How to limit Java exposure in Firefox

Martin Brinkmann
Feb 11, 2013
Updated • Jan 6, 2014

Several Java vulnerabilities have been discovered in rapid succession in the past months. Every time Oracle put out a fix, new vulnerabilities were discovered in those recent versions almost immediately, which in turn left any system those versions were installed on vulnerable to attacks.

Companies like Mozilla have started to blacklist old Java versions to protect users from those attacks, and while that worked considerably well, one could not really rely only on that to stay safe.

So what is it that you can do to protect your systems from Java-based attacks? The first answer that comes to mind, for obvious reasons, is to uninstall Java. While that may work for some users who do not need Java at all, it may not work for others. If your online banking website requires Java, you can't just uninstall Java as you would not be able to use the banking site anymore.

There must be another solution and there is. Actually, there is more than one solution and I'm going to look at all of them in this guide to help you limit Java to websites you need to run it on.

1. Run NoScript

NoScript is my only must-have Firefox add-on that I run all the time. It blocks all scripts from running on all websites by default, so that Java, JavaScript or Flash contents are not executed automatically when you visit a website.

It supports temporary and permanent whitelisting of domains to allow scripts to run on select domains. The idea here would be to enable scripts on the sites you need to run Java on, and keep the default setup for all other sites so that it won't be executed on those sites when you open them in the browser.

While this requires some work on your part to configure all sites you need to run Java on, and sites that you need to run other plugins on, it is highly beneficial in the end as it protects the browser and computer from many attack forms that execute automatically when you connect to websites and services.


To enable a script on a site you can either click on it directly, which will enable it temporarily, or click on the NoScript icon in the browser's interface to enable it permanently or temporarily.

2. Click to Play

Update: In recent versions of Firefox, you may not need to enable click to play anymore, as it is enabled automatically for all plug-ins except Flash or plug-ins that you have configured to run automatically. You may still want to check the plug-ins listing in the browser's add-ons manager to make sure that everything is set to "ask to activate".

If you do not run NoScript, you still have a couple of options to deal with Java and other plugins that you need but are potentially dangerous to run. Mozilla some time ago introduced click to play, a feature that blocks the execution of scripts until you click on the element in the browser window.

It is disabled by default and the only option to enable it is in the advanced browser configuration. What's interesting in this regard is that it is actually activated automatically if you run a version of Java that is vulnerable or outdated. Mozilla plans to expand this in the near future.

To activate click to play do the following:

  • Type about:config into the browser's address bar.
  • Confirm that you will be careful if you do that for the first time.
  • Type plugins.click_to_play into the search field and press enter.
  • Double-click on the parameter to set it to true.
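
To check the result of these steps without opening about:config, the profile's preference files can be read directly. The following is an added example, not part of the original article: it parses the `user_pref("name", value);` lines that Firefox writes to prefs.js, applies user.js on top (user.js overrides prefs.js at startup), and reports the effective value of plugins.click_to_play. The function names and the sample file contents are constructed for illustration, and an unset preference is treated as off, matching the default the article describes.

```python
import json
import re

PREF = "plugins.click_to_play"  # preference name taken from the article

# Matches one line of prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep values we cannot parse as plain text
    return prefs


def click_to_play_enabled(prefs_js, user_js=""):
    """Effective setting: user.js wins over prefs.js; unset counts as off."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    # Only a real boolean true counts; the string "true" does not.
    return merged.get(PREF, False) is True


# Constructed sample profile contents, not taken from a real installation.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", false);
'''
SAMPLE_USER_JS = 'user_pref("plugins.click_to_play", true);\n'

if __name__ == "__main__":
    print("prefs.js only:", click_to_play_enabled(SAMPLE_PREFS_JS))
    print("with user.js: ", click_to_play_enabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

Placing the single user_pref line in a user.js file in the profile folder also keeps the setting in place if it is later changed by hand in about:config, because user.js is re-applied on every start.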


Once done you will notice that plugin contents are not loaded automatically anymore. Instead, you will get an "activate Java" or other plugin name on the page that you need to click on to activate. The core benefit here is the same as provided by the NoScript extension: no plugin runs on a site unless you actively allow it to do so.

There are a couple of things you can do to improve your experience. For sites you trust, your bank's website for instance, you may want to enable plugins all the time so that you do not have to enable them actively whenever you visit it.

A click on the small icon next to the site's address provides you with a menu to do so.


When you click on the icon, you are presented with options to activate one plugin, or all of them. You can also select the "always activate plugins for this site" option to whitelist the site so that plugins run on it automatically.




  1. Jacko said on February 13, 2013 at 4:08 pm

    Prefbar, one of my favourite Firefox add-ons, has a built-in button to enable and disable Java. I don’t include it in my customised Prefbar but it’s there for anyone who may need to enable/disable Java on a regular basis.

  2. Jacko said on February 11, 2013 at 11:41 pm

    Or just disable Java in your plug-ins. I can’t even remember the last time that I accessed a web page where I had to enable Java.

    1. Martin Brinkmann said on February 11, 2013 at 11:48 pm

      I have uninstalled Java on my systems, and only install it when I need to test something. Others may use applications or web services that require Java which does not make this an option, unless you will enable and disable the plugin manually every time you need it.

  3. Midnight said on February 11, 2013 at 10:05 pm

    Re: plugins.click_to_play…Already set to True in Firefox Nightly 64bit!
