Slashdot Mirror


Mozilla Testing Click-to-Play Option For Plugin Content

Trailrunner7 writes "Mozilla is developing a feature in Firefox that would require some user interaction in order for Flash ads, Java scripts and other content that uses plugins to play. In addition to easing system slowdowns, the opt-in for Web plugins is expected to reduce threats posed by exploiting security vulnerabilities in plugins, including zero-day attacks. 'Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web. So much so, that over 99% of internet users have Flash installed on their browser,' writes Mozilla's Jared Wein, the lead software engineer on the project, in a blog post."

18 of 124 comments

  1. Why did it take so long?! by Anonymous Coward · · Score: 5, Insightful

    Seriously, this is a no-brainer, that has been implemented by tonnes of extensions. So now that we're at version 4000, why is it suddenly a good idea to implement it?

    1. Re:Why did it take so long?! by b4dc0d3r · · Score: 3, Informative

      And, it was the subject of an EOLAS lawsuit against Microsoft, who IIRC had to disable automatically running things in IE for a while (maybe they got that overturned before actually having to implement it).

      EOLAS invents something, patent-trolls, gets $30 million (down from the 500+ originally awarded) and 10 years later everyone starts to realize it's a bad idea!

  2. finally by Anonymous Coward · · Score: 2, Insightful

    This should have been the default 10 years ago.

    I'm a fan of Java, but I still cringe when I go to a web page and the Java console opens.

  3. for javascript? by sdnoob · · Score: 4, Insightful

    really? you'd get carpal tunnel if you had to click-to-run every script on most commercial sites these days.

    no script is more effective but with a learning curve.

    but either method will still have the masses turning the 'feature' off (essentially white-listing everything).

    1. Re:for javascript? by phayes · · Score: 3, Informative

      I've been using NoScript for years. You whitelist the trusted sites where you need it & the others are just an occasional click.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:for javascript? by amicusNYCL · · Score: 3, Informative

      This doesn't have anything to do with JavaScript; JavaScript is not a plugin. This affects plugins like Flash, Java, and Silverlight.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  4. Re:You mean like by ElmoGonzo · · Score: 3, Informative

    FlashBlock, too.

  5. HTML5 has half the frame rate of Flash by tepples · · Score: 4, Interesting

    i would rather see HTML-5 make plugins like flash obsolete

    So would I. But first, someone must fix these problems:

    • Make vector animations in web browsers implementing HTML5 Canvas play as fast as they do in Flash Player. This benchmark gives about 40 fps for Flash on my computer and 20 fps for Canvas in Firefox.
    • Make a tool to author vector animations.
    • Make a way to reliably convert existing vector animated series, such as Weebl and Bob and Homestar Runner, so that they can be played through an implementation of HTML5. Smokescreen goes part of the way toward this.
  6. Re:You mean like by allo · · Score: 2

    I think you need to change the defaults for that. Might be a reason why some NoScript users still use FlashBlock.

  7. ClickToPlugin by Maury+Markowitz · · Score: 2

    I run ClickToPlugin in Safari for all the reasons above. During general browsing my fan no longer turns on and my battery lasts days.

  8. And SVG is even slower by tepples · · Score: 2

    you need to test scripted svg.

    Result of same benchmark with SVG: eight times slower than Canvas.

  9. Re:There's a better solution by tepples · · Score: 3, Insightful

    As I wrote in another comment, both Firefox's implementation of Canvas and Firefox's implementation of SVG are substantially slower than Flash Player at playing back vector animations. Furthermore, most web browsers don't provide an API for a JavaScript program to (ask the user's permission to) turn on the camera and microphone. Once Firefox's implementation of Canvas becomes competitive in frame rate and once a device API becomes widely implemented, I will become more inclined to agree with you. Until then, SWF is the only way to push certain features out to users of IE 8 who lack permission to install other browsers (e.g. work break room, public library) because Adobe Flash Player is far more widely installed than Google Chrome Frame.

  10. NS by tunapez · · Score: 5, Interesting

    I've tried this on numerous occasions; the more advanced users eventually click "Allow Scripts Globally", the less advanced keep calling me until I click "Allow Scripts Globally".

    I personally love it, easy-peasy black/white-list. My other apps do not stutter and bog whenever I scroll a page or open a new one. Pages load faster or not at all (both good IMO). Google's auto-search doesn't clog up my 1MB connection or freeze FF trying to force feed me their assumptions (must remove Goog from pre-loaded whitelist). Minimal ad tracking tools/cookies/malware collecting in my system, bleachbit completes in record time. My whitelist allows mo-add-ons page, my local library and some local devices. I'm typing now with /. & FSDN blocked. With the exception of moderation, the site suits me better with them blocked!

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  11. Gnash by buchner.johannes · · Score: 3, Insightful

    I would like it if one could decide on a per-site basis to play the Flash with Gnash or with Adobe Flash.

    Gnash is much faster, plays nicer with the graphic card, and is more secure. I had success using it on several websites.

    However it doesn't support many of the newer Flash features, so everyone trying it out will turn away from it.

    If there was a "SafeFlash" extension, that would, like HTTPSEverywhere, use Gnash where the website is compatible, a smooth transition away from Adobe Flash (which will be phased out for Linux anyway apparently) would be possible.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:Gnash by hairyfeet · · Score: 5, Interesting

      While that is a pretty good idea, there is an even worse bug in FF that they need to address because I'm sure other bad guys will pick up on it, and that is the Yahoo porn bug. I call it a porn bug because it's seen most often on porn video sites, but I've been told the trick is showing up at other places so maybe it's starting to spread, and the sad part is it ought to be trivial to stop. This is how it works:

      Target A uses FF to surf a porn video site. While the video is playing, FF is sent a hidden iFrame that loads the Yahoo login, FF logs the target in, and then everyone in their address book gets porn and malware spam links. This gets around many of the spam filters because it's from a non-blacklisted account and they don't send more than one or two emails per targeted address, and having received a couple from those that were hit, it looks like it may be taking random sentences from somewhere (maybe another hidden iFrame?) to get past the filters and look like a legit email.

      The fix seems pretty obvious and I honestly don't know why Mozilla hasn't done so. All one would have to do is prompt the user on install or upgrade to put a master password on their password store and, here is the key, have it only ask ONCE per session, and no means do not ask again for the session, because after telling my users to put a master password they immediately started screaming that it made FF unusable, so I put a master password on mine and...wow. It will bug the ever loving shit out of you with constant asking for the master password! I was getting 4 or 5 requests for the master password on just regular sites, which tells me that the current password design sucks ass if so many see you are running FF and try to hit it.

      So while I'm glad they are working on the autoplay problem, I'd say user passwords being threatened is just as big if not bigger and really hope they do something about this in future releases. Since I had a machine I was gonna wipe anyway, I decided to cook up a couple of phony Yahoo accounts (along with a phony Gmail and Hotmail) and test this for myself, and can say that at least as far as I could tell this bug ONLY affects FF and Yahoo, not Gmail or Hotmail, and not Dragon, Opera, Safari, QTWeb, or Chrome. So I'd say if you have a user or family member that uses Yahoo as a primary email you might want to switch them to another browser until they get that fixed. Oh and NO, I did NOT test IE because after they refused to backport to XP, which is still supported, I officially wrote off IE. If you have to replace a supported OS just to stay current on the fricking browser then it's no longer a functional choice IMHO.

      Oh and since someone always seems to ask the version number, the one I tested was, I believe, 8; FF has been spinning through version numbers so fast lately it's hard to keep up and I don't have the time to rerun this test every time a browser has a new release. If someone wants to run the test again it's pretty easy; you'll need 1 fake Yahoo account along with either another fake Yahoo or Gmail or Hotmail in the address book of the fake Yahoo so the bug has an email to send spam to. Then simply start clicking on random porn vids, xHamster or youPorn, any of the major porn sites will do. If the bug is still active you'll see strangely worded spam go to your target account from the Yahoo account and that's how you know it's still active. Like I said, I just don't have the time, so after trying several browsers I switched my users and family over to Comodo Dragon since it had both ABP and low rights mode. Since the switch no more strange porn spams, so I'd say it was a successful switch.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  12. Re:There's a better solution by CharlyFoxtrot · · Score: 2

    Or the users will just move to the browser that doesn't break things since they won't want breakage.

    Yeah, it'd require some consensus between Mozilla, Google and Microsoft although the first two would probably be able to force the issue on their own. Note that Apple's already there with iOS. The future is smartphones and tablets and they're already plugin-free, we just need the desktop to catch up.

    --
    If all else fails, immortality can always be assured by spectacular error.
  13. yes, please by Tom · · Score: 3, Insightful

    On anything that is video (animated images count) or audio, I absolutely want confirmation.

    I regularly open several tabs in the background, e.g. go through a news site, open all interesting articles in their own tabs, continue until end of summary page, then go read all of them. The next time some audio suddenly starts blasting through my speakers, drowning out my music, and I have to hunt down the fucking window that does it, I'll go berserk.

    Seriously, audio in webpages should always require an explicit user start.

    --
    Assorted stuff I do sometimes: Lemuria.org
  14. What am I missing? by WillyWanker · · Score: 2

    OK, I don't use Firefox, I use Chrome. And I have plug-ins disabled by default, so they all show up as grey boxes. If I want to run one I right click and select Run. How is this any different?