If you disable Flash on Microsoft Edge, Microsoft ignores your setting — but only for Facebook’s domains. It sounds too conspiratorial to be true, but a number of generally reliable websites confirm it.
Bleeping Computer: “Microsoft’s Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy to autorun Flash content without having to ask for user consent.”
ZDNet: “Microsoft’s Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users’ backs. The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.”
A dangerous deception
Flash is obsolete technology. Adobe, which owns Flash, has said so itself. Security flaws keep popping up in the ancient codebase. It’s especially risky on sites which allow third-party content, such as Facebook. Huge numbers of people (including me) have disabled Flash in their browsers, with good reason. But Microsoft has decided to deceive and endanger users.
Edge, according to ZDNet, whitelisted 58 domains and subdomains until very recently. A Google security engineer discovered the secret whitelisting and determined that it exposed users to cross-site scripting exploits. Microsoft dropped most of the whitelist but, for unknown reasons, decided that exposing Facebook users to risk without their consent is OK.
The article speculates that it’s to allow Facebook’s legacy Flash games to work. This doesn’t sound plausible. Why not just let users whitelist Facebook if they want those games and are willing to take the risk? It’s more plausible that supporting Flash ads is the real reason.
The old list, according to Bleeping Computer, included domains like dilidili.wang, totaljerkface.com, and stupidvideos.com. As Dave Barry would say, I’m not making this up.
This tactic puts a huge dent in Microsoft’s credibility. If they’re willing to deceive you about a “No flash” setting, why should you believe them when they say they won’t hand over your personal data? At the very least, it’s a good reason to stop using Edge and switch to some other browser.