Mozilla has integrated click to play functionality into the Firefox web browser for some time now. The feature blocks plugins from being loaded automatically on websites. Videos on YouTube for instance are replaced with placeholders that inform you that a plugin needs to be loaded to watch the video (unless you are in the HTML5 Beta on the site). The plugin is only loaded when you click on that area on the screen.
Click to play has two core benefits: it first speeds up the loading of websites in the browser as plugin contents are skipped on the initial load, and it second improves security by not executing plugin contents automatically in the browser. A website exploiting new vulnerabilities can't exploit them automatically because of this. Attacks can however be executed if the user decides to load the plugin contents on the web page.
Mozilla decided to improve user security further by using blocklist information with click to play. The blocklist is a collection of add-ons and plugins that are know to be insecure or harmful. The new click-to-play blocklisted plugins feature takes the best of both features and mixes it together into something that's better than each individual feature.
Firefox is not the first browser to implement the feature. Chrome users may have noticed that their web browser is also blocking plugins automatically that are out of date. The browser furthermore displays options to update the plugin or to run it in a small notification bar at the top.
Instead of having to decide whether to disable a plugin completely to be safe on the web, or to run it but run the risk of being attacked on websites targeting the vulnerability, Firefox users can now use click to play to make an informed case by case decision. The video on YouTube may be safe to watch, but the Java applet on that shady looking site?
That in itself is mighty useful, but it does not stop here. Firefox is now displaying information about vulnerable plugins on the click to play frame on the page.
The information are displayed on the frame and also in an overlay on the screen when you click on the plugins icon that appears on these pages next to the web address. Here you get the option to activate some or all plugins, and to check for updates if a new version is available. The update check redirects to Mozilla's Plugin Check website from where new plugin versions can be downloaded and installed.
The feature is enabled by default in Firefox Beta, Aurora and Nightly. It is likely that it is coming to the stable version of Firefox soon. Firefox users can furthermore set the plugins.click_to_play preference to true to enable click to play for all plugins. If that is not done, the feature is only enabled for Silverlight, Adobe Reader and Adobe Flash on Windows.
The feature works well against attacks that target plugins, but only if you do not accidentally or willingly enable the plugin on a site that tries to exploit vulnerabilities in plugins.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.