Nearly all Firefox plugins to be blocked by default, including Silverlight

There have been a lot of concerns lately over the safety of browsing websites that rely on third-party plugin software. That's been especially true of Java, which has been discovered to have a number of security holes.

This week, Mozilla announced a change in its previous plugin software setup for its Firefox web browser. In a post on its blog, Michael Coates, Mozilla's director of security assurance, stated:

"Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play or the user has previously configured Click To Play to always run plugins on the particular website."

Click To Play is a list of plugins that Firefox blocks from running on the browser. Under the new system, Firefox will soon block all plugins from automatically running, with the exception of the current version of Flash. Coates cited both performance and security issues as the reasons for this new system.

Once the final implementation of this new system is put in place, Firefox will automatically block the running of plugins such as Java, Acrobat Reader and Microsoft's Silverlight plugin, even if they are updated to current versions by their respective companies.

Source: Mozilla | Image via Mozilla


45 Comments


Good news! Click to play is essential to web security for you as a user to be in control of those plugins. Opera already have this functionality and I hope more will follow.

For the problem is also that all browsers just pick up whatever browser plugins it finds on your computer even if you did not tell it to or you are aware of it because of a newly installed application for instance.

So instead of the user constantly enabling/disabling plugins when in need and always keep an eye on to avoid new plugins you can make sure the page you are visiting will not use plugins until you allow it.

This will also create an awareness about the problems with plugins and hopefully a faster transition to HTML5 if possible.

I don't understand. I used to love Firefox. Don't know why they keep hurting themselves. Firefox mobile OS? Really? Come on Mozilla, open your eyes, you keep losing your users.

S3P€hR said,
I don't understand. I used to love Firefox. Don't know why they keep hurting themselves. Firefox mobile OS? Really? Come on Mozilla, open your eyes, you keep losing your users.

I think you are the one that needs to open your eyes, with this move it's helping the users not hurting them. and stop worrying about the Firefox mobile OS.

I refuse to install Firefox on Windows 8 because it *** really bad on Windows 8. Google Chrome works like a treat.

Like others have said, they should attempt to make a sandbox for firefox. Other browsers have done it, why can't they? plugins of course are another story. I'll stick to palemoon thank you.

Currently flash is the only plugin that I find useful, all the other are just unnecessary security breaches. It's rare that I ever see an interesting Java applet on the web.

Yeah, java based web applets are rare these days. I come across engineering "calculator" type java apps all the time (to make some calculation easier). There also seems to always be some Windows or Mac app that I'm running that requires the Java runtime to be installed. I just can't get away from it. Every time I uninstall I find myself reinstalling after a few weeks when I hit something that requires it.

BlendedFrog said,
I take it this means that adblock won't run unless you enable it for each and every website?

No, it's an addon.

BlendedFrog said,
I am confused...what's the difference between an addon and a plugin according to mozilla?

well plugins have external dll, executables etc ... while add-ons rely on features already on browser (css, js, ...). Anyways firefox makes a clear distinction for plugins, there's a separate "tab".

Addon is most often a script that appends/makes changes to UI elements and how they behave.
Plugin is a compiled binary that can access and do everything it wants.

About time they added some useful functionality based on what addons people most frequently use. More like this, because their own innovations scuk.

Good move. It would be nice if they would do this for Flash, even the current version, but too many sites use Flash in the background (for things like audio - rdio, I'm looking at you) which makes it difficult to... you know, click.

Now that Flash is dead on mobile, the only use for it is cross platform compatibility on Windows, OS X and (kind of) Linux, all on desktops. Plugins are going the way of the dodo, and apps are taking their place.

Apps are generally catered to the operating system they run on, though, even if only in a small way (like using the menu bar in OS X). They're also a more explicit agreement between you and the app maker: if you run an app, you probably trust it more than you do any old web site.

But, yeah, apps built on plugins are still apps. It's more of a colloquialism for "native application" these days.

Jason Stillion said,
One can argue app and plugin are the same thing.

No. Not really. A plugin extends the media support of a browser. For instance it extends support to run Java or Flash based code. An "app" (at least in this context) is generally considered a platform dependent client that utilizes data from the web.

Hollow.Droid said,
READ THE ARTICLE!! You can enable run once/run always for particular sites.

Yep, the neowin summary didn't indicate this from a quick glance. Still how many Joe Schmo's would know how to do that? They'd probably just use Firefox w/ out of the box settings.

tsupersonic said,
Yep, the neowin summary didn't indicate this from a quick glance. Still how many Joe Schmo's would know how to do that? They'd probably just use Firefox w/ out of the box settings.

If their impl is anything like chrome's then it won't exactly be difficult.

Hollow.Droid said,
READ THE ARTICLE!! You can enable run once/run always for particular sites.

Lol, sensationalism injected in the title (they are not "blocking" the plugins, they just are not automatically loading plugin content w/o user interaction which is a GOOD THING). Couple the title with the fact that folks here just like to talk and not listen...

I don't need a company to dumb down my application because of idiots who don't know how to use them properly.

Looks like it's time to find a new browser.

I think comprehension mistake overall, they only want to block outdated plugins not current ones, they are not enforcing click to play experience for everyone.
Also Click to play is not functional perfectly even in current Nightly, as per their platform meetings notes, they will disable all Flash versions prior to 11.2 using CTP in FF22 nothing else.

Zlip792 said,
I think comprehension mistake overall, they only want to block outdated plugins not current ones, they are not enforcing click to play experience for everyone.
Also Click to play is not functional perfectly even in current Nightly, as per their platform meetings notes, they will disable all Flash versions prior to 11.2 using CTP in FF22 nothing else.

Sorry what part of:
Click To Play is a list of plugins that Firefox blocks from running on the browser. Under the new system, Firefox will soon block all plugins from automatically running, with the exception of the current version of Flash.

and
Once the final implementation of this new system is put in place, Firefox will automatically block the running of plugins such as Java, Acrobat Reader and Microsoft's Silverlight plugin, even if they are updated to current versions by their respective companies.

Did I fail to comprehend?

How is adding more control dumbing down? You can enable any website to run once/always run if you actually read the article. I know for sure I'd rather take the incredibly small inconvenience of manually setting up which sites run which plugins and have a browser fully under my control rather than having a gaping security flaw. Something like IE6 might be right up your alley.

Hollow.Droid said,
How is adding more control dumbing down? You can enable any website to run once/always run if you actually read the article. I know for sure I'd rather take the incredibly small inconvenience of manually setting up which sites run which plugins and have a browser fully under my control rather than having a gaping security flaw. Something like IE6 might be right up your alley.

Yeah nice jump in logic, I don't want auto blocks so therefore I'm dumb and should use an outdated, buggy browser?

Reminds me of UAC for windows. As I already block Java and flash and trackers and ads, I doubt this change would make much difference to me.

Exploits can be placed in ANY webpage or using ads. That's what they are trying to prevent. It has nothing to do with "dumbing down". If they'd implement a proper sandbox, then maybe that would be the better choice. I do agree that there will probably be a way to disable it.

farmeunit said,
Exploits can be placed in ANY webpage or using ads. That's what they are trying to prevent. It has nothing to do with "dumbing down". If they'd implement a proper sandbox, then maybe that would be the better choice. I do agree that there will probably be a way to disable it.

They can't fully sandbox third party plugins... No browser can... That's why Java, for instance, is a security hole on every browser...

The whole point of a third party plugin is that it can do anything that it wants inside the browser. Without this power you wouldn't get Flash being able to use GPU acceleration irrespective of browser GPU acceleration support among other things.

So, no it has nothing to do with how good or bad the FF sandbox is since this doesn't apply to third party plugins!

TheLegendOfMart said,
I don't need a company to dumb down my application because of idiots who don't know how to use them properly.

Looks like it's time to find a new browser.


Stop crying and type about:config in address bar.

I'm all for click-to-play plugin support across the board. Don't know why they think Flash should be the exception. I install specific extensions to enforce click-to-play behavior with Flash. Flash ads need to die.

Shadrack said,
I'm all for click-to-play plugin support across the board. Don't know why they think Flash should be the exception.

Youtube + other videos.

Shadrack said,
I'm all for click-to-play plugin support across the board. Don't know why they think Flash should be the exception. I install specific extensions to enforce click-to-play behavior with Flash. Flash ads need to die.

Now here's a reply that makes sense!

Yeah, why make flash the exception when that crap is as buggy and insecure as java and it's used a ton more than java probably also.

Still think that new way of handling plugins with a pluginwrapper is stupid. I don't use Firefox but have used Palemoon and Waterfox, but it was always trying to make an outward connection, which made me also quit using Palemoon and Waterfox. Definitely DON'T need one crap thing trying to control another piece of crap thing built into the browser.

I think I said that correctly. Confused myself trying to think of how to word it!