6

My cable was on the fritz this weekend and I had to visit a friend to watch HBO online. Something weird happened that has been bothering me.

I have disabled the Flash plugin on Chrome, since all websites that I use support HTML5 video playback.

Every other website that requires Flash redirects me to the Flash download page. However, somehow, the HBO website actually redirected me to the chrome://plugins page, which meant that it could detect that I had manually disabled the Flash plugin. Unfortunately, I have no access to the credentials to dig into the JS now.

I found this post on SO. However none of the solutions there (including the accepted one) can distinguish between not installed and disabled.

Does anyone know how JS can detect whether a Chrome plugin is installed, disabled or active? Shouldn't this be completely sandboxed? HBO can already detect incognito browsing, I wonder what the cumulative security impact is of the browser leaking all this info.

EDIT: Adding image: enter image description here

After looking through the JS I cannot find any mention of this type of validation. Maybe it is something that Chrome does, and I'm needlessly worried?

Community
  • 1
Jedi
  • 3,906
  • 2
  • 24
  • 42
  • Very interesting question. Not sure it is on topic, sort of on the edge. Perhaps you could rephrase it to also ask if there is any security implications of your browser giving up this information? – Anders Jun 22 '16 at 06:11
  • I can venture a guess, this concept should work subject to some sensible timings/etc. If flash is detected as installed, load the flash object. The flash object contains some action script which is supposed to dial home to some url with `?flashactive=1` within the first 5 seconds of being loaded which sets a flag in your current session. The page then does an ajax call after 10 seconds to check if the session flag has been set. Redirect if false. – wireghoul Jun 22 '16 at 07:00
  • Isn't it the fact that chrome has flash, the site detected chrome so it sent you to the settings page to enable it? – Dr_Bunsen Sep 18 '17 at 11:50
  • i think if you were in charge of the flash application you could check it. So the flash Application would set some indicator (cookie, etc.) and a Javascript validate it. But otherwise... i don't think you can check it – Serverfrog Nov 17 '17 at 10:50
  • Though the larger question still stands, it turns out that this particular window was a Chrome built-in if a website tried to load Flash content. Of course, [chrome://plugins no longer exists](https://superuser.com/questions/1188795/how-can-i-reach-chrome-plugins-in-chrome-57-or-newer) – Jedi Nov 18 '17 at 01:43

1 Answers1

2

I have banged my head in the wall for awhile with the same question and failed to find a reliable answer in SO or elsewhere. There are ways to tell if a third-party plugin (like an add blocker) is limiting your flash, but in the case of flash being disabled by the user (or default browser setting), I suppose it is too much of a security breach to give this info away.

I looked at the Adobe flash-testing page and saw how they seem to be doing it - hope it brings some clarity: They check the client's browser and OS versions and make an assumption based on this data whether flash is disabled, or not installed at all. If you want - inspect their page and look at polarbear_browserdetect.js and swfobject_util.js.

Anders
  • 64,406
  • 24
  • 178
  • 215
Brevering
  • 21
  • 2