Chrome 60: Flash No Longer Permitted to Access Microphone and Camera On Insecure Origins
July 2018 edit: made it more clear that this change applies to the Flash plugin as HTML5 mic/webcam access was already restricted to https and localhost since Chrome 47.
Starting with Chrome 60 microphone and camera access is no longer permitted to the Flash plugin on insecure origins (http).
Initially reported as a potential bug it was confirmed in the 3rd comment by a Chrome developer that this behaviour is expected. It was a deliberate decision to deprecate camera and microphone access on insecure origins.
The closing of a Chromium issue, that was referring to flipping the kRequireSecureOriginsForPepperMediaRequests
to be enabled by default, confirms this. Pepper Flash is the variant of Flash plugin used by Chrome.
According to this article, along with the camera and microphone access, other powerful features have been deprecated on insecure origins: geolocation, device motion/orientation, EME, AppCache and notifications.
HTML5’s getUserMedia()
was already limited to secure origins since Chrome 47 in 2015 (source 1 source 2).
The change was not visible to the majority of users until the release of Chrome 60 on the stable channel on the 25th of July.
In Chrome 60, when Flash tries to access the camera and microphone from insecure origins, a message is shown in Chrome’s developer console:
Microphone and Camera Access No Longer Works On Insecure Origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details.
What Can Be Done
We strongly recommend switching your website, where you have Pipe embeded, to secure origins (https).
localhost is considered secure so webcam/mic access will continue to work when you test locally.