Mozilla to start blocking plugins by default in Firefox

Martin Brinkmann
Mar 2, 2014
Updated • Mar 3, 2014

Mozilla planned to enable the click to play feature in Firefox 26 for all users when the browser was released back in 2013.

Click to play blocks the execution of plugins automatically so that websites cannot load contents that make use of browser plugins.

Users then have the option to keep the block in place, enable the plugin on the website for the time being, or enable it permanently on the site in question.

Shortly before Firefox 26 hit the stable channel, Mozilla decided to limit click to play to the Java plugin in the release.

What this meant was that Java was the only plugin that was set to "ask to activate" in the browser's plugin manager, instead of all plugins except for Adobe Flash.

Mozilla published an update in regards to that two days ago on the Mozilla Security blog. Chad Weiner, Mozilla's director of product management, announced on the organization's behalf that Firefox would start to block plugins by default very soon.

The wording used confused me at first, but once I realized that blocking meant the same as click to play, it all became clearer.


Here is what is going to happen. Mozilla made the decision to block all plugins in one of the next versions of Firefox. Blocking in this regard means setting plugins to click to play; it does not mean blocking them entirely so that users of the browser can no longer load content that requires these plugins.

Plugin authors can apply for inclusion in a whitelist. The application deadline is March 31, 2014, and any application received before the deadline will be reviewed by Mozilla.

If inclusion in the whitelist is granted, the plugin in question is given whitelist status, which effectively means that it is exempt for a 30-week grace period. Plugin authors can then apply for a second round, and if granted again, their plugins are exempt for another 24 weeks.

What's interesting in this regard is that the whitelist application needs to include a "credible plan" to migrate away from the use of NPAPI-based plugins.

Here is the important part if you are a Firefox user:

  • Plugins will be set to click to play in one of the coming releases.
  • Only plugins that are added to the whitelist are exempt from this.
  • You can still run any plugin in Firefox.

You can enable click to play in your browser right now. There are two steps to do so, setting the preference and then switching each plugin to "ask to activate", as the following guide outlines:

  1. Type about:config in the browser's address bar and hit enter.
  2. Confirm you will be careful.
  3. Search for the preference plugins.click_to_play
  4. Make sure it is set to true. If not, double-click on it.
  5. Open about:addons and switch to plugins here.
  6. Click on the menu next to a plugin listing and switch the value to "ask to activate". This enables click to play for the plugin.
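An offline check of the two settings from the steps above, as an added example that is not part of the original article: it parses a profile's prefs.js and lists the plugins that still run without a prompt. The plugin.state.* preference names and their 0/1/2 values are assumptions about Firefox builds of this period, and the sample prefs.js content is constructed.

```python
import re

# Assumed plugin activation states (not from the article):
# 0 = never activate, 1 = ask to activate, 2 = always activate.
STATES = {0: "never activate", 1: "ask to activate", 2: "always activate"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a profile's prefs.js; not taken from a real profile.
SAMPLE_PREFS = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("plugins.click_to_play", true);
user_pref("plugin.state.flash", 2);
user_pref("plugin.state.java", 1);
user_pref("plugin.state.npexampleviewer", 2);
'''

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; values are bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_click_to_play(text):
    """Return (click_to_play_pref, plugins set to always activate).

    prefs.js only stores values that differ from the build default, so the
    first element is None when the profile never changed the preference.
    """
    prefs = parse_prefs(text)
    always = sorted(name[len("plugin.state."):] for name, value in prefs.items()
                    if name.startswith("plugin.state.") and value == 2)
    return prefs.get("plugins.click_to_play"), always

if __name__ == "__main__":
    enabled, always = audit_click_to_play(SAMPLE_PREFS)
    print("plugins.click_to_play:", enabled)
    for plugin in always:
        print(f"{plugin}: {STATES[2]} (not yet switched to '{STATES[1]}')")
```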

Tip 1: For better manageability of your click to play whitelist, use the Firefox add-on Click To Play Manager.

Tip 2: For options to enable only select elements on a page and not all, use click to play per element.

What are Mozilla's reasons for doing so?

The organization notes that plugins are one of the core reasons for poor performance, stability issues and security vulnerabilities. Setting plugins to click to play resolves many of those issues, especially on sites where it may not be apparent to the user of the browser that plugin contents are being loaded.

Click to play protects Firefox users from dangers on the Internet, without removing any functionality the browser provides. That's different from how Google decided to handle things, as the company announced that it would block the use of all NPAPI plugins in the Chrome browser this year.


Comments

  1. Tired of BOSSY Software said on April 27, 2014 at 6:30 am

    Mozilla is pretty darned heavy-handed in disabling plugins like Flash, despite users complaining… Let the end-user decide whether it is their choice to “RISK” using a potentially insecure plugin. Some people will NOT upgrade to newer versions of programs like Flash Player precisely because it is the VENDOR of the program who violates their privacy and annoys with relentless “updates.” Instead of letting US decide, Mozilla plays like “GOD” and disables the function and either warns us to upgrade or simply says “NO FLASH PLUGIN FOUND!,” trying to strong-arm us into upgrading. Forget it.

  2. Dante said on March 3, 2014 at 3:40 pm

    So how does click to play work on NoScript? Especially if one forgets to click.

    1. Martin Brinkmann said on March 3, 2014 at 3:55 pm

      Works fine. NoScript does not load scripts on non-whitelisted sites by default, and click to play has the same effect.

  3. ilev said on March 3, 2014 at 6:25 am

    Great move by Firefox (click-to-play is on by default in my Chrome). Flash and Java are the biggest security risk and one of the reasons why Windows 8 failed in 2013 by being the least unsecure Windows version and XP the most secure.

    1. ilev said on March 3, 2014 at 6:53 am

      ..by being the most un-secure Windows version :-)

  4. michaelpaul said on March 3, 2014 at 1:32 am

    AHHHHH THANK YOU CHROME, Dumped Firefox a month ago. Enough with the nonsense, Had been using FF for 6 years, Thought I'd give Chrome a try
    AHHHH THANK YOU CHROME!

  5. Jaroslav Matura said on March 2, 2014 at 11:42 pm

    The vanilla clickToPlay is still unusable. It was only good right after its initial launch in Firefox 22 (… I think) when it offered to Run once, Run always, and Never run the plugin, and the granted permission wasn’t page-wide. When they made the redesign we know today, it became confusing, user-nonfriendly, and practically worthless. The add-on Click to Play per Element does not help much.

    I really wish the mozdevs would stop shitting on their own product.

    1. Anonymous said on March 17, 2014 at 10:36 pm

      I’ll echo the sentiment in that last sentence. Considering the changes across Firefox versions 20-27, it has seemed (to me) as though there’s a “plant” (or several) among the devs — pursuing a goal of sabotaging Firefox and driving it into oblivion.

      Since Summer 2013, I’ve noticed increasingly few noteworthy addons appearing each month. Of the few still-marked-compatible addons among my 60 or so personal faves, the authors have ceased to maintain them. Statistics and damned lies (quoting Samuel Clemens, I think) month-by-month, the stats have continually indicated decreasing ff market share. As a result, I believe the trend of diminished interest among addon developers is nearly irreversible.

      Above, I wrote “still-marked-compatible”. This underscores an important point. Although many addons _ARE_ in fact still functionally compatible, their authors don’t even care to simply revise the “compatible versions” declaration and re-release the xpi. To me this suggests a collective disdain or outright contempt toward the status quo Mozilla ecosphere.

      FWIW, I think the “Flashblock” addon https://addons.mozilla.org/en-US/firefox/addon/flashblock/
      still provides click-to-play functionality on a per-instance basis

    2. Pants said on March 3, 2014 at 2:14 am

      “The add-on Click to Play per Element does not help much.”

      Agreed

  6. Neal said on March 2, 2014 at 11:27 pm

    Are they really going to try to block flash by default? I dislike Flash like the next guy, but this will literally destroy any declining desktop shares they still have.

    Don’t give people a reason to switch to another browser. I hope they aren’t going to be that stupid, but recent history is discouraging.

    1. Martin Brinkmann said on March 3, 2014 at 8:28 am

      Neal, that depends on the whitelist. Maybe they make an exception for Flash even if Adobe does not apply, I do not know. Update: Just received word that Flash will be whitelisted. I’d still make it ask to activate though.
