2019-02-21

MICROSOFT'S PANTS web browser has been uncovered as hosting a secret whitelist file, allowing Facebook to be even more Facebookish than usual.

The… ahem… 'feature' allows Facebook to serve up Flash content without the click-to-play default of other websites.

Regular readers to this site, anyone who has owned a computer and indeed anyone with oxygen in their lungs will recognise what a stupendously dumb move this is, at a time when the rest of the world is trying to rid itself of Flash content as quickly as possible.

Researchers from Google's Project Zero team had already found that the whitelisting system was itself fatally flawed, resulting in Microsoft cutting the number of entries on it from 58 to just two.

The report describes how "An XSS vulnerability on any of the domains would allow bypassing click2play policy", which would let Flash run on any other website, including ones that may carry a malicious payload.

This month, Microsoft added a rule that enforces HTTPS encryption, and removed whitelist privileges from the vast majority of sites, including Deezer and Yahoo but also some really random ones, such as a Spanish hair salon.
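To make the two points above concrete, here is a small model of how an origin-keyed click-to-play exemption behaves, written as an added example for this article (it is not Edge's code and not taken from the Project Zero report). The allowlist origins are constructed placeholders, and the policy logic is a simplified assumption: the browser decides on the top-level page origin only, so any page under a whitelisted origin, whatever content ends up on it, gets the exemption; the `enforce_https` step mirrors the HTTPS-only rule and shows how pruning the list shrinks the exempt surface.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist (hypothetical origins, not Edge's real list).
ALLOWLIST = [
    "http://example-music.test",
    "https://example-portal.test",
    "http://example-salon.test",
    "https://example-social.test",
]


def page_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; path, query and fragment are dropped."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def exempt_origins(allowlist, require_https: bool = True) -> set:
    """Origins that escape click-to-play under the given policy (assumed model)."""
    origins = {page_origin(entry) for entry in allowlist}
    if require_https:
        origins = {o for o in origins if o.startswith("https://")}
    return origins


def click_to_play_required(page_url: str, allowlist, require_https: bool = True) -> bool:
    """True if Flash on this page must wait for a user click.

    The decision is made on the top-level page origin only. That is the
    weakness the report describes: the policy cannot tell whether a Flash
    object on a whitelisted origin was placed there by the site or injected
    through a flaw on that origin, so every page under the origin is exempt.
    """
    return page_origin(page_url) not in exempt_origins(allowlist, require_https)


def audit_allowlist(allowlist):
    """Entries an HTTPS-only rule would throw out (plain-http origins)."""
    return [entry for entry in allowlist if page_origin(entry).startswith("http://")]


def enforce_https(allowlist):
    """Apply the HTTPS-only rule, keeping only https:// entries."""
    rejected = set(audit_allowlist(allowlist))
    return [entry for entry in allowlist if entry not in rejected]


if __name__ == "__main__":
    # Same verdict for every path under a whitelisted origin: that is the exposure.
    for url in ("https://example-social.test/feed", "https://example-social.test/any/path"):
        print(url, "click-to-play required:", click_to_play_required(url, ALLOWLIST))
    print("entries failing HTTPS rule:", audit_allowlist(ALLOWLIST))
    print("exempt origins after pruning:", sorted(exempt_origins(enforce_https(ALLOWLIST))))
```

The check worth keeping from this is `audit_allowlist`: an exemption list is only as safe as its weakest origin, so reviewing it for plain-http entries and for origins nobody can justify is the defensive habit the article's 58-to-2 cut illustrates.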

Have a guess who the two remaining ones belong to? (Clue: It starts with 'F' and ends in tears).

Adobe-owned Flash has been crappy-plugin-non-grata for some time, with plans to completely kill it off by the end of next year. Most browsers already block Flash content by default, but it seems that Microsoft didn't get the memo. Or possibly didn't read the memo. Or know about the memo.

As you might expect, Microsoft hasn't said which one it is yet and Facebook hasn't explained why it needs special treatment for something that is inherently making the interweb more dangerous.

Fortunately, nobody uses Edge anyway, and when Edge is rewritten on Chromium later this year, it's unlikely that the Chromium community will stand for this kind of nonsense.