Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Firefox Java Mozilla Security Software News

Mozilla To Enable Click-To-Play For All Firefox Plugins By Default 181

An anonymous reader writes "Mozilla on Tuesday announced a massive change to the way it loads third-party plugins in Firefox. The company plans to enable Click to Play for all versions of all plugins, except the latest release of Flash. This essentially means Firefox will soon only load third-party plugins when users click to interact with the plugin. Currently, Firefox automatically loads any plugin requested by a website, unless Mozilla has blocked it for security reasons (such as for old versions of Java, Silverlight, and Flash)."
This discussion has been archived. No new comments can be posted.

Mozilla To Enable Click-To-Play For All Firefox Plugins By Default

Comments Filter:
  • Need for speed! (Score:3, Informative)

    by sandytaru ( 1158959 ) on Tuesday January 29, 2013 @01:20PM (#42729035) Journal
    Hopefully this speeds up Firefox considerably. I stopped using it because it was so much slower than Chrome at some basic tasks. But considering Chrome is incredibly unstable on Windows 8, I'm willing to give Firefox another chance.
    • Such a simple solution, they already have plugin detection, so they probably just expanded that with an on / off switch. And... nobodies thought of it, I like it, mozilla needs some fresh new features... I still can't get sync to work easily for what I want it to (multiple computers, 1 bookmarks file, idc about mobile devices for those). I'm willing to bet the next versions of chrome and IE will include it though.
    • Re: (Score:2, Insightful)

      by bogaboga ( 793279 )

      I stopped using it because it was so much slower than Chrome at some basic tasks

      Are you a "high speed" trader?

      What real useful difference does it make? Seriously?

      • Re: (Score:3, Funny)

        by Anonymous Coward

        I stopped using it because it was so much slower than Chrome at some basic tasks

        Are you a "high speed" trader?

        What real useful difference does it make? Seriously?

        Step 1: Crippling addiction to absorbing information from the internet at all times.
        Step 2: Run out of information to absorb from familiar places.
        Step 3: Boredom.
        Step 4: Find new place from which information can be absorbed. That new place discusses application speed and responsiveness with nanosecond resolution.
        Step 5: Absorbed information must be used! Develop brand new crippling addiction of obsessing over browser speed.
        Step 6: ???
        Step 7: Gain attention by complaining on public forums! Which is a form

      • The thought of high-speed traders working through a web browser amuses me.

        If they are so time sensitive that mere seconds of delay could through them off, they should not be using a consumer-level OS and browser, but something a bit more realtime.

        • they should not be using a consumer-level OS and browser, but something a bit more realtime.

          Like...?

          • I don't know, some proprietary system most likely. I have visions of some crappy AS/400 terminal that does the work on a trading system mainframe.

          • by lennier ( 44736 )

            they should not be using a consumer-level OS and browser, but something a bit more realtime.

            Like...?

            A Cyberdyne Investment Systems T-1989 Model 101 Tradinator (tm) rapid-response tactical securities infiltration, acquisition, monetisation and arbitrage platform. With optional cup holder and social-gaming connector.

            I'LL BE BANK.

          • they should not be using a consumer-level OS and browser, but something a bit more realtime.

            Like...?

            A well-tuned consumer-level OS and a dedicated trading GUI?

    • by Cinder6 ( 894572 )

      Chrome works fine on Windows 8 for me. Of course, I've gone back to Firefox, but for different reasons.

      • Comment removed based on user account deletion
      • I keep getting nasty "page has stopped responding" on everything from Facebook to Gmail. I keep hoping the flurry of updates they're sending out will fix it. This just started in the last week or two and it's getting quite frustrating. Hopefully the Google guys are getting the crash reports I keep filing...
    • Let me guess, your need for speed is so you can get first posts...
      • Did I get first post? I never even check that sort of thing. I just know that if a story has no comments on it yet, that's probably a lie and proclaiming "first post!" is going to either get me nuked to oblivion or make me look like a fool. So I don't.
    • I use Chrome on Windows 8 and I haven't had any problems with (no crashes or other odd behavior). Maybe it's you.

    • Hopefully this speeds up Firefox considerably. I stopped using it because it was so much slower than Chrome at some basic tasks.

      Eh? Firefox is so much faster than Chrome that I really wonder why would you spread disinformation like this. Or perhaps, your Adblock setup is lacking (or, horrors, missing at all). The default stops only visible ads, while Every. Fucking. Page. On. Teh. Internets. has a screenful of hidden trackers/etc that really slow you down.

      NoScript would be tempting, except that in today's Web2.0, too big a part of pages is useless without manually mucking with permissions. Yet even without it, Firefox is so much

      • I think you are looking for Ghostery...

        https://addons.mozilla.org/en-us/firefox/addon/ghostery/ [mozilla.org]

        With apologies to Southpark: "They put the trackers on their webpages over there, and... they're gone."

        • Ghostery is too simplicistic, too inaccurate and too uncontrollable for heavy users, although it indeed may be a good solution for nontechnical users (ie, a vast majority). Adblock can do everything ghostery can, except that you need to configure it to do so.

          When coming to a new page I have a hunch may include something nasty, I ctrl-shift-V ("Open blockable items") and glance at the list, looking for something that needs to be swatted. Obviously, quite a few folks shared their lists so you don't need to

          • by higuita ( 129722 )

            If you want control check noscript + requestpolicy.
            You have total control what you load on the browser.

      • Actually, AdBlock crashed yesterday too! (In addition to all the regularly schedule dying Chrome pages.) I was rather amused by suddenly seeing advertisements in places I hadn't realized they existed, like on right sidebar of Facebook.
    • by jonadab ( 583620 )
      > Hopefully this speeds up Firefox considerably.

      You know what speeds up Firefox considerably?

      Noscript.

      It's amazing. I expected it to make some difference, but it had MUCH more impact than I imagined possible. Apparently about 99.8% of page "load" time is actually not spent loading page content, but executing completely gratuitous client-side scripts, most of which you never even realized were there, because they don't do anything the user would ever notice much less care about.

      Occasionally you will run
      • by fatphil ( 181876 )
        Why is your post not already at +5 insightful?

        Everyone's playing around with JIT compilers to make javascript faster (there must have been a dozen such announcements over the last few years from all major browser vendors), when the reality of life is that the way to make it fastest is to not run it at all.

        Speed-wise, for many sites, there's seems to be a half-way house by using AdBlock instead of having NoScript activated. At least then a large proportion of the loads that are initiated by javascript turn i
  • by Torp ( 199297 ) on Tuesday January 29, 2013 @01:20PM (#42729037)

    Subject says it all... why enable flash by default? Even if it didn't have any security holes, it's still the great battery eater...

    • Quite a few pages have hidden flash elements that are vital to the operation of the page. Most web music players, for instance. Blocking flash by default would break quite a few sites.

      Software developers—and browser makers in particular—have to weigh security against user experience.

      • by Secret Agent Man ( 915574 ) on Tuesday January 29, 2013 @01:37PM (#42729333) Homepage
        Which is why Chrome's Click to Play also puts a puzzle piece in your address bar, which you can click to run all plugins on a page once or all the time for a given domain. Does Firefox do something similar? There are lots of cases where there's no clickable space to enable a third party plugin.
      • by Cajun Hell ( 725246 ) on Tuesday January 29, 2013 @01:53PM (#42729529) Homepage Journal

        Most web music players, for instance. Blocking flash by default would break quite a few sites.

        Some peoples' "broken" sites are other peoples' "fixed" sites.

      • Comment removed based on user account deletion
        • by Merk42 ( 1906718 )
          So you're suggesting Firefox doesn't follow the W3C/Whatwg standard?

          I'm sure if it were spun as "iOS refuses to follow standards for <video> tag" you'd be up in arms.
        • by tlhIngan ( 30335 )

          Also: do I need to guess that it's still not going to be the case that it'll be possible to prevent HTML5 video from playing if the bastards building the page have made it auto-play? NOTE TO MOZILLA: _nobody_ wants this. Nobody. There is nobody in the world who wants a massive multimegabyte video to download and start playing unless they've specifically acknowledged they're ready for it. I don't give a rat's ass that you've seen sites considered legit like Youtube auto-play videos, even Google f---s up from

          • by znark ( 77857 )

            And yes, YouTube's autoplay is very annoying, espescially if you open the video in a new tab. I wish I knew how to just have it disabled globally.

            There’s a GreaseMonkey [wikipedia.org] “user script” called YousableTubeFix [userscripts.org]. If installed, it helps getting rid of many YouTube annoyances – including the completely needless autoplay feature.

      • by rmstar ( 114746 )

        Quite a few pages have hidden flash elements that are vital to the operation of the page. Most web music players, for instance. Blocking flash by default would break quite a few sites.

        True, although many sites, especially fash-heavy ones are only bearable when broken.

        The web music player issue can be solved in firefox with flashblock by right-clicking on the icon, and unblocking all flash content from that site.

      • Quite a few pages have hidden flash elements that are vital to the operation of the page. Most web music players, for instance. Blocking flash by default would break quite a few sites.

        I consider that a feature ... any site I hit that whines it needs Flash gets the back button, and subsequently ignored.

        Except for my work machine which I periodically need Flash for something annoying but required, I pretty much don't even have it installed.

        As a user, if your site requires Flash, you'll likely never see me aga

      • I've been using Flashblock for years and I don't think I've ever had this problem (closest is Veoh, where you have to click on the plain black video area to make it work). Hidden elements appear as a flash object in the upper-left corner of the page.

      • Firefox's FlashBlock (click-to-play for Flash) extension works just fine. I don't have problems with sites being broken - or at least I don't notice they're broken. And if they're really broken (IE-only kind of sites, they still exist) I just get a blank screen.

    • by gQuigs ( 913879 )

      Flash is used on an order of magnitude more sites. See: http://w3techs.com/technologies/overview/client_side_language/all [w3techs.com]

      I think they should (and will) eventually.. maybe start with any site that has more than 3 flash objects. Then more than 1. Then click to play on all flash. It does make sense to do flash more gradually.

    • by Tridus ( 79566 )

      Probably to make sure the creators of FlashBlock still have something to do.

    • The problem I ran into w/ FlashBlock was needing a ton of whitelisting. And for silly things even, like playing sounds.
      For example, gmail would use flash (don't know if it still does) for the ping when someone sent you a chat message.
      It created that invisibly, so FlashBlock didn't work - I guess prompting would, but it wasn't obvious what people were whitelisting.

      Another one that did that, the game Enlightenment would use flash as a fallback after attempting HTML5 sound w/ mp3 only (no ogg fallback) so al

      • Oh. Then there are sites that use "detection" code and won't even show you a click-to-play area on the screen. They'll simply bounce you to some error content if they fail to create the invisible flash content.

        Hopefully this sort of poor behaviour is becoming rarer. Esp since Firefox on my Android tablet/phone prompts for flash too, which will hopefully drive some website awareness.

    • I haven't looked at the code to verify why it is that sites don't work, but I see a lot of news sites in particular where the videos don't play if I have plugins on click-to-play in Opera. The CNN video page is one example, the videos just don't start. I suspect that there is some Javascript that is injecting the Flash movie in a way that I don't even see it to click on it to enable it, but like I said I haven't looked at the code for the sites that don't work. I go to Chrome when I come across a site li

    • by colfer ( 619105 )

      JQuery can eat up cycles too. A common replacement for Flash animation is the jQuery "Cycle" plugin. Well, jQuery sets 13ms timeouts by default for effects. If I have two or three of those things running in ads on a page, my laptop's fan kicks on. The parameter, jQuery.fx.interval, is not that well known, and a developer on a decent system would not notice the CPU overuse. The 13ms resolution is not really needed for simple slideshows.

      • by colfer ( 619105 )

        To be clear on jQuery effects, I'm talking about Javascript with no browser plugins, just those big redundant ad js files that often rival the total byte size of the images on a page. Flash is at least compact. (I develop with js instead of Flash, but I try to keep it reasonable.)

    • Once I switched to a YouTube downloader for FF ( "Easy YouTube Video Downloader" https://addons.mozilla.org/en-us/firefox/addon/easy-youtube-video-downl-10137/ [mozilla.org] ) there is almost zero reason to even have flash installed anymore except for the odd Web Game. i.e. These 2 have excellent gameplay:

      Gemcraft - Chapter 0
      http://armorgames.com/play/3527/gemcraft-chapter-0 [armorgames.com]

      Desktop Tower Defense
      http://www.kongregate.com/games/preecep/desktop-tower-defense-1-5 [kongregate.com]

      • Once I switched to a YouTube downloader for FF

        Youtube downloaders are good. I have one installed for when I want to download the videos. If you want to play them instead, here's a good option:

        http://userscripts.org/scripts/show/87011 [userscripts.org]

        It plays they embedded or fullscreen, but using MPlayer, so even my venerable eee 900 can keep up with moderately HD video (not 1080p).

        But yeah, I have flash on faster laptops for tower defense games too.

        Have you tried the Creeper World series?

    • by jrumney ( 197329 )
      The first add-on I install for Firefox: https://addons.mozilla.org/en-US/firefox/addon/flashblock/ [mozilla.org]

      I suspect the main reason I install this is the main reason Mozilla don't want to disable Flash by default: annoying animated ads.

  • by idontgno ( 624372 ) on Tuesday January 29, 2013 @01:22PM (#42729071) Journal

    I found it Reading the Fucking Article:

    Going forward, Mozilla will essentially be blocking all plugins except the very latest version of Flash. The company won't say why it is exempting Adobe's plugin, but it's most likely because users expect their videos to play automatically (and advertisers expect their ads to load automatically).

    Emphasis mine.

    "Follow the money." That's a reason I can understand.

    Makes me glad I usually run with Adblock and NoScript.

    • Flashblock+adblock. they're not illegal. They solve all your problems in that regard.

    • by sycodon ( 149926 )

      And here I though watching porn was going to get a bunch easier.

    • So for me, nothing will change - I'll still have to keep FlashBlock installed.

      Seriously... if I could only enable one plugin, it'd be FlashBlock - even over AdBlock. It makes the web significantly better, and - after several years of use - I still only have a handful of sites (like YouTube) whitelisted. Flash just isn't necessary for most things.

      • I completely uninstalled Flash along with Java about a week ago, and haven't looked back since. Whenever something doesn't work without flash, as cool it as may be, I can *always* answer the question with "do I need this, as opposed to just wanting it?" with a resounding no... your mileage may vary, but I dare doubt it does :P http://www.youtube.com/html5 [youtube.com] is working better and better for me, too.

    • by jfengel ( 409917 )

      Ah, thanks. My first thought on reading TFS was, "Oh, perhaps I could consider skipping NoScript," and wondering whether I'd miss its Javascript controlling features as well.

      But no, enemy #1 is still there, so NoScript stays firmly in place.

      Note to advertisers: I do NOT run with AdBlock. Just NoScript. Ads, yes. Singing dancing flashing noisemakers, no. And yeah, I have Javascript blocked, for the same reason. If that means that the site is unusable, then I will find an alternative that pisses me off less.

    • Going forward, Mozilla will essentially be blocking all plugins except the very latest version of Flash. The company won't say why it is exempting Adobe's plugin, but it's most likely because users expect their videos to play automatically (and advertisers expect their ads to load automatically).

      Emphasis mine.

      FFS, you're bolding and ranting like that's the word from Mozilla when what you are quoting is uninformed speculation from the author of the article (though it very well may be true). I suspect the average user being confronted with what is, to them, an error message when they go to youtube.com (or any number of other flash reliant sites) might have some bearing in the decision.

      • You're right. I'm emphasizing speculation. Credible speculation, IMHO. And probably in the honest opinion of anyone who's paying any attention.

        Maybe I'm too cynical. More likely, you're not cynical enough.

        • by roca ( 43122 )

          The real reason is that Flash gets used a lot --- much more than any other plugin --- so leaving the latest version of Flash unblocked and blocking everything else gives the best tradeoff of attack surface area reduction vs user convenience.

          But don't let me disrupt your enjoyment of your own cynicism.

    • I use Flashblock, NoScript, BetterPrivacy, Ghostery (with GhostRank aka Plugin-Based Analytics disabled) and CookieMonster but not Adblock. I allow the unobtrusive ads to appear on purpose.

      Adblock is good for dial-up users though.

      • by Luckyo ( 1726890 )

        Adblock plus had an option to allow unintrusive advertising for years now. They even maintain their own database on which advertising is intrusive and which is not.

    • I found it Reading the Fucking Article:

      Going forward, Mozilla will essentially be blocking all plugins except the very latest version of Flash. The company won't say why it is exempting Adobe's plugin, but it's most likely because users expect their videos to play automatically (and advertisers expect their ads to load automatically).

      Emphasis mine.

      "Follow the money." That's a reason I can understand.

      Makes me glad I usually run with Adblock and NoScript.

      Um, remember Windows 7 and the "OMG I have to click 'Open' every time I want to open an application?'

      It's annoying. They just bypassed the annoying by allowing the plugin that's used almost everywhere. Secure? No. Convenient? Yes. Threat? Who knows?

    • by Luckyo ( 1726890 )

      This is basically yet another case of mozilla trying to implement functionality that is already done better in a widely used plug-in or extension. It's also yet another case where they do it in a much worse way.

  • I predict chaos (Score:5, Insightful)

    by Phoenix Rising ( 28955 ) on Tuesday January 29, 2013 @01:27PM (#42729177) Homepage

    While we as technical users might enjoy a plugin-free experience with no extra clicking involved, the average Joe User is going to be pissed off.

    I run with NoScript - does pretty much what Mozilla wants to do (plus script blocking), except without the big gray box. The average user is not interested in NoScript type functionality - they want a rich web experience out of the box, and if that includes Flash, PDF files, and audio, then that's what they want.

    I suspect the reason Flash is turned on isn't because of ads - it's because there are a number of high profile corporate websites out there that become unusable if Flash isn't enabled.

    • Also some Flash objects do not have a visual presence, and in fact sit off the screen since they do other things. I believe Google's Pacman logo uses Flash to power sound in IE (since it doesn't support HTML5 audio).
      • A lot of those are just for the Flash tracking cookies.

    • Re:I predict chaos (Score:4, Insightful)

      by Dragonslicer ( 991472 ) on Tuesday January 29, 2013 @04:11PM (#42731339)

      While we as technical users might enjoy a plugin-free experience with no extra clicking involved, the average Joe User is going to be pissed off.

      I know this can be a dangerous idea, but I think you may be underestimating the average user. I suspect the conversation will go something like this:

      Average User: Hey, why doesn't the video play automatically anymore?
      Other Person: You have to click the big Play button first.
      Average User: Oh, okay.

      The average user probably won't ever understand why they have to do it, nor will they care, but they'll be able to repeat the necessary step(s).

      • Average User: Hey, why doesn't the video play automatically anymore?
        Other Person: You have to click the big Play button first.
        Average User: Oh, okay.

        The average user probably won't ever understand why they have to do it, nor will they care, but they'll be able to repeat the necessary step(s).

        But they're not clicking the big 'Play' button - they're clicking the 'Are you sure you want to enable this possibly dangerous third-party software' button, and it is altering (read: degrading) the experience the web page designer intended to present to the end user.

        And depending on what they just enabled, after they click the "we'll try not to make this scary warning too scary" button THEN they might have to press the 'Play' button that shows up.

  • by empties ( 2827183 ) on Tuesday January 29, 2013 @01:29PM (#42729201)
    What will I do with the excess memory if plugin-container.exe doesn't get out of hand anymore? Or perhaps we'll see a new big process: plugin-container-container
  • The features tacked onto HTML5 like <audio> and <script> aren't considered a plugin, thus writing your animation w/ sound in it would seem to bypass the new default click-to-play. Ah, but it doesn't matter anyway since they're not making Flash click-to-play. So either this will make annoying BS more difficult to block without breaking the site, or it stengthens Flash in opposition to HTML5. Now browsers will be even less usable without NoScript and AdBlock.

    Either way you look at it HTML5 is dead to me; It's been 13 years (half the age of the Web) and we're still stuck on HTML 4.01... Time to give up folks, HTML6 won't arrive before the Singularity. The Web even tanks as a cross platform dev platform -- I can make pixel perfect feature rich cross-platform native application for Linux, Win, BSD, OSX, Android, iOS in 1/3rd the time it takes me to ensure the same "web app" works in all the browsers and OSs. It was a bad idea to begin with -- Hack together the most inefficient scripting language and a stateless static document display engine to create stateful internet enabled applications (Every damn site is a stateful application now). HTML is ugly, and pointless. Long live the Internet, but Fuck The Web.

    • by Corporate T00l ( 244210 ) on Tuesday January 29, 2013 @02:29PM (#42730021) Journal

      I can make pixel perfect feature rich cross-platform native application for Linux, Win, BSD, OSX, Android, iOS in 1/3rd the time it takes me to ensure the same "web app" works in all the browsers and OSs.

      I want whatever development tool chain you're using. Just dealing with the different installer mechanisms on those platforms makes my head spin. What's your secret?

    • Indeed. The web should have been low level virtual machine combined with low level (opengl) graphics.

      Instead, they (w3c or whoever) decided that the web should be programmable by novices, so they made HTML and it sucked for real software engineers.

  • If Click-to-play was enabled on all browsers for all plugins there would be less tendency to use useless plugins to make a website pretty.

    It's not like Flash is security-bug-free. You could also use a flash plugin to store a flash based cookie if the browsers privacy settings don't accept your traditional tracking cookie...

  • is that Eolas won in the end? LOL

  • by Chuck Chunder ( 21021 ) on Tuesday January 29, 2013 @05:49PM (#42732283) Journal
    Remember back when the EOLAS patent [wikipedia.org] was being waved about and it was suggested that browser makers may have to implement "click to play" to avoid it.

    Strange that a year after EOLAS gets their arse handed to them in a Texas court we get to a similar place for entirely different reasons.
  • Hopefully there will be some way to enable silverlight automatically without clicking, otherwise Netflix on a PC is going to suck even worse...

    Regards,
    -Jeremy

  • Hopefully this will mean a complete rewrite of their click-to-play setup, including fixing this incredibly annoying misfeature of Firefox 19:

    http://forums.mozillazine.org/viewtopic.php?f=38&t=2644157 [mozillazine.org]
    https://bugzilla.mozilla.org/show_bug.cgi?id=820678 [mozilla.org]

    As far as I can tell, this whole aspect of firefox was never designed properly. It grew into an unmaintainable mess, and now they're having a hard time finding their way out.

  • The ability for websites to activate plug-ins has been a security issue for a long time.

They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- Carl Sagan

Working...