by marshray 4995 days ago
When we data security advocates discuss things like promiscuous trust among SSL certificate authorities and one-click scary page bypass features with browser vendors, inevitably the old adage comes up "no vendor is willing to lose market share by making its security policies more restrictive than the others".

Perhaps this is a test case trying to break out of the old status quo?

Disclaimer: I recently accepted a position at the big M itself.

2 comments

Apple broke that status quo by not allowing Flash on iDevices at all. They had the advantage of the Steve/Apple "the people like it because we say they should and they think we are cool" super-power though, which MS do not currently possess, and they had both the performance (much Flash code is badly written and would devour battery life) and UI (much Flash code that is out there won't work well on a touch-screen interface) caveats, which are easier for the user-on-the-street (at least those I've talked to) to get their head around than security & stability problems.

This is, though, the first test of kicking Flash in the teeth in a less restricted environment than the iDevice ecosystem, so it is still a brave move to be the first to do so (time will tell whether it is a brave move in the Yes Minister use of the word "brave"!).

One key fact that will help is that there is a growing perception amongst people who don't even know what Flash is that Flash is an outdated technology, mainly because of the iDevice thing (if your site/app won't run on my iPad because of this "flash" thing, your flash thing is wrong not my shiny shiny). This will help MS and other browser makers as it reduces the uphill struggle convincing people that losing the feature is not too much to pay for the potential security and stability benefits.

Of course the other key factor will be what sites are on the whitelist and how they address not being if they aren't (do they change tech, do they follow whatever procedure is needed to get on the whitelist, or do they just tell their users "IE10 doesn't work here"?). I can name many video sites that MS won't want to be seen to support and won't want to make changes or pay for certification (or whatever is needed) in order to get on the whitelist. A great many people use those sites regularly while pretending they don't know they exist - if those sites don't move to HTML5-video (with the problems that still exist there) or somehow get on the whitelist those people might find some reason to switch to Chrome/Firefox/other (or stick with IE9) rather than upgrade to IE10.

But the iOS devices were something of a new market. Was there an established precedent for Flash on mobile at the time?

So banning plugins (including Flash) on a desktop OS browser seems like a significant new move.

Flash on handsets wasn't the norm at the time, no.

But Apple advertised the iDevices using the phrase "the whole Internet", which to many very much includes Flash.

The iPhone/iPad web browsers already don't support Flash, so dropping Flash support isn't entirely a new thing. I for one am looking forward to its death on more platforms.

Hmm. Reading the linked MS document, it sounds more like they're desupporting plugins more for user experience consistency reasons than security or anything else.