Opting-in to plugins in Firefox

11 April, 2012 § 84 Comments

Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web. So much so, that over 99% of internet users have Flash installed on their browser. However, plugins can also carry with them extra vulnerabilities and system slowdowns.

A couple days ago I landed an initial implementation of “click-to-play plugins” in desktop Firefox. To see and play with the feature, download a Nightly build of Firefox, go to about:config, and enable the plugins.click_to_play flag.

When plugins.click_to_play is enabled, plugins will require an extra click to activate and start “playing” content. This is an incremental step towards securing our users, reducing memory usage, and opening up the web.

I’m currently working on implementing the ability for plugin activation settings to be remembered on a per-site basis. I hope to get these changes landed within the next week before the deadline for Firefox 14.

If you are curious and want to learn more about our plans for opt-in activation of plugins, you can take a look at the feature page on our wiki.

Tagged: , , , , ,

§ 84 Responses to Opting-in to plugins in Firefox

  • [...] opción plugins.click_to_play en la pestaña about:config. Vía | Ars Technica Más información | Jaws Fuente: [...]

  • [...] Idee hinter dem geplanten Firefox-Feature click-to-play ist ebenso simple, wie [...]

  • [...] to prevent these attacks. As we work on securing Firefox and protecting our users, I implemented click-to-play plugins for Firefox. This feature is accessible through an about:config flag, plugins.click_to_play, which when enabled [...]

  • Hello,

    I love this feature, and I have two questions:

    1. Is it possible to whitelist a domain/subdomain? i.e. “I want flash to be enabled on *.bandcamp.com and *.soundcloud.com”
    2. Where is the always-enable list stored? How can I edit it? i.e. “I have set a site to always enable plugins a site, but want to revoke that”

    Thank you for your great work!

    • msujaws says:

      Thanks! To answer your questions:

      1. Yes, you can whitelist domains, but it is only as you visit them. See http://msujaws.wordpress.com/2012/04/20/site-specific-permissions-for-firefox-opt-in-plugins/ for more information about how to do so.
      2. The always-enable list is stored with the other permissions in Firefox. You can see all of them on one page by going to about:permissions. If you are visiting a site and want to see what permissions you have granted for that site you can right click on the page and go to Page Info -> Permissions tab. Both places allow you to revoke those permissions.

    • Hello again.

      Sorry, but regarding my point 1. I still don’t understand how I can whitelist whole domains, even after reading your second blog post. I don’t want to have to allow each bandcamp site I visit, I want to allow plugin usage on *.bandcamp.com sites. Is that possible?

    • msujaws says:

      I’m sorry I didn’t notice the wildcard subdomain in your previous question. Unfortunately I don’t think we’ve implemented something like that. Sites use subdomains for increased security between users pages since they can restrict cookies to the subdomain, and our permissions requiring same-subdomains is probably related to the extra security that sites implicitly request when they do this.

    • No problem :)

      That’s my understanding too. Since you’re way more familiar with the context than I am, do you think a feature request has any chance, or is it dead in the water? If you feel I could make the suggestion, where should I post it?

      Thanks again!

    • msujaws says:

      Yes, I think it is something that we should look in to. Can you file a bug on bugzilla.mozilla.org for this? Reply here with the bug number and I’ll make sure that it finds the right people.

    • Sure, here you are, with the rationale and a mockup. Hope that’ll spark some discussion.
      https://bugzilla.mozilla.org/show_bug.cgi?id=761840

  • [...] 注1:默认的始终的搜索方式(包括使用搜索栏、地址栏、页面右键菜单或起始页搜索框),现在都默认使用Google HTTPS搜索服务。增加了搜索的安全和隐私性。 注2:可选功能。如果在about:config中启用 plugins.click_to_play :使用插件用户将需要一步额外的点击来激活,才能开始激活利用插件的内容(注3)。这种模式提高了浏览器的安全,并可能在未来在某些情况下推广到默认设置。用户可以设置(注4),每个站点插件的具体使用权限(蚊仔把它叫做“插件权限白名单”,囧~)。 [...]

  • [...] 注1:默认的始终的搜索方式(包括使用搜索栏、地址栏、页面右键菜单或起始页搜索框),现在都默认使用Google HTTPS搜索服务。增加了搜索的安全和隐私性。 注2:可选功能。如果在about:config中启用 plugins.click_to_play :使用插件用户将需要一步额外的点击来激活,才能开始激活利用插件的内容(注3)。这种模式提高了浏览器的安全,并可能在未来在某些情况下推广到默认设置。用户可以设置(注4),每个站点插件的具体使用权限(蚊仔把它叫做“插件权限白名单”,囧~)。 [...]

  • Kaixi says:

    When I open any Youtube video and click to activate the Flash plugin, the video starts as expected but I lose all the mouse controls (play/pause button, full-screen button, etc). I can only get them to work again after clicking anywhere else on the page. Is this a known issue? Should I file a bug?

  • ronjouch says:

    Hello again.

    I noticed two other side-effects regarding file:// pages and plugins
    – The clickable url bar widget allowing running a plugin with no visible part doesn’t appear for pages on my local drive (file:// scheme). Use case: some software I do development for bundles documentation as html frameset, and the html integrates a Java-based search engine. With click-to-play ON, Java doesn’t run, and I am unable to let it run.
    – Additionnally, the Permissions tab being not available for file:// URLs, I am unable to tell the page to “always run” plugins via this other interface

    Am I missing something? What do you think about this? Should I file bugs?

    Thanks again for the help.

    • msujaws says:

      Yes, in general, please file bugs, although for this case I think there are already bugs on file for this. I think it comes down to security constraints for local file access, and associating permissions with an address that doesn’t have good separation between trusted and untrusted areas. In general, file:// treats each folder as a separate domain.

  • L says:

    Upon my stupid mistake, I accidentally clicked “never activate plugins for this site” and now I have no way of re-activating the plugin. Help!

    • msujaws says:

      You can fix this by visiting the website and right-clicking on the page and selecting “View Page Info”. In the Page Info dialog, you can select the Permissions tab, and adjust the permissions for Activate Plugins. Hope that helps!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

What’s this?

You are currently reading Opting-in to plugins in Firefox at JAWS.

meta

Follow

Get every new post delivered to your Inbox.

Join 982 other followers