How to use Chrome for k12.com OLS

You are here: Duckware » Technology Blog » Using Chrome for k12.com OLS

How to use Chrome for k12.com OLS
The real problem is that k12.com uses 'nefarious' cross-origin Flash plugin content
duckware.com/k12flash -- August 26, 2017 -- Version 1.2a -- Updated Aug 28

Executive Summary: K12.com uses cross-domain Flash plugins in a manner that Chrome considers 'nefarious' behavior -- and as such, Chrome blocks Flash on k12.com. K12.com improperly blames Chrome for not fully supporting Flash (see popup below). Instead, there are numerous very easy ways for k12.com to fix this problem, disclosed below. So the real question is, why is k12.com not immediately fixing this problem -- and instead doing nothing, blaming Chrome, and stating on a Chrome bug website that K12 ChromeOS customers will be "SOL"?
It should take K12 less than one day to implement a workaround that would allow Chrome to once again work!

Your problem: Chrome no longer works to access k12.com OLS (online school).

K12 blames Chrome: When I sign into OLS, k12.com claims that Chrome no longer "fully supports" Adobe Flash in a popup (seen below). But is that the whole truth?

Background: Flash (a proprietary web browser plugin) that k12.com uses, is being intentionally killed off by Adobe, the creator of Flash (with help from the web browser companies) and being replaced by HTML5, an open standard -- because Flash is, plain and simple, NOT SECURE (Flash is a key way that viruses infect your computer)!

So this transition to 'no flash' is hitting some companies (who have not properly planned) really hard, like k12.com, who have done nothing so far to eliminate their use of flash.

cross-origin: A web page from one domain accessing/displaying a plugin from a different domain

The whole truth: The whole truth is that K12 is using Flash in a way that looks nefarious (cross-origin flash content and "hidden" flash content -- the technique malware uses to spread so fast), and because of this, Chrome intentionally blocks that use of Flash for your safety! This blocking of 'nefarious' flash content is something that k12.com knew about for YEARS, and clearly did nothing to fix the problem:

Chrome Flash Roadmap
Firefox Flash Roadmap

2015/06/04: Flash content is now click-to-play with Chrome 42
2015/08/27: Chrome starts automatically pausing less important Flash content
2015/11/30: Adobe tells developers: 'stop using Flash; move to HTML5'
2016/05/09: Intent to implement: HTML5 by Default
2016/05/16: Google is officially killing Flash in Chrome this year
2016/05/25: Intent to implement: Remove plugin exception for tiny content
2016/07/20: Reducing Adobe Flash Usage in Firefox
2016/08/09: Google announces Chrome 53 will begin to block behind the scenses Flash
2017/06/14: Chrome: Don't load tiny cross-origin plugin content
2017/07/25: Adobe announces 2020 as the end-of-life date for flash
2017/07/25: Firefox Roadmap for Flash End-of-Life

A FIX -- How to use Chrome for k12.com: If you really want to use Chrome for k12.com, you can (but see warning below) -- but this means enabling nefarious Flash behavior within Chrome for ALL web sites that you allow to use Flash:

Visit the "chrome://settings/content/flash" URL. Turn both "Allow sites to run Flash" and "Ask first" ON
Visit the "chrome://flags/#run-all-flash-in-allow-mode" URL. Change setting to "Enabled"

WARNING: This 'flags' workaround will soon be phased out in Chrome 61 (on Sep 5), but it proves that the problem is with k12 (for using nefarious Flash content), not Chrome.

UPDATE: Chrome added a 'RunAllFlashInAllowMode' policy into Chrome 63.0.3227.0, but this setting will only benefit enterprises with computers that sign into a Windows domain.

What Chrome deems nefarious: "any cross-origin plugin content smaller than 400px in width or 300px in height" -- So, small cross-origin Flash (exactly what k12.com does) is the problem.

An EASY short-term solution: There is another CRAZY EASY short term workaround that allows K12 to maintain cross-domain plugins (so almost nothing changes in the K12 infrastructure). The workaround is a very tiny piece of code added into web pages that causes the cross-origin plugins to actually run in Chrome!

K12 just needs to engage my services for this solution. I already have working proof of concept code (a cross origin plugin that failed in Chrome, but now works), and have even tested against k12's login landing page (and got the cross domain Flash there to run).

Another short-term solution: k12.com must immediately change how it uses Flash so that it no longer looks 'nefarious' to Chrome. So, either (1) immediately stop using cross origin flash (EASY - switch to a single-origin), or (2) make sure that all cross origin flash content is larger than 400×300

OLS uses/is lrnx.k12.com, but Flash content comes from static.k12.com, which is another different domain (origin). That is the entire problem.

k12.com must fix OLS now so that all web and Flash content is single-origin (and not ultra tiny content, which is still blocked)! This will buy k12.com years of time to implement a long-term solution.

The long-term solution: k12.com must drop Flash immediately and move to HTML5. k12.com has already had YEARS to plan for this well known and well publicized Flash phase out -- but so far has failed to take any action.

K12 screwed up -- and admits some users are now 'SOL': K12 is quite simply way behind the times! k12.com still uses Flash, and apparently planned on using Flash for another TWO years (into 2019)! K12 should have switched over to true HTML5 YEARS ago, but did not! The blame for 'not keeping up with technology' falls squarely with K12's Chief Technology Officer.

"... We have a legacy application that we are planning to completely replace over the next two years that still uses "hidden" flash objects as part of it's (sic) infrastructure ... For our customers on desktops we can just send them to [Firefox] for now - but without an ability to enable this flag our ChromeOS customers are going to be SOL" -- bken...@k12.com, 2017/08/16 Source

Take Action: Contact K12 Customer Support (866-512-2273), and tell them: "K12 no longer works with Chrome because K12 uses cross-origin Flash deemed nefarious by Chrome. K12 can EASILY fix this problem by making their Flash usage single-origin". And point K12 to this web page (duckware.com/k12flash)!