that state, once your access rights are revoked you just won't see any further work. Unfortunately, this 'freedom' leads to far more problems than it solves - horrible corporate bureaucracies around where you may or may not check code out to, remote wipe capability, contractor laptops, etc. There are many real-world use cases where, in order to accomplish the completion of a project, you need to provide an external resource with access to sensitive data for a limited amount of time. Think manufacturing, commercial video production, medical data, game development - pretty much anything where you outsource a specific phase of product development to a third party. Without DRM, these workflows are limited to online-only, where assets are streamed and can't be stored locally. This is a dealbreaker when, for example, you need to send part specs to a manufacturer in the middle of China.
>There are many real-world use cases where, in order to accomplish the completion of a project, you need to provide an external resource with access to sensitive data for a limited amount of time.
Well, then there are many real world use case that are not doable in our version of reality, where data can be copied ad infinitum, and where you NEED to show the end user unencrypted data.
A political necessity, certainly not a technical one. The default state of content is open, restricting it should be seen for the positive (read: affirmatively taken) action that it is.
"To prevent these add-ons from running, click Restart Firefox."
Why doesn't the dialog box have that same explanation? Did you (mozilla) think the two button options "Restart Later" and "Restart Firefox" won't confuse people?
I second this! Tree Style Tab is one of the few addons that I cannot live without. Heck, it is one of the reasons why Firefox is my primary browser.
This feature should be made native and the original developer should be rewarded somehow for his efforts.
One slightly annoying thing i found right now is that if i have a plugin set as disabled in about:addons, it will not show up on the update checker found in the top link.
The (unprivileged) Plugin Check website can't detect disabled plugins because they don't show up in navigator.plugins. Ideally, Plugin Check should be an automatic check built into Firefox. The advantage of the Plugin Check website is that it works in any browser.
Couldn't you preserve the nice trait of working in any browser by having the browser load it with a hash-fragment containing a list of disabled plugins to add to navigator.plugins?
I don't know that it's particularly faster than what can/could be accomplished with svg + JavaScript ...
I think most of the speed as a plugin vs native html/svg/js is that you don't have the whole DOM to deal with (including reflows, etc), and that their ActionScript is a much smaller subset of a language than JS in the browser, AS3 changed things a bit though. Today with canvas and an audio api that mostly works, you can get the same.
What I really wish is that Adobe would create Flash-level tooling with outputs for HTML/canvas/js/web-audio and video.
The tooling was amazing. I used to do a ton of Flash development back in the day, and the ability to seamlessly create the UI and backend code is still light years ahead of the cross-browser nightmare of creating HTML5 apps. I think Adobe has tried to achieve the same level of functionality with other tools over the years (Adobe Edge Suite), but it never really made it to the same level as web application development in Flash.
actionscript (the flash programming language) is pretty much the same as javascript, the main reason why flash is often a lot faster than html+js things in a browser is it is not constrained to a slow, broken DOM for building uis.
I think the answer is probably Tamarin[1] which started life as Flash's ActionScript engine and has since been donated to Mozilla. The Flash Player has also had direct GPU support for graphics and video for many years.
So retrofitting arbitrary layouts onto a ~text document specific one is that much an error. In hindsight I find it fantastic how web pages became the basis infrastructure of all this UX reinvention.
For what it's worth, the shumway racing AS3 demo appeared to work but froze all input like closing or switching tabs for me and I had to kill it with task manager. Windows 8.1, Firefox 39.0.
Why isn't Mozilla spending more time to ensure Firefox is using all of the security resources that the OS gives it? Things like ASLR still aren't enabled by default, let alone plugin sandboxing like what exists in Chrome. While Shumway would be nice, having a reliable, secure way to hook into native code would be a lot nicer.
... alternatives like Google's closed-source Chrome, Apple's closed-source and behind-the-times Safari, and Internet Explorer???
Are you trolling? Are you attempting to discredit the anti-Firefox campaign by trying to say that running Internet Explorer is a reasonable alternative for your Macbook, and that a kernel panic from non-kernel software is somehow the software's fault, not the kernel's??
Job done. No more Mozilla annoyances between me and the content I wish to access. And yes, it was an annoyance because the link to "check for updates" in your message would not get me anywhere. That was a flaw in your strategy that I now suspect was deliberate. I really can't respect engineered annoyances that align with agendas rather than good UX.
I like Flash when it's done well. Raw performance and efficiency is one of the things I like about it. The powerful multimedia handling of everything from audio to video cannot be matched by HTML5. I'm an HTML/CSS/JS dev for my living for 20 years, that's how I know this to be true.
HTML5 video is cute. But it doesn't cut the mustard in all circumstances.
360 video, VR, and many other things will come along that are too much for web technologies to handle. Flash serves a useful purpose in allowing websites to cater to the most demanding cutting edge tech and content without needing the Firefoxes and Chromes of the world to keep up.
"closed source"; "battery drain"; "plugins are just bad".... oh cry me a river.
Holy shit. Flash has over 34 CVEs in one week—and only because a prominent organization that was sitting on a bunch of them got hacked—and you call mozilla taking steps to protect the security and integrity of their customers an "engineered annoyance"?
Performance is better than javascript. But then, who here has done a side by side comparison?
A: Built something in Flash
B: Built the exact same thing in JS and measured their performance side by side in the page, and on separate pages.
Even sliding an image - such a simple thing. Make it whoosh to the left. Guess what? Flash will whoosh it quicker and smoother on browsers with Flash installed.
I love JS, it's cool for web stuff and data fetching and sorting for a huge percentage of the internet. I had a great time with it doing multiple AJAX calls and sorting for a single page thing on a heavy traffic media site. Love the whole promises thing for sorting out those pesky asynchronous dinguses. Yep. HTML5 does indeed rock. Really love modern CSS too. Hate grids though but each to their own. I don't say "grids should die".
JS/HTML is not superman. If you want superman on your webpage, you need something more, such as a plugin.
Unity plugin. I might use that next. I really don't want to be fighting people about the value of plugins, even if that value and scope is reduced from what it is a few years ago, it's still there. I want to make games, and what is clear to me after trying an HTML game is that..... it's pretty much a joke. HTML5 games in 2015 are, a joke.
How dare anyone at Firefox or Facebook put forward an EOL for someone else's technology. EOL your own stuff, not someone elses. Bloody rude if you ask me.
"Flash should die because it has equal performance to native iOS apps". That's what I read between the lines in Jobs' letter. I like Steve Jobs, but he was a player. A chess player. We respect chess players, but they won't hesitate to knife you in-game.
If Flash dies, it's the hate that killed it more than any sensible reflection on the technologies we have available and how they can best be used.
If nothing else, hope I've added more comedy for you.
And yet, my system is squeaky clean, and has been for years.
And shock horror, I don't even have a virus protection program installed. I install one ever 12 months or so. Actually I install a few at one time to be thorough. Do a complete scan, and of course it comes up 100% clean, then I uninstall all of them and get on with work.
Continue being paranoid and using up CPU cycles to serve your paranoia while I enjoy a lighting fast workstation. The choice is yours. Choice is good.
When I was student, I didn't buy games. I downloaded them. Got malware and worse even with virus protection. I buy games, since about 2002 I just buy the software I want. No virus/malware issues here.
To be clear, by "blocked" Flash we really mean enforced click-to-activate. User choice is always a #1 priority at Mozilla.
We regularly block vulnerable plugins. What made this block different was that we did it before Adobe made an update available. Now that Adobe has released an update, it is no longer true that every version of Flash Player is blocked in Firefox.
However, we're glad to see the conversation this has sparked. Personally I align with Alex Stamos regarding Flash, in the thinking that a formal EOL would be great.
I'd also like to use this space to make a shameless plug for Shumway, a project set on building a faithful an efficient renderer for the SWF file format without native code assistance. Ending Flash doesn't need to mean an end for Flash media. http://www.areweflashyet.com/shumway/
Edit: typo