Mozilla Firefox: Click to play using blocklist for improved security

Click to play functionality has been part of the Firefox web browser for some time now. The feature blocks plugins from loading automatically on websites. Videos on YouTube, for instance, are replaced with placeholders informing you that a plugin needs to be loaded to watch the video (unless you have opted into the site's HTML5 beta). The plugin is only loaded when you click on that area of the screen.
Click to play has two core benefits. First, it speeds up the loading of websites in the browser, since plugin contents are skipped on the initial load. Second, it improves security by not executing plugin contents automatically in the browser: a website exploiting a new vulnerability cannot trigger the exploit automatically. An attack can still succeed, however, if the user decides to load the plugin contents on the web page.
Mozilla decided to improve user security further by using blocklist information together with click to play. The blocklist is a collection of add-ons and plugins that are known to be insecure or harmful. The new click-to-play blocklisted plugins feature takes the best of both and combines them into something better than either on its own.
Firefox is not the first browser to implement the feature. Chrome users may have noticed that their web browser also automatically blocks plugins that are out of date, and that it displays options to update the plugin or to run it anyway in a small notification bar at the top.
Instead of having to decide whether to disable a plugin completely to be safe on the web, or to run it and risk being attacked on websites targeting the vulnerability, Firefox users can now use click to play to make an informed case-by-case decision. The video on YouTube may be safe to watch, but the Java applet on that shady-looking site?
That in itself is mighty useful, but it does not stop here. Firefox now displays information about vulnerable plugins on the click to play frame on the page.
The information is displayed on the frame and also in an overlay when you click on the plugin icon that appears next to the web address on these pages. Here you get the option to activate some or all plugins, and to check for updates if a new version is available. The update check redirects to Mozilla's Plugin Check website, from where new plugin versions can be downloaded and installed.
The feature is enabled by default in Firefox Beta, Aurora and Nightly, and it is likely coming to the stable version of Firefox soon. Firefox users can furthermore set the plugins.click_to_play preference to true to enable click to play for all plugins. If that is not done, the feature is only enabled for Silverlight, Adobe Reader and Adobe Flash on Windows.
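For anyone who wants to verify that a profile actually has the preference from the previous paragraph set, here is an added example (my own code, not Mozilla's and not part of the original article): a small Python parser for the user_pref("name", value); lines found in a profile's prefs.js or user.js, plus an audit that reports whether plugins.click_to_play is on and whether the blocklist is enabled. The preference fragment is constructed for the example. Treating an absent plugins.click_to_play as off follows the article; treating an absent extensions.blocklist.enabled as on is an assumption about Firefox's shipped default.

```python
import re

# Constructed sample of a Firefox prefs.js / user.js fragment (not taken from
# a real profile or from the article).
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("plugins.click_to_play", true);
user_pref("extensions.blocklist.enabled", true);
user_pref("network.http.max-connections", 256);
"""

# One preference per line: user_pref("<name>", <value>);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw):
    """Convert the textual value of a user_pref() call to bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # String value: undo the two escapes Firefox writes into prefs.js.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        raise ValueError(f"unrecognised preference value: {raw!r}") from None


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; skip blanks and comments."""
    prefs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#")):
            continue
        match = PREF_LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a user_pref() line: {line!r}")
        prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def audit(text):
    """Report the two preferences that matter for blocklist-driven click to play.

    Defaults when a preference is absent: click to play is off for most plugins
    (as the article describes), and the blocklist is assumed to be on, which is
    an assumption about Firefox's shipped default, not something the article states.
    """
    prefs = parse_prefs(text)
    return {
        "click_to_play": prefs.get("plugins.click_to_play", False) is True,
        "blocklist_enabled": prefs.get("extensions.blocklist.enabled", True) is True,
    }


if __name__ == "__main__":
    for name, value in parse_prefs(SAMPLE_PREFS).items():
        print(f"{name} = {value!r}")
    print(audit(SAMPLE_PREFS))
```

The parser is deliberately strict: any line that is neither blank, a comment, nor a well-formed user_pref() call raises, so a truncated or hand-edited file is reported rather than silently audited as "click to play off".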
The feature works well against attacks that target plugins, but only if you do not accidentally or willingly enable the plugin on a site that tries to exploit plugin vulnerabilities.
Can click to play be used to block constant refreshes on websites like Drudgereport? This is such a nuisance! I’ve explored this so many different times. My version of Mozilla does not have xpinstall.enabled in the config. I cannot add a new default command to C:\Program Files (x86). I don’t understand why Mozilla did not provide an option to restrict browser refresh. Thanks, Daveo
Does this mean that the FlashBlock add-on is no longer required?
If what I read before is correct and it works like Chrome, it blocks all Flash or nothing.
You’re still going to use the awesome FlashBlock add-on if you want click to play on individual Flash objects.
For example you visit a video site that uses flash for ads & videos and you just want the video to play in flash but not the stupid flash ads.
You will NEED to use FlashBlock add-on.
good news then!
what about a whitelist?
That isn’t true on both counts.
Chrome’s version of Click to Play works on individual Flash elements and so does Firefox’s.
Edit: If you click on the actual element, it only loads that element. If you enable it via the icon in the address bar, it enables all.
No via TechDows link this time? He he he
I’m subscribed to the Mozilla Security blog, so no, not my source.
you need to subscribe to more blogs then
I know :)