Opting-in to plugins in Firefox
11 April, 2012 § 84 Comments
Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web. So much so, that over 99% of internet users have Flash installed on their browser. However, plugins can also carry with them extra vulnerabilities and system slowdowns.
A couple days ago I landed an initial implementation of “click-to-play plugins” in desktop Firefox. To see and play with the feature, download a Nightly build of Firefox, go to about:config, and enable the plugins.click_to_play preference. When plugins.click_to_play is enabled, plugins will require an extra click to activate and start “playing” content. This is an incremental step towards securing our users, reducing memory usage, and opening up the web.
I’m currently working on implementing the ability for plugin activation settings to be remembered on a per-site basis. I hope to get these changes landed within the next week before the deadline for Firefox 14.
If you are curious and want to learn more about our plans for opt-in activation of plugins, you can take a look at the feature page on our wiki.
This feature is wonderful and should have been implemented a long time ago. An old version of the Dolphin browser for Android already has this implemented and it works great.
As someone very invested in the issue of web-based malware, I appreciate the intent behind this proposed change. That said, I think the usability cost in this case does not justify the security benefit. There’s a reason that 99% of computers have Flash installed: Flash is an integral part of many, many websites. We shouldn’t be adding obstacles to users experiencing sites the way they were intended to be experienced. Furthermore, “alert fatigue” (a term I’m borrowing from the medical world) is already a problem that leads users to blindly click “yes” or “ok” without fully processing what they’re agreeing to. In this instance (as in many), it’s not even clear that mainstream users will have a reasonable basis for making an informed decision about whether or not it’s safe to enable the objects.
Looking at it more from a user control standpoint, if a user chooses to install and enable a plug-in, that plug-in should be able to display content by default. I’m a strong supporter of Mozilla’s move to disable known vulnerable plug-ins (with manual override possible), but not to hamstring the functionality of current versions.
That will teach me not to RTFM. After reading the wiki page for the feature, I see that the plan is to only enable this feature by default in cases of outdated or widely exploited plugins. In that context, it makes much more sense to have this feature available. In fact, we might be able to help with language for some of the warning messages that users get when they have outdated plugins.
[…] of site-specific permissions for Firefox’ opt-in plugins. I previously wrote about Firefox 14’s non-default support for opt-in (also known as click-to-play) plugins last […]
[…] plugins will require an extra click to activate and start “playing” content. This mode improves the security of the browser and may be extended in the future to be activated by default in some cases. When on, site-specific […]
I was thinking that this feature was meant to eliminate the need for the FlashBlock addon, which helps us save a few CPU cycles by having a click-to-play option. Sadly, it is not true, and the click-to-play option loads all the applets on the page when clicking it, and not just the clicked element. Is there any chance to change this behavior in the future so we could have a better integrated Flash blocking feature?
Yeah, we want to do this. It’s being tracked here if you are curious: https://bugzilla.mozilla.org/show_bug.cgi?id=742753
[…] Wein of Mozilla blogged last month about a new feature he was developing for Firefox 14 called “click-to-play”. The idea is to block the default loading of plugins like Java and Flash when surfing to reduce the […]
[…] of Mozilla told us on his blog about a new feature he was developing for Firefox 14 called “click-to-play”. Much like the current add-on called NoScript, click to play would allow you to block […]
[…] autoplay in browser. With this option, Mozilla mainly wants to thwart malware writers, who […] vulnerabilities in these […]