
How did you get that impression?

There is the universal hate for flash because it was used for ads and had shitty security, but anyone I know who actually used AS3 loved it.

At its peak, with flex builder, we also had a full blown UI Editor, where you could just add your own custom elements designed directly with flash ... and then it was all killed because Apple did not dare to open source it, or put serious efforts on their own into improving the technical base of the flash player (that had acquired lots of technical debt).





> There is the universal hate for flash because it was used for ads and had shitty security

That's only one side of it. Flash was the precursor to the indie/mobile gamedev industry we have today (Newgrounds, Miniclip, Armor Games), before smartphones became ubiquitous. Not to mention some rather creative websites, albeit at the cost of accessibility.

Flash's only fault was its creators were gobbled up by Adobe, who left it in the shitter and ignored the complaints people had about its security issues.


It was by design very difficult to secure.

Arguably, so is the web. A long series of extremely complicated and constantly changing data formats that are nightmarishly difficult to parse, which has to be done in C++ for speed reasons, combined with a full scripting language, which has to be JIT compiled for speed reasons, combined with 30 years of legacy and a security model that was completely ad hoc and more discovered than designed (e.g. the different variants of the same origin policy). Take that and add on top a browser community that doesn't philosophically recognize any limits on what the web is meant to do, so it just keeps getting more and more APIs until one day both Mozilla and the Chrome team decided to just stop pretending and build full blown operating systems on top of them.

I don't think Flash was harder to secure than HTML itself. People just gave up trying because browser vendors used security to purge the web of anything they didn't control.


Right, so that was exactly what I was thinking when I wrote that. All three of Flash, PDF, and the browser DOM are expansive, ambitious metaformats, containers for every piece of technology that has ever had a bug.

Your take on why Flash didn't survive is more cynical than mine. I genuinely think Apple threw up their hands at the prospect of attempting to solve a security problem on the same scale as the browser itself (something it took them a long time to get a handle on --- along with everyone else --- even after they put the kibosh on Flash).


My memory of this time is getting a bit fuzzy tbh, but from what I remember Google in the first part of the 2010s put Flash inside their renderer sandbox and Safari/Firefox were still lagging on browser sandboxing at that time. I think Adobe had shared the plugin code with Google to make this possible.

There are certainly obvious issues with securing a third party codebase you don't control, and it's likely that the browser makers had more budget to spend on security than Adobe. But there was no technical reason Flash couldn't have been treated as an alternative rendering engine from a sandboxing perspective, and I think Chrome did it. Pepper was an initiative to generalize that. Blink is full of holes as other comments point out and it's only the kernel sandboxing that makes adding new features viable at all.

I'm cynical because when the browser makers talked about phasing out plugins it wasn't primarily security they talked about. This blog post talks about speed and energy usage first:

https://blog.google/products-and-platforms/products/chrome/s...

The same language can be found in the announcement of their HTML5 by default strategy here:

https://groups.google.com/a/chromium.org/g/chromium-dev/c/0w...

"While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption."

Security isn't mentioned, perhaps because trying to argue that their own pile of C++ was somehow meaningfully more robust than Adobe's big pile of C++ wasn't going to be convincing.

Their writings about this were also very heavy on "open web" ideology, although the SWF format was documented by that point and openness doesn't go well with deliberately wiping out a tech that was voluntarily deployed by 80%+ of websites. If openness means anything it means open to extension, which plugins provided and forcing everyone to use HTML5 did not. When they deprecated NPAPI they even sort of admitted to this:

https://blog.chromium.org/2013/09/saying-goodbye-to-our-old-...

"The Netscape Plug-in API (NPAPI) ushered in an early era of web innovation by offering the first standard mechanism to extend the browser. In fact, many modern web platform features—including video and audio support—first saw mainstream deployment through NPAPI-based plug-ins. But the web has evolved. Today’s browsers are speedier, safer, and more capable than their ancestors."

I always found this blog post curiously worded. It has a Fukuyama-style "end of history" vibe to it. Yes plugins boosted innovation because the web platform always lagged years behind, but now the web has "evolved" and the innovation era isn't needed anymore.


This deserves a better response than I can give. All of this makes sense! I'm just aware of the contemporaneous takes on how hard the Flash security problem was.

You mean intentionally?

I think they just had the focus on features and speed and fps. Not security nor efficiency (battery life).


Not intentionally, but it's one of a couple 90s designs (PDF is another one) that turned out to be goliath security problems just architecturally.

> ... and then it was all killed because Apple did not dare to open source it, or put serious efforts on their own into improving the technical base of the flash player (that had acquired lots of technical debt).

IIRC, they couldn't open source Flash due to its use of a number of 3rd party C/C++ libraries that were proprietary.

Adobe's license with these 3rd parties permitted binary-only distribution so it would have meant renegotiating a fresh license (and paying out $$$) for an EOL codebase that had enormous technical debt, as you also acknowledge in your last sentence.


> and then it was all killed because Apple did not dare to open source it

Did you or, more likely, your phone mistype Adobe? I don’t think Apple ever had the rights to the source or even the source, did they?


Yes, Adobe of course.

It was also leaking memory, which made it very unsuitable for anything long running (like long-running screen displays, ask me how I know).

This is a misconception. AS3 actually had great garbage collection, and solidly written AS3 code did not leak.

Flex player leaked memory like a sieve. After one day or so it would hang the computer. Maybe it was wrongly written, but leak it did. I have experienced it first hand.

Maybe it was the standalone flex player instead of the web Flash player?


I don't know about a standalone Flex player, I don't think such a thing existed. Maybe you mean standalone Flash player. I didn't use Flex components. I coded in pure AS3. I had critical business code that ran nonstop for years on end in AIR on dozens of deployments without memory leaks. Again, I think that badly written AS3 code (or bad components) could definitely take down a player fairly quickly. Garbage collection required you to track and clean up weak references, but it's the same thing in Javascript. You had to know the lifecycle of your components and what you were doing.

It is possible I was holding it wrong. I do not doubt your experience, but it was very easy to write things that leaked memory in Flash, and it was impossible to remove those leaks sometimes. I was part of a project where a lot of effort went into removing references etc and it was still not working. We had to have 2 instances restarting each other. It was a mess. Maybe we can agree those were "bad components".

I blame the runtime. The quality of the code was good. It was not normal.

A few sources of people complaining about the same, some from hn with the same solution I had to adopt, some from CVE, some from users:

- https://community.adobe.com/questions-638/flash-player-23-24...

- https://advisories.checkpoint.com/defense/advisories/public/...

- https://news.ycombinator.com/item?id=45813026

> The memory leaks were so bad that Adobe advised us to just restart the app periodically

- https://blog.gskinner.com/archives/2005/10/major_flash_pla.h...

- https://support.mozilla.org/bm/questions/931671


My memory is a bit fuzzy, do not remember flex player, did you mean AIR?

(Flash for desktop, with file access)


That was what I meant indeed.

I'm in a terrible situation right now where I promised a client a fairly simple web-based game, to be delivered in pixijs. Pixi is great for what it does, and as an old time Flash game coder, I find it mostly does enough for procedural stuff, although it's got its share of quirks, gotchas, bugs and memory leaks. What I didn't think about was how to get prefab vector animations into this game - not sprite sheets, but cut scenes that I wanted to be essentially animated SVGs. So I started to go the Adobe Animate route and found to my horror that it's basically Flash stripped of all its useful tools and riddled with bugs; there's no good way to import those animations as vectors or even as bitmaps into Pixi. Animate's exporter still runs on EaselJS code from 2015 and just spits out badly formed json files that misrepresent the tweens. Worse still, it can't even pack textures correctly or consistently. It appears to size them at random based on what size they are in some random frame. And it crashes anytime it tries to pack a texture large enough to be useful. It's not an understatement to say that Flash 7 or 8, in the early 2000s, was far more advanced and powerful.

So what would have taken a day or two back when Flash was available is now taking a week of hand-writing tweens and animations in raw Typescript, one layer at a time.

Since I happened to write the first canvas-based interactive screen graph code that Grant Skinner partially ripped off to create EaselJS, and since I'm sure he's making a fine living from Adobe licensing it, it's especially galling that I'm still paying for a CC license and this is what I get when I want to use a GUI to make some animations to drop into a game.

It's the first time I've done a 2D game since 2017, and I had over a decade of experience building games in Flash/AIR before that. It's just mind-blowing how stupid and regressed Adobe's tooling has become in the past few years, and how much harder it is to do simple things that we took for granted in the heyday of Flash authoring. There really is still no equivalent workflow or even anything close. I guess that post-Flash, there aren't enough people making this kind of web game content for there to be a solid route without using Unity or something.


I also worked on a number of Flash projects in its heyday. I agree that there aren’t really any close equivalents to its feature set today, but there are some tools like Rive and Lottie that I’d consider modern day reimaginings for many multimedia workflows.

Yes, I know what you mean. I gave up on Adobe Animate.

Pixi is great for anything that is a texture, then it is really fast. Otherwise it is not a flash replacement.

I do not use it for vector animations, but spritesheets or a webm video overlay is what I would use in your case.


Yeah, I really didn't want to use video. The vectors are around 64kb per cut scene. I don't want to create several Mb worth of mp4s for each one.

Did you give it a try? If the scenes are quite short, I found webm to have a reasonably small size.

But... it bothers me as well, of course, having a full video of raster graphics for what could be just some vector and animation data.


I haven't tried with webm. But they need to play full screen on desktop and also stream well on mobile.

I might try Spine, I've heard some positive things. They'll still end up as textures in pixi but maybe at least they can pack well.


Adobe, not Apple.


