Click-to-play plugin blocks coming in Firefox 17

Jorge Villalobos

30

Firefox 17, coming out today on Beta, introduces a new solution for dealing with vulnerable or outdated plugins. Plugins that are blocked with the click-to-play flag will not load by default, but can be easily activated by users. This gives us a more user-friendly way to warn about plugins that should be updated, that give users better control over their browsing experience.

The large scale plugin update notification we deployed last week used the old update notification mechanism for Firefox 16 and below, and the new click-to-play mechanism for Firefox 17 and above. If you have old versions of Flash, Adobe Reader or Silverlight and you’re on 17, you will see the click-to-play block next time you visit a page that uses one of these plugins.

For more information see this post in the Security Blog.

30 responses

  1. lba wrote on :

    are “search” add-ons (xml files) automatically updated? or must users update them manually?

    1. Jorge Villalobos wrote on ::

      They must be updated manually. They are rarely updated, though, given how simple they are.

  2. Aris wrote on :

    Fx17 plugin changes seem to have a negative effect on HD trailers on “Apple movie trailers” site ( http://trailers.apple.com/ ) and maybe others. While HD trailers can be downloaded using Fx 16 (and older), nothing happens when on Fx 17 beta (1/2).

  3. John wrote on :

    This is a real problem at companies that have administrator locked down… the end users cannot update plugins like Shockwave. I’m finding problems with it, where clicking to let it run doesn’t work. (Nightly 19.0a1 (2012-11-01) )

    1. rpr wrote on :

      I second that.

      1. ceres wrote on :

        yes it keeps req. that i up date,making me nuts .

  4. Roger Watson wrote on :

    I seem to be having problems with you tube as now a click to play button appears and then an error message comes up. Perhaps it could be this new ‘click to play’ update?

    1. Jorge Villalobos wrote on ::

      If you are using Firefox 17 or later, and an old version of the Flash Player plugin, then yes, that’s what’s happening.

  5. Sandra wrote on :

    I very much like the click to play extension so Flash doesn’t start before I want it to =)

    Is it possible to enable click to play for also updated plugins?

    1. Jorge Villalobos wrote on ::

      We will probably move to click-to-play by default in the future, but it isn’t ready now. You can use the Flashblock add-on to get a similar experience.

      1. Byron wrote on :

        Flashblock add-on is needed? I thought there was a pref, something like plugins.click_to_play = true.

        1. Jorge Villalobos wrote on ::

          There is a preference, but I wouldn’t recommend changing it. There is still work to be done before click-to-play is ready to be fully activated.

  6. Torkel wrote on :

    “We will probably move to click-to-play by default in the future”

    I really hope you do! It is a more sane default. And it will make pages using Flash for advertisement load a lot faster and use less memory — making Firefox even more secure and fast.

  7. beerbt1 wrote on :

    Additional FoxTab how to enable click-to-play next? Firefox window, click the extension icon to allow, but do not respond, it can not be activated Additional FoxTab

  8. beerbt1 wrote on :

    How do I enable the plugin FoxTab

  9. dreamer wrote on ::

    I guess this is most relevant for linux, which has been dropped from adobe’s radar.

    Does silverlight also mean moonlight? since that is obviously lagging in its implementation.

    1. Jorge Villalobos wrote on ::

      We have only blocked Silverlight for Windows, and once for Mac OS.

  10. Thrawn wrote on ::

    @Jorge: Flashblock may give a similar user experience to click-to-play, but it’s not reliable; pages have ways to work around it. You should not rely on FlashBlock for security purposes.

    Plus, it only applies to Flash.

    A better solution is to use the NoScript addon. Enable Options-Embeddings-’Apply these restrictions to whitelisted sites too’, and then select ‘Scripts Globally Allowed’. You get reliable click-to-play for every kind of plugin – or a configurable subset of them – plus the ability to forbid JavaScript on demand for sites you don’t trust, plus filters for attacks like cross-site scripting and clickjacking. And it integrates with the built-in click-to-play feature, so when you tell NoScript to allow an object, it automatically tells Firefox to allow it.

    FlashBlock is a great idea – but NoScript does a better job.

  11. Charles Burns wrote on :

    Will the new version of firefox affect Real Player? I like Real Player and use it do download videos. I do not like to change things and then be required to change other things.

  12. DEANNA wrote on :

    I can no longer watch episodes on abc cbs etc… but i can stil on you tube why is that and why will it not let me on gmail anymore either

  13. Paul R wrote on :

    With all these updates, my Firefox is becoming less and less stable with each improvement. The only advancement I see that Really works for me is the option to reopen existing windows before the crash.

    When we were at low single digit versions, I could have open dozens of windows for Weeks with No Problem at all, all the pages I frequent I could keep open and and refresh regularly. and ALL the Captchas worked fine – it was heaven. Now with each upgrade it is a mess, I’m leery about upgrading anymore. I’m lucky if I can have open more then 4 windows for a few hours before it locks up and crashes, this is a daily occurrence, god help me if try to get I-Heart radio working, it WILL lock up in minutes. I tried uninstall and reinstall and all that BS, Nothing works.

    Is there there someplace I can go to get the older versions? and forget the updates.

  14. Gloria R. wrote on ::

    I updated to the lastest version of Adobe Flash in ‘Firefox 17′. Verified by Adobe installed and running.
    I re-started browser, but the latest version for Windows XP is still showing up as outdated when I run the Firefox addons check? This has never happened before.

    I uninstalled and re-installed the latest version, but am still getting the update addon message for Adobe Flashplayer? How can this be fixed?

    1. Gloria R. wrote on ::

      After posting this issue, I ran addons check again, and Flashplayer showing updated? But now it shows my Java addons need to be updated. However, when I check Java, I’m already currently using the latest installed Java 7.9 for Windows XP? Why is it showing I need to update it? Do I need to uninstall and re-install the same version?

  15. Matt wrote on :

    EVERYONE!!!! i recomend using google chrome or something else coz this version of FF sucks balls

  16. John wrote on :

    Hi, a plug in called “Net Usage” Meter Dose not work with the upgraded firefox, any suggestions
    Just shows a “Parsing error S3″ while trying to connect

  17. Paul R wrote on :

    It looks like you need to add the option to “undo” recent upgrade.

    I hope this doesn’t post multiple times, but when I hit submit comment, browser crashed 2 times

  18. Kekepania wrote on ::

    I’m reading mostly negative replies in any updates, also there’s an update (17.0.01) that states it will disable some of my Kapersky settings. Doesn’t sound safe enough to download.

  19. They call me Tim wrote on :

    Add me to this dysfunctional ff family with Ameritrade. It hangs on connecting to dealply for about a minute through the first layer of security and halts completely on the 2nd layer. Someone needs to go back & try again. Switching to chrome so google can track my ever move. Just what I wanted. I’ll check back in a few months to see if it’s been fixed.

  20. blugirl wrote on :

    I’ve installed the latest version of FireFox & the Click-to-Play add in…but when I went to test it, it’s not blocking Flash videos…nor am I seeing the “lego” looking icon to the left of the address bar. This works at my office…but we’re all running Windows 7. The other office that we’re having problems with is running XP. Could that be why? I checked in about:config & it’s enabled. I’m just not sure where else to check.

    1. Jorge Villalobos wrote on ::

      If the about:config preference is set, it should work. However, if that machine is running XP, it might also be running an old version of Firefox. Maybe it’s running a version that doesn’t support click-to-play?