Mozilla: Java is insecure, default click to play for all plugins but Flash from Firefox 26 on

Martin Brinkmann
Sep 12, 2013

Mozilla made it clear back in January 2013 that it would change the way plugins are handled in the organization's Firefox web browser in a fundamental way. Up until that time, plugins were automatically loaded and enabled in the browser with the exception of plugins that landed on Mozilla's blocklist.

The blocklist contains plugins with known security vulnerabilities or stability issues that Firefox will not load by default anymore.

Firefox users had options back then to disable plugins permanently, but the majority of users were likely unaware of that option and the impact that plugins could have on the browser.

With Firefox 23 came a change that brought the browser's click to play feature to the front. Before that, you had to change a configuration value (the plugins.click_to_play preference in about:config) to enable it. Click to play is mainstream now and available for all plugins directly from within the add-ons manager.

With Firefox 24 come two major changes to the web browser that affect the click to play feature. The first: instead of giving users the option to enable individual plugin elements that are blocked by the feature on page load, click to play in Firefox 24 will whitelist that plugin temporarily for the whole page.

Let me give you an example. Say you visit YouTube and notice that click to play has blocked the video from playing, and also an ad in the right sidebar. Previously you were able to activate the video but keep the ad blocked. With Firefox 24, activating the video or the ad will load both items on the page.

There is however an add-on that you can install to get the old way of working with click to play on websites back in the browser (open the Firefox 24 link above and you are taken to the article that mentions it).

Upcoming changes

A recent Bugzilla entry mentions another change that will be implemented in Firefox 24 if things turn out right. Mozilla considers Java to be inherently insecure, and will default the plugin - even the latest version of it - to click to play for all of its users.

Firefox users can still override the default for individual sites, but won't be able to enable Java on a browser-wide basis anymore.

That's however not the end of it. With Firefox 26 comes another change that Mozilla announced at the beginning of 2013: all plugins, with the exception of the latest version of Adobe Flash, will default to click to play from that browser version on.

It will be possible to override the default to activate plugins at all times on all sites, or to disable plugins completely. Both options are available in the browser's add-ons manager.
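The rules described above (a blocklist of known-vulnerable versions, a browser-wide default per plugin, per-site overrides, and a plugin that can never be set to "always activate" browser-wide) amount to a layered policy. The following is an added illustration of how such a policy resolves for a given plugin instance; it is not Mozilla's code, and the blocklist entries, version thresholds, plugin names and hosts in it are constructed for the example.

```javascript
// Added example (not Mozilla's implementation): a layered plugin policy of
// the kind the article describes. Blocklist entries, version thresholds and
// sample plugins below are constructed for illustration only.

// Numeric comparison of dotted version strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Blocklist entries cover an inclusive version range. A 'hard' entry means
// the plugin never loads; a 'soft' entry (known vulnerable, still usable)
// forces click to play regardless of the global setting. Hypothetical values.
const BLOCKLIST = [
  { name: 'Java', min: '0', max: '1.7.0.24', severity: 'hard' },
  { name: 'Shockwave Flash', min: '0', max: '11.8.0.0', severity: 'soft' },
];

// Browser-wide modes: 'always' activates on load, 'ask' is click to play,
// 'never' disables the plugin. Plugins not listed fall back to 'ask', which
// is the default the article describes for everything but the latest Flash.
const GLOBAL_DEFAULTS = { 'Shockwave Flash': 'always' };

// Plugins that may not be set to 'always' browser-wide (the Java rule).
const NO_GLOBAL_ALWAYS = new Set(['Java']);

function blocklistSeverity(plugin) {
  const hit = BLOCKLIST.find(e =>
    e.name === plugin.name &&
    compareVersions(plugin.version, e.min) >= 0 &&
    compareVersions(plugin.version, e.max) <= 0);
  return hit ? hit.severity : null;
}

// Resolve one plugin instance on one site. Precedence, most restrictive
// first: hard blocklist > per-site override > soft blocklist > global mode.
// sitePerms has the shape { 'host': { 'Plugin Name': 'allow' | 'block' } }.
// Returns 'blocked', 'click-to-play' or 'activate'.
function resolvePlugin(plugin, host, sitePerms = {}, globals = GLOBAL_DEFAULTS) {
  const severity = blocklistSeverity(plugin);
  if (severity === 'hard') return 'blocked';

  const site = (sitePerms[host] || {})[plugin.name];
  if (site === 'block') return 'blocked';
  if (site === 'allow') return 'activate';      // explicit per-site choice wins

  if (severity === 'soft') return 'click-to-play';

  let mode = globals[plugin.name] || 'ask';
  if (mode === 'always' && NO_GLOBAL_ALWAYS.has(plugin.name)) mode = 'ask';
  if (mode === 'always') return 'activate';
  if (mode === 'never') return 'blocked';
  return 'click-to-play';                       // fail closed on anything else
}

// Usage with constructed inputs: Java stays click to play everywhere except
// the one site the user whitelisted.
const perms = { 'intranet.example': { Java: 'allow' } };
console.log(resolvePlugin({ name: 'Java', version: '1.7.0.40' }, 'www.example.com', perms));
// click-to-play
console.log(resolvePlugin({ name: 'Java', version: '1.7.0.40' }, 'intranet.example', perms));
// activate
```

The ordering is the point: the blocklist is evaluated before any user choice so a hard-blocked version cannot be re-enabled per site, an unknown plugin with no configured mode lands on click to play rather than on activation, and a global "always" for Java is silently downgraded to "ask".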

Closing Words

Most experienced users may already have set plugins to click to play or disabled them completely. Inexperienced users on the other hand may not know about the feature or dangers of plugins, and it is for them that Mozilla implements those changes.

Most users will benefit from this, not only because security is improved in the browser, but also through faster page loading times due to plugin contents not being loaded on page load.

Firefox users who need to work with a particular plugin can still enable it browser-wide - with the exception of Java - so that they can use it without having to click on plugin elements on each page they visit. (via Sören)





  1. YB said on September 13, 2013 at 1:35 pm

    Java is only as insecure as the person sitting in front of the monitor. I have had Java installed on my computer and have yet to find myself infected from any site.

    Most malware is written to take advantage of social engineering (i.e., phishing) so it really relies on the user to actually click on a link or open an email. If you are dumb enough to click that email attachment or video link showing Assad poisoning Syrian rebel, then you deserve to be infected.

    1. David said on September 18, 2013 at 12:12 am

      haha, well said..

  2. Dario said on September 13, 2013 at 10:01 am

    I must say that is a pretty primitive solution, Mozilla. This solution was used by other browsers (IE) a while ago and didn't turn out very well, so they removed it again. If Mozilla wants to make browsing more secure, why not have all plugins run in a sandbox? No need to auto-disable them, and the plugins cannot do any harm to your system either. Sigh… Way to ruin a perfectly good browser… Looks like Firefox is moving from a developer's browser to a noob browser. If we want that we can just use Chrome or IE.

    1. Neal said on September 14, 2013 at 3:38 am

      I think you need to look into what sandboxing actually entails. The sandbox is more about protecting the core program from being exploited, not third party plugins that have elevated privileges above the sandbox.

      Flash isn't sandboxed in any desktop version of IE, except in the Metro version of IE 10 and 11, and that is only possible b/c Adobe handed over the Flash code so Microsoft could include an MS version of Flash. If you run Java plugins or any third-party plugin not originally included in the browser, they aren't sandboxed whether you use Chrome or IE.

      Flash is sandboxed in Chrome b/c that's Google's version of Flash. With the exception of Chrome's Flash and the other Google plugins, every other third-party plugin such as Java or Unity you must click to play in Chrome by default. Chrome implemented this years ago for exactly the same reason Mozilla is doing it now.

      There was an experimental tag in Chrome a long time ago that tried to sandbox all plugins, but most plugins just crashed or refused to run. Now I can't even find any mention of that specific tag in recent Google search results, so that project went nowhere.

  3. uluwatu said on September 12, 2013 at 3:33 pm

    So how will the plug-ins required by the programming masterpiece Battlefield 3 work? I don't want them enabled all the time, so I enable them manually. Temporary may not be enough for the perfectly optimized and well thought out game to work normally.

    1. Caspy7 said on September 12, 2013 at 11:07 pm

      I believe you are able to “remember my preference” on a site by site basis.

  4. ilev said on September 12, 2013 at 10:56 am

    Adobe Flash is as insecure as Java. Wonder why it got the seal of approval instead of being blocked by default.

    1. Neal said on September 12, 2013 at 10:16 pm

      No it isn’t.

      "Chaouki Bekrar said that compromising Flash has become much more difficult in recent years, thanks to the advances Adobe has made in protecting the plug-in.

      'Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it,' Bekrar said. 'It's more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure.'"

      – French security firm VUPEN

      Then you have to consider that Java has one of the most inconvenient update mechanisms, which leads to most people ignoring it. In contrast, Flash introduced a silent auto-update mechanism 2 years ago that keeps everyone up to date without them even knowing, usually within 24 hours of a patch being released.

      I still have Flash on click to play b/c it is still a resource hog, especially when you compare it to using the HTML5 player, especially on YouTube, and I hate how it autoplays videos, but I am reasonably confident that it is secure.

    2. Solidstate89 said on September 12, 2013 at 1:03 pm

      It really isn’t. Not since they introduced the same sandbox they used on Adobe Reader. It’s still not a bastion of security, but it’s a damn sight more secure than Java.

    3. Martin Brinkmann said on September 12, 2013 at 11:04 am

      Flash is exempt – likely – because it is more widely used than Java.
