{"id":832,"date":"2012-10-11T16:05:54","date_gmt":"2012-10-11T23:05:54","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=832"},"modified":"2013-05-16T16:32:17","modified_gmt":"2013-05-16T23:32:17","slug":"click-to-play-plugins-blocklist-style","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/","title":{"rendered":"Click-to-Play Plugins, Blocklist-Style"},"content":{"rendered":"<p>You may have <a href=\"https:\/\/msujaws.wordpress.com\/2012\/04\/11\/opting-in-to-plugins-in-firefox\/\" data-blogger-escaped-target=\"_blank\">heard of<\/a> <a href=\"https:\/\/wiki.mozilla.org\/Opt-in_activation_for_plugins\" data-blogger-escaped-target=\"_blank\">click-to-play plugins<\/a> (in short: don&#8217;t load plugins until they&#8217;re clicked). You may have also heard of the <a href=\"https:\/\/wiki.mozilla.org\/Blocklisting\" data-blogger-escaped-target=\"_blank\">blocklist<\/a> (essentially a list of addons and plugins that are disabled to prevent users coming to harm; this includes vulnerable and outdated versions of popular plugins). 
Now, appearing together for the first time in Firefox Beta, allow me to introduce click-to-play blocklisted plugins!<\/p>\n<p>This is how it looks in action:<\/p>\n<p><a href=\"\/\/blog.mozilla.org\/security\/files\/2012\/10\/ctp-in-action1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-836\" title=\"ctp-in-action\" src=\"\/\/blog.mozilla.org\/security\/files\/2012\/10\/ctp-in-action1-600x478.png\" alt=\"\" width=\"600\" height=\"478\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2012\/10\/ctp-in-action1-600x478.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2012\/10\/ctp-in-action1-252x200.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2012\/10\/ctp-in-action1.png 952w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p>(Note that the popup notification won&#8217;t show itself automatically. This is intentional, so as to not interrupt the user. To open the popup, simply click the plugin icon in the URL bar as shown below.)<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-834\" title=\"plugin-icon\" src=\"\/\/blog.mozilla.org\/security\/files\/2012\/10\/plugin-icon.png\" alt=\"\" width=\"267\" height=\"138\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2012\/10\/plugin-icon.png 267w, https:\/\/blog.mozilla.org\/security\/files\/2012\/10\/plugin-icon-252x130.png 252w\" sizes=\"(max-width: 267px) 100vw, 267px\" \/><\/p>\n<p>By combining the safety of the blocklist with the flexibility of click-to-play, we now have an even more effective method of dealing with vulnerable or out-of-date plugins. Instead of choosing between vulnerable but useful (by allowing an old plugin to run automatically) and safe but less useful (by completely disabling old plugins), click-to-play blocklisted plugins gives the user the ability to make an informed decision depending on their current activity. 
For instance, when browsing a reputable video sharing website, a user might feel safe enough to enable a vulnerable plugin in order to view the site&#8217;s content (in fact, the trusted site can be whitelisted using the &#8220;Always activate plugins for this site&#8221; option in the button drop-down menu). Of course, it would be best if the user upgraded the plugin to a secure version, but perhaps they can&#8217;t for one reason or another. In another scenario, they might not fully trust a site they arrive at after visiting a link sent from a friend. In this case, the blocklisted plugin would not automatically run, and the user would be protected.<\/p>\n<p>At the moment, click-to-play blocklisted plugins is a security feature that protects against drive-by attacks targeting plugins that are known to be vulnerable. It does not prevent attacks where a user is convinced to activate a vulnerable plugin on a malicious site. It also is not an all-purpose plugin management system.<\/p>\n<p>This feature is enabled by default, so users are automatically protected. For the adventurous, the about:config preference &#8220;plugins.click_to_play&#8221; can be set to true to enable click-to-play for all plugins, not just out-of-date ones. However, this aspect of the feature is still in development.<\/p>\n<p><span>This feature is currently in Firefox Beta, so <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/beta\/\" data-blogger-escaped-target=\"_blank\">grab a copy<\/a>. For more information about the specific plugins we&#8217;re starting with, visit the <a href=\"https:\/\/blog.mozilla.org\/addons\/2012\/10\/05\/prompting-our-users-to-update-their-plugins\/\" data-blogger-escaped-target=\"_blank\">add-ons blog<\/a>. 
There is also more information in a <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=754472\" data-blogger-escaped-target=\"_blank\">few<\/a> <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=793338\" data-blogger-escaped-target=\"_blank\">bugs<\/a>. <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You may have heard of click-to-play plugins (in short: don&#8217;t load plugins until they&#8217;re clicked). You may have also heard of the blocklist (essentially a list of addons and plugins &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/\">Read more<\/a><\/p>\n","protected":false},"author":525,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Click-to-Play Plugins, Blocklist-Style - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dana Keeler\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/\",\"name\":\"Click-to-Play Plugins, Blocklist-Style - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2012-10-11T23:05:54+00:00\",\"dateModified\":\"2013-05-16T23:32:17+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/10\/11\/click-to-play-plugins-blocklist-style\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Click-to-Play Plugins, Blocklist-Style\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736\",\"name\":\"Dana Keeler\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8a8a12f35e73f4f9942eb18d86c4828b\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g\",\"caption\":\"Dana Keeler\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/832"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/525"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=832"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/832\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=832"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}