The Firefox web browser supports plugins and browser extensions. The core difference is that plugins are loaded from external sources and often proprietary. They are currently enabled by default if Firefox notices them in one of the default plugin locations on the system.
This may be convenient as it means that sites that require these plugins for some or all of their functionality work right out of the box, but it is also a issue of control. Firefox users do not have a say initially whether a plugin will be activated in the browser or not. While it is certainly possible to disable identified plugins, it is something that happens after the plugin has been enabled in the browser. You can also enable click to play to prevent the automatic loading of plugins in the browser.
Mozilla introduced click to play some time ago, a feature that Firefox users need to enable before they can make use of it. Later, click to play was used to block insecure plugins automatically in the browser.
It is still up to the user to activate a blocked plugin, even though it is not recommended to do so as it makes the browser and underlying system vulnerable to exploits targeting those vulnerabilities.
Mozilla today announced the next step to put users in charge of plugins in the browser. Instead of making click to play a choice, it will be enabled for all plugins in the future except for the current version of Adobe's Flash plugin. Michael Cotes, Director of Security Assurance outlined the upcoming steps of the implementation.
- Click to play will be enabled for old versions of Flash (10.2.x and older) and then slowly for recent insecure versions of the plugin as well.
- Once the UI has been finalized, Mozilla will enable the feature for all current versions of plugins - except Flash - including Silverlight, Java and Acrobat Reader.
What this means is that plugins won't be enabled by default anymore in the browser with the exception of the current version of Adobe Flash. It is not clear why Flash is exempt from the process but the most likely explanation is that it is the most widely used plugin and that users would probably flood Mozilla with support requests if it would be included.
The benefit for Firefox users should be clear. Instead of having to monitor installed plugins regularly to disable those that are not needed, it is now done automatically so that plugins that are not used are not automatically available when websites request access to them.
Click to play gives users options to always run plugins on a site so that the click to play message does not appear every time a page is opened on that website. Mozilla furthermore plans to add options to enable plugins only for specific sites by default, e.g. Flash for Vimeo or Java for a bank's site that requires it.
The drawback is that users will see those messages in the browser frequently at first, for instance on YouTube. While it takes just two clicks or so to activate plugins permanently on a site, it needs to be done for all sites that require plugins to run.
Keeping plugins disabled by default is a welcome change, considering that the majority of plugins installed in the browser are likely never used anyway. The effectiveness of the change depends largely on the notifications that users will receive when they need to make a decision whether to run a plugin or not.