How to use Chrome for k12.com OLS|
The real problem is that k12.com uses 'nefarious' cross-origin Flash plugin content
duckware.com/k12flash -- August 26, 2017 -- Version 1.2a -- Updated Aug 28
Executive Summary: K12.com uses cross-domain Flash plugins in a manner that Chrome considers
'nefarious' behavior -- and as such, Chrome blocks Flash on k12.com. K12.com
improperly blames Chrome for not fully supporting Flash (see popup below). Instead, there are numerous very easy ways
for k12.com to fix this problem, disclosed below. So the real question is, why is k12.com not immediately
fixing this problem -- and instead doing nothing, blaming Chrome, and stating on a Chrome bug website that
K12 ChromeOS customers will be "SOL"?
It should take K12 less than one day to implement a workaround that would allow Chrome to once again work!
Your problem: Chrome no longer works to access k12.com OLS (online school).
K12 blames Chrome: When I sign into OLS, k12.com claims that Chrome no longer
"fully supports" Adobe Flash in a popup (seen below). But is that the whole truth?
Background: Flash (a proprietary web browser plugin) that k12.com uses, is being intentionally
killed off by Adobe, the creator of Flash
(with help from the web browser companies) and being replaced by HTML5, an open standard -- because Flash is,
plain and simple, NOT SECURE (Flash is a key way that viruses infect your computer)!
So this transition to 'no flash' is hitting some companies (who have not properly planned) really hard,
like k12.com, who have done nothing so far to eliminate their use of flash.
The whole truth: The whole truth is that K12 is using Flash in a way that looks nefarious
(cross-origin flash content and "hidden" flash content -- the technique malware uses to spread so fast),
and because of this, Chrome intentionally blocks that use of Flash for your safety! This blocking of
'nefarious' flash content is something that k12.com knew about for YEARS, and clearly
did nothing to fix the problem:
cross-origin: A web page from one domain accessing/displaying a plugin from a different domain
Chrome Flash Roadmap
Firefox Flash Roadmap
2015/06/04: Flash content is now click-to-play with Chrome 42
A FIX -- How to use Chrome for k12.com: If you really want to use Chrome for k12.com, you can (but see warning below) -- but this
means enabling nefarious Flash behavior within Chrome for ALL web sites that you allow to use Flash:
2015/08/27: Chrome starts automatically pausing less important Flash content
2015/11/30: Adobe tells developers: 'stop using Flash; move to HTML5'
2016/05/09: Intent to implement: HTML5 by Default
2016/05/16: Google is officially killing Flash in Chrome this year
2016/05/25: Intent to implement: Remove plugin exception for tiny content
2016/07/20: Reducing Adobe Flash Usage in Firefox
2016/08/09: Google announces Chrome 53 will begin to block behind the scenses Flash
2017/06/14: Chrome: Don't load tiny cross-origin plugin content
2017/07/25: Adobe announces 2020 as the end-of-life date for flash
2017/07/25: Firefox Roadmap for Flash End-of-Life
- Visit the "chrome://settings/content/flash" URL. Turn both "Allow sites to run Flash" and "Ask first" ON
- Visit the "chrome://flags/#run-all-flash-in-allow-mode" URL. Change setting to "Enabled"
What Chrome deems nefarious: "any cross-origin plugin content smaller than 400px in width
or 300px in height" -- So, small cross-origin Flash (exactly what k12.com does) is the problem.
WARNING: This 'flags' workaround will soon be phased out in Chrome 61 (on Sep 5), but it
proves that the problem is with k12 (for using nefarious Flash content), not Chrome.
UPDATE: Chrome added a 'RunAllFlashInAllowMode' policy into Chrome
63.0.3227.0, but this setting will only benefit enterprises with computers that sign into a
An EASY short-term solution:
There is another CRAZY EASY short term workaround that allows K12 to maintain
cross-domain plugins (so almost nothing changes in the K12 infrastructure). The
workaround is a very tiny piece of code added into web pages that causes the cross-origin
plugins to actually run in Chrome!
K12 just needs to engage my services for this solution. I already have working
proof of concept code (a cross origin plugin that failed in Chrome, but now works),
and have even tested against k12's login landing page (and got the cross domain Flash
there to run).
Another short-term solution: k12.com must immediately change how it uses Flash
so that it no longer looks 'nefarious' to Chrome. So, either
(1) immediately stop using cross origin flash (EASY - switch to a single-origin), or
(2) make sure that all cross origin flash content is larger than 400×300
OLS uses/is lrnx.k12.com, but Flash content comes from static.k12.com,
which is another different domain (origin). That is the entire problem.
The long-term solution: k12.com must drop Flash immediately and move to HTML5.
k12.com has already had YEARS to plan for this well known and well publicized Flash
phase out -- but so far has failed to take any action.
k12.com must fix OLS now so that all web and Flash content is single-origin (and not
ultra tiny content, which is still blocked)! This will buy k12.com years of time
to implement a long-term solution.
K12 screwed up -- and admits some users are now 'SOL':
K12 is quite simply way behind the times! k12.com still uses Flash, and apparently planned on
using Flash for another TWO years (into 2019)! K12 should have switched over to true HTML5
YEARS ago, but did not!
The blame for 'not keeping up with technology' falls squarely with K12's
Chief Technology Officer.
Take Action: Contact K12 Customer Support
(866-512-2273), and tell them: "K12 no longer works with Chrome because K12 uses cross-origin
Flash deemed nefarious by Chrome. K12 can EASILY fix this problem by making their Flash usage
single-origin". And point K12 to this web page (duckware.com/k12flash)!
"... We have a legacy application that we are planning to completely replace over the next
two years that still uses "hidden" flash objects as part of
it's (sic) infrastructure ... For our
customers on desktops we can just send them to [Firefox] for now - but without an ability to enable
this flag our ChromeOS customers are going to be SOL" -- bken...@k12.com, 2017/08/16
Copyright © 2017 Duckware