Mozilla: Java is insecure, default click to play for all plugins but Flash from Firefox 26 on
Mozilla made it clear back in January 2013 that it would change the way plugins are handled in the organization's Firefox web browser in a fundamental way. Up until that time, plugins were automatically loaded and enabled in the browser with the exception of plugins that landed on Mozilla's blocklist.
The blocklist contains plugins with known security vulnerabilities or stability issues that Firefox will not load by default anymore.
Firefox users had options back then to disable plugins permanently, but the majority of users were likely unaware of that option and the impact that plugins could have on the browser.
With Firefox 23 came a change that brought the browser's click to play feature to the front. Before that, you had to change a configuration value to enable it. Click to play was mainstream now and available for all plugins directly from within the add-ons manager.
With Firefox 24 come two major changes to the web browser that affect the click to play feature. Instead of giving users the option to enable individual plugin elements that are blocked by the feature on page load, click to play in Firefox 24 will whitelist that plugin temporarily on the page.
Let me give you an example. Say you visit YouTube and notice that click to play has blocked the video from playing, and also an ad in the right sidebar. Previously you were able to activate the video but keep the ad blocked. With Firefox 24, activating the video or the ad will load both items on the page.
There is, however, an add-on that you can install to restore the old per-element click to play behavior on websites (open the Firefox 24 link above and you are taken to the article that mentions it).
A recent Bugzilla entry mentions another change that will be implemented in Firefox 24 if things turn out right. Mozilla considers Java to be inherently insecure, and will default the plugin - even the latest version of it - to click to play for all of its users.
Firefox users can still override the default for individual sites, but won't be able to enable Java on a browser-wide basis anymore.
That is not the end of it, however. With Firefox 26 comes another change that Mozilla announced at the beginning of 2013: all plugins, with the exception of the latest version of Adobe Flash, will default to click to play from that browser version on.
It will be possible to override the default to activate plugins at all times on all sites, or to disable plugins completely. Both options are available in the browser's add-ons manager.
Most experienced users may already have set plugins to click to play or disabled them completely. Inexperienced users, on the other hand, may not know about the feature or the dangers of plugins, and it is for them that Mozilla implements those changes.
Most users will benefit from this, not only because security is improved in the browser, but also through faster page loading times due to plugin contents not being loaded on page load.
Firefox users who need to work with a particular plugin can still enable it browser-wide - with the exception of Java - so that they can use it without having to click on plugin elements on each page they visit. (via Sören)