Mozilla Firefox: Click to play using blocklist for improved security - gHacks Tech News

Mozilla Firefox: Click to play using blocklist for improved security

Mozilla has integrated click to play functionality into the Firefox web browser for some time now. The feature blocks plugins from being loaded automatically on websites. Videos on YouTube for instance are replaced with placeholders that inform you that a plugin needs to be loaded to watch the video (unless you are in the HTML5 Beta on the site). The plugin is only loaded when you click on that area on the screen.

Click to play has two core benefits: it first speeds up the loading of websites in the browser as plugin contents are skipped on the initial load, and it second improves security by not executing plugin contents automatically in the browser. A website exploiting new vulnerabilities can't exploit them automatically because of this. Attacks can however be executed if the user decides to load the plugin contents on the web page.

Mozilla decided to improve user security further by using blocklist information with click to play. The blocklist is a collection of add-ons and plugins that are know to be insecure or harmful. The new click-to-play blocklisted plugins feature takes the best of both features and mixes it together into something that's better than each individual feature.

Firefox is not the first browser to implement the feature. Chrome users may have noticed that their web browser is also blocking plugins automatically that are out of date. The browser furthermore displays options to update the plugin or to run it in a small notification bar at the top.

Instead of having to decide whether to disable a plugin completely to be safe on the web, or to run it but run the risk of being attacked on websites targeting the vulnerability, Firefox users can now use click to play to make an informed case by case decision. The video on YouTube may be safe to watch, but the Java applet on that shady looking site?

That in itself is mighty useful, but it does not stop here. Firefox is now displaying information about vulnerable plugins on the click to play frame on the page.

firefox click to play blocklist

The information are displayed on the frame and also in an overlay on the screen when you click on the plugins icon that appears on these pages next to the web address. Here you get the option to activate some or all plugins, and to check for updates if a new version is available. The update check redirects to Mozilla's Plugin Check website from where new plugin versions can be downloaded and installed.

The feature is enabled by default in Firefox Beta, Aurora and Nightly. It is likely that it is coming to the stable version of Firefox soon. Firefox users can furthermore set the plugins.click_to_play preference to true to enable click to play for all plugins. If that is not done, the feature is only enabled for Silverlight, Adobe Reader and Adobe Flash on Windows.

The feature works well against attacks that target plugins, but only if you do not accidentally or willingly enable the plugin on a site that tries to exploit vulnerabilities in plugins.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Pappu Iyer said on October 12, 2012 at 7:37 pm
    Reply

    No via TechDows link this time? He he he

    1. Martin Brinkmann said on October 12, 2012 at 8:18 pm
      Reply

      I’m subscribed to the Mozilla Security blog, so no, not my source.

      1. Pappu Iyer said on October 14, 2012 at 3:44 am
        Reply

        you need to subscribe to more blogs then

      2. Martin Brinkmann said on October 14, 2012 at 8:59 am
        Reply

        I know :)

  2. BillO said on October 12, 2012 at 7:38 pm
    Reply

    Does this mean that the FlashBlock add-on is no longer required?

    1. B. Moore said on October 12, 2012 at 9:27 pm
      Reply

      If what I read before is correct and it works like Chrome its blocks all flash or nothing.

      Your still going to use the awesome FlashBlock add-on if you want click to play on individual flash objects.

      For example you visit a video site that uses flash for ads & videos and you just want the video to play in flash but not the stupid flash ads.
      You will NEED to use FlashBlock add-on.

      1. Martin Brinkmann said on October 12, 2012 at 9:45 pm
        Reply

        Edit: If you click on the actual element, it only loads that element. If you enable it via the icon in the address bar, it enables all.

      2. Matto said on October 13, 2012 at 12:36 am
        Reply

        That isn’t true on both counts.

        Chromes version of Click to Play works on individual flash elements and so does Firefox.

      3. B. Moore said on October 13, 2012 at 6:54 am
        Reply

        good news then!

        what about a whitelist?

  3. DaveO said on July 30, 2015 at 9:12 pm
    Reply

    Can click to play be used to block constant refreshes on Websites like Drudgereport? This is such a nuisance! I’ve explored this so many different times. My version of Mozilla does not have xpinstall.enabled in the config. I cannot add a new default command to C:\Program Files (x86). I don’t understand why Mozilla did not provide an option to restrict browser referesh. Thanks, Daveo

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.