Firefox to load third-party plugins on user request in the future
The Firefox web browser supports plugins and browser extensions. The core difference is that plugins are loaded from external sources and often proprietary. They are currently enabled by default if Firefox notices them in one of the default plugin locations on the system.
This may be convenient as it means that sites that require these plugins for some or all of their functionality work right out of the box, but it is also a issue of control. Firefox users do not have a say initially whether a plugin will be activated in the browser or not. While it is certainly possible to disable identified plugins, it is something that happens after the plugin has been enabled in the browser. You can also enable click to play to prevent the automatic loading of plugins in the browser.
Mozilla introduced click to play some time ago, a feature that Firefox users need to enable before they can make use of it. Later, click to play was used to block insecure plugins automatically in the browser.
It is still up to the user to activate a blocked plugin, even though it is not recommended to do so as it makes the browser and underlying system vulnerable to exploits targeting those vulnerabilities.
Mozilla today announced the next step to put users in charge of plugins in the browser. Instead of making click to play a choice, it will be enabled for all plugins in the future except for the current version of Adobe's Flash plugin. Michael Cotes, Director of Security Assurance outlined the upcoming steps of the implementation.
- Click to play will be enabled for old versions of Flash (10.2.x and older) and then slowly for recent insecure versions of the plugin as well.
- Once the UI has been finalized, Mozilla will enable the feature for all current versions of plugins - except Flash - including Silverlight, Java and Acrobat Reader.
What this means is that plugins won't be enabled by default anymore in the browser with the exception of the current version of Adobe Flash. It is not clear why Flash is exempt from the process but the most likely explanation is that it is the most widely used plugin and that users would probably flood Mozilla with support requests if it would be included.
The benefit for Firefox users should be clear. Instead of having to monitor installed plugins regularly to disable those that are not needed, it is now done automatically so that plugins that are not used are not automatically available when websites request access to them.
Click to play gives users options to always run plugins on a site so that the click to play message does not appear every time a page is opened on that website. Mozilla furthermore plans to add options to enable plugins only for specific sites by default, e.g. Flash for Vimeo or Java for a bank's site that requires it.
The drawback is that users will see those messages in the browser frequently at first, for instance on YouTube. While it takes just two clicks or so to activate plugins permanently on a site, it needs to be done for all sites that require plugins to run.
Verdict
Keeping plugins disabled by default is a welcome change, considering that the majority of plugins installed in the browser are likely never used anyway. The effectiveness of the change depends largely on the notifications that users will receive when they need to make a decision whether to run a plugin or not.
Hi :)
Just one remark. «About:addons» give the access to the extensions.
For plugins like shockwave the local address is «about:plugins».
For a complete list of “about” just type «about:about» in the address window of Firefox.
:)
Claude,
No, Martin is right, «about:addons» ALSO lets you access the management page for you installed plugins, and is much more user-friendly than «about:plugins», let me add.
Many will know this, but maybe there’s someone who does not: NoScript does all this and more. Premium Add On.
Greetings
Ahh I was just going to add that. Though it may be worh noting as well that NoScript does not enable “click-to-play” protection by default. You have to enable it by
going to Options > Objects Tab > Select the Plugins you may want to enable Click-to-play” for. Aditionally the protection can be fine tuned by choosing whether to apply “click-to-play” for trusted sites or not, under the same preference tab.
Handy to disable un-required plugins. Better if I was able to delete them altogether. Even better if they weren’t installed at all without permission.
about:permissions is where you can manage all sorts of things on a per-site basis like plugin permissions, passwords, cookies, offline data, etc.
Never knew “about:permissions” thanks for the added info
Which version of Firefox is this feature going to land in?
Mozilla has not named a target version yet.