Firefox to load third-party plugins on user request in the future - gHacks Tech News

Firefox to load third-party plugins on user request in the future

The Firefox web browser supports plugins and browser extensions. The core difference is that plugins are loaded from external sources and often proprietary. They are currently enabled by default if Firefox notices them in one of the default plugin locations on the system.

This may be convenient as it means that sites that require these plugins for some or all of their functionality work right out of the box, but it is also a issue of control. Firefox users do not have a say initially whether a plugin will be activated in the browser or not. While it is certainly possible to disable identified plugins, it is something that happens after the plugin has been enabled in the browser. You can also enable click to play to prevent the automatic loading of plugins in the browser.

If you want to check the current list of installed and enabled plugins in your version of Firefox, load about:addons and switch to the plugins listing there. If you have never been there, you may be surprised about the number of plugins listed there.

Mozilla introduced click to play some time ago, a feature that Firefox users need to enable before they can make use of it. Later, click to play was used to block insecure plugins automatically in the browser.

firefox click to play blocklist screenshot

It is still up to the user to activate a blocked plugin, even though it is not recommended to do so as it makes the browser and underlying system vulnerable to exploits targeting those vulnerabilities.

Mozilla today announced the next step to put users in charge of plugins in the browser. Instead of making click to play a choice, it will be enabled for all plugins in the future except for the current version of Adobe's Flash plugin. Michael Cotes, Director of Security Assurance outlined the upcoming steps of the implementation.

  • Click to play will be enabled for old versions of Flash (10.2.x and older) and then slowly for recent insecure versions of the plugin as well.
  • Once the UI has been finalized, Mozilla will enable the feature for all current versions of plugins - except Flash - including Silverlight, Java and Acrobat Reader.

What this means is that plugins won't be enabled by default anymore in the browser with the exception of the current version of Adobe Flash. It is not clear why Flash is exempt from the process but the most likely explanation is that it is the most widely used plugin and that users would probably flood Mozilla with support requests if it would be included.

The benefit for Firefox users should be clear. Instead of having to monitor installed plugins regularly to disable those that are not needed, it is now done automatically so that plugins that are not used are not automatically available when websites request access to them.

Click to play gives users options to always run plugins on a site so that the click to play message does not appear every time a page is opened on that website. Mozilla furthermore plans to add options to enable plugins only for specific sites by default, e.g. Flash for Vimeo or Java for a bank's site that requires it.

The drawback is that users will see those messages in the browser frequently at first, for instance on YouTube. While it takes just two clicks or so to activate plugins permanently on a site, it needs to be done for all sites that require plugins to run.

Verdict

Keeping plugins disabled by default is a welcome change, considering that the majority of plugins installed in the browser are likely never used anyway. The effectiveness of the change depends largely on the notifications that users will receive when they need to make a decision whether to run a plugin or not.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Claude LaFrenière said on January 30, 2013 at 3:06 am
    Reply

    Hi :)

    Just one remark. «About:addons» give the access to the extensions.
    For plugins like shockwave the local address is «about:plugins».
    For a complete list of “about” just type «about:about» in the address window of Firefox.

    :)

    1. Pablo said on January 30, 2013 at 7:41 am
      Reply

      Claude,
      No, Martin is right, «about:addons» ALSO lets you access the management page for you installed plugins, and is much more user-friendly than «about:plugins», let me add.

  2. Seban said on January 30, 2013 at 4:07 am
    Reply

    Many will know this, but maybe there’s someone who does not: NoScript does all this and more. Premium Add On.

    Greetings

    1. Marc said on January 30, 2013 at 6:30 am
      Reply

      Ahh I was just going to add that. Though it may be worh noting as well that NoScript does not enable “click-to-play” protection by default. You have to enable it by
      going to Options > Objects Tab > Select the Plugins you may want to enable Click-to-play” for. Aditionally the protection can be fine tuned by choosing whether to apply “click-to-play” for trusted sites or not, under the same preference tab.

  3. Wayfarer said on January 30, 2013 at 4:56 am
    Reply

    Handy to disable un-required plugins. Better if I was able to delete them altogether. Even better if they weren’t installed at all without permission.

  4. Ken Saunders said on January 30, 2013 at 3:41 pm
    Reply

    about:permissions is where you can manage all sorts of things on a per-site basis like plugin permissions, passwords, cookies, offline data, etc.

    1. BalaC said on January 31, 2013 at 9:51 am
      Reply

      Never knew “about:permissions” thanks for the added info

  5. AC said on January 31, 2013 at 10:18 pm
    Reply

    Which version of Firefox is this feature going to land in?

    1. Martin Brinkmann said on January 31, 2013 at 10:47 pm
      Reply

      Mozilla has not named a target version yet.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.