Hacker News

Flash was a bigger privacy hole than HTML5 canvas. I think we need to mandate browsers that block those APIs by default and only enable them via permission. <canvas> is often used in fingerprinting. So blocking its introspection APIs would already benefit us.


Flash was basically a remote shell with some animation tools on top. The Windows malware hell of the early 2000s, with random websites (even a banner ad on the New York Times once) doing drive-by-installs of early ransomware. (Thankfully, cryptolocker ones hadn't started yet...) And if you were a Windows escapee, the Flash experience was absolute trash on OS X and Linux.

It also became clear that the source code was borderline unmaintainable and/or Adobe lost everyone who knew or cared about it after they bought Macromedia.


That sounds like a big deal until you realize that nothing was private back then.

Most internet traffic wasn't even over SSL. It wasn't enforced until 2018!

No CORS (first standardized in 2014), no cross-site protection (first standardized in 2012).

Everything was the Wild West.

Flash was fine and could have adopted the same mechanisms.

If Adobe (or the earlier owners) had open sourced the player and the format standard, they could have won and had the best authoring tool for the format.

To this day, Flash is the only downloadable binary bundle format that can still run on your PC after being downloaded. You can't download an SVG animation. It's a bundle of brittle web tech slop.


> No CORS (first standardized in 2014), no cross-site protection (first standardized in 2012).

This is not correct. CORS doesn’t protect anything, it removes security barriers. The same-origin policy that stops cross-site requests goes back to the 90s, it’s been in there about as long as JavaScript.
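
The distinction drawn in the comment above, as an added example that is not part of the thread: a simplified JavaScript model of how a browser decides whether page script may read a response. The function name `canReadResponse` and the `*.example` hosts are hypothetical, and preflight and method checks are left out.

```javascript
// Added illustration, not a full Fetch-spec implementation.
// Baseline is the same-origin policy (deny cross-origin reads);
// CORS response headers can only relax that baseline, never tighten it.
function canReadResponse(pageUrl, targetUrl, responseHeaders = {}, withCredentials = false) {
  // An origin is scheme + host + port; URL.origin normalises default ports.
  const pageOrigin = new URL(pageUrl).origin;
  if (pageOrigin === new URL(targetUrl).origin) {
    return { readable: true, reason: 'same-origin' };
  }

  // Header names are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];

  // No opt-in from the server: the same-origin policy blocks the read.
  if (allowOrigin === undefined) {
    return { readable: false, reason: 'blocked by same-origin policy' };
  }
  // Credentialed requests need an exact origin and an explicit allow flag.
  if (withCredentials) {
    if (allowOrigin === '*') {
      return { readable: false, reason: 'wildcard not valid with credentials' };
    }
    if (h['access-control-allow-credentials'] !== 'true') {
      return { readable: false, reason: 'credentials not allowed by server' };
    }
  }
  if (allowOrigin === '*' || allowOrigin === pageOrigin) {
    return { readable: true, reason: 'relaxed by CORS opt-in' };
  }
  return { readable: false, reason: 'origin not on server allow-list' };
}

// Constructed sample cases (hosts are placeholders).
const page = 'https://app.example/index.html';
const cases = [
  ['https://app.example/data.json', {}, false],
  ['https://api.example/data.json', {}, false],
  ['https://api.example/data.json', { 'Access-Control-Allow-Origin': '*' }, false],
  ['https://api.example/data.json', { 'Access-Control-Allow-Origin': '*' }, true],
  ['https://app.example:8443/data.json', {}, false],
];
for (const [url, headers, creds] of cases) {
  console.log(url, creds ? '(credentialed)' : '', canReadResponse(page, url, headers, creds).reason);
}
```
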



