Firefox's Blocked-By-Default Java Isn't Going Down Well
JG0LD writes "The Firefox web browser will, henceforth, require users to manually activate Java objects on sites that they visit, Mozilla has confirmed. This even affects up-to-date versions of Java, which you can see on the block list. The change is aimed at improving security and moving away from a dependence on proprietary plug-ins, but critics say it will cause untold headaches for developers, admins and less-technical end-users."
Users hate authorizing things, and become trained drones blindly okaying everything anyway.
As security models go, it's a poor one.
They should probably get their heads checked, why are they making Java apps for webpages still?
Having problems for the past hour with cursed Java on my Mac. Really pisses me off that my Insteon controller absolutely requires it to update the system!!!
The developers can suffer, why the hell does a web page need to run 50 scripts for goodness sake!
I'm not a developer, but I'm pretty savvy with computers. So the first time I got that message, I went and updated Java. Fixed it, right? Nope. So I clicked around, and finally accidentally clicked on the little red icon up in the menu bar. Success! Now it gave me an option to run it. Which popped up another window asking for permission. Dear Firefox: You have a small portion of the browser market. Making yourself a nuisance by breaking big pieces of the web is not intelligent. It just drives people to chrome, or IE. Especially everyday users who don't want to screw around and just want things to work.
just implement all functionality in JS instead, (damn the performance) - they've already ensured that the 'less technical users' won't disable *that* sucker.
They are coded for IE 6 and maybe up to IE 8 if it is very cutting edge with new css 2.1 glory.
In other words banks and corporate apps. The rest have moved on to flash and ajax last decade.
Webapps in java were a way to make up the shortcomings in Netscape 3 to imitate html 5 and ajax today. Obsolete and done
http://saveie6.com/
moving away from a dependence on proprietary plug-ins
Like the browsers themselves?
Hey maybe we can get all the people at Adobe and Oracle laid off the same week. Wouldn't that be fun?
Isn't it great how the web is moving away from "proprietary plug-ins" and straight into proprietary mobile devices?
And look at the web users cheer. The people who built the web would recoil in horror at what you have allowed to happen to the Internet.
I give it five years, maybe six, and the Internet will be completely walled off by a McDonalds logo.
Firefox will be exactly what Scott Adams predicted...
http://dilbert.com/strips/comic/1995-03-25/
Applets may be "The Debil", but they also fill a need that can't be filled by Flash or HTML5.
Mozilla needs to get over themselves.
Java is huge in the business back end, but front end Java just leaves a bad taste in the mouth of users. Slow, bloated, painful to use and kinda salty.
Yay me!
"it will cause untold headaches for developers, admins and less-technical end-users"
Wait, we're talking about the endlessly incompatible point-oh-oh-one releases of the Java plugin, right?
I want to delete my account but Slashdot doesn't allow it.
It's been great knowing you over the years. So sorry that the shot you intended to put through your foot went the other direction and blew your brains out.
Seriously, what kind of bubble do the idiots making these decisions live in?
Meaning you only have to authorize 2 or 3 domains once. And you're good to go.
Noscript (which I've used since forever ago) works fine with sites like youtube or google.
They want our business so make it easy to whitelist. Same with hotmail.
Now, more shady sites or lesser known pages (blip tv) with amateurish developers or packages with shady ad hosts have 100+ objects to unblock. I basically don't bother with the web unless it's plain text readable or mainstream anyway.
Captcha: capable
Meaning it's capable to deal with java and not need a fucking crazy system of linking to multiple resources. Even /. can tell the future.
We'll see. I've been running the FlashBlock plugin for years (to manually enable flash elements) with VERY FEW adverse effects. I doubt having to manually activate Java elements will be any worse.
sig: sauer
There are two ways to improve security - lock out the user, or educate them.
Locking out the user is great - but it only works on NEW products, and if you don't have competitors. The reason it works well on NEW products is that the user isn't conditioned on what to expect. Remember, trying to change how people use their computer is an uphill battle. It works well when they do not believe they have alternatives.
Educating the user is harder, but that is the real fix. You aren't improving security by saying 'As responsible devs, our software won't do what you want'. Instead, make a two minute video showing them how $technology is flawed, and make them watch it ONCE. Then, let them choose whether to block $technology or live with it. Because right now they get fed up with Firefox (NOT Java), and click the little blue e.
And yes, it isn't a great hassle to keep using FF when you allow users to "click to allow $applet". But the pain is that I need to look at the little red icon in the address bar to permanently enable something. You might say that if I can't handle this additional step, I shouldn't be making a choice on whether to run an applet or not (but that is a bad road to head down). You could have just made a popup when I run an applet that says "Do you want to remember this setting?" - it doesn't fix the security problem, but the current solution doesn't either. At least this way, I don't feel frustrated at my browser for someone else's (Oracle, in this case) screw ups.
Developers need to get used to the idea that they can't count on either flash or java being present on the client end. That's just the way it is.
As someone who quite likes Java for server side applications, I am happy to see more nails in the coffin for applets.
In fact, I just recently spent a couple of days writing some HTML+CSS+JS code to replace the functionality of the last couple of Java applets on our web site at work that were in place for at least 7 years. It was quite easy using modern standard features and libraries like jQuery.
And during this process, with two of my testers, I found that IE would give all kinds of warnings about the applets when the Java plugin was enabled, but then DISABLING it caused them to just RUN with no questions asked. WTF!?
I've got Java blocked by default, Javascript, cookies, flash, ads, and trackers blocked by default too.
Never causes me more than a few seconds bother.
This is overblown like crazy
an anti-vote button. I am willing to bet the vast majority of users would disagree with this move.
Firefox's handling of Bugzilla has been terrible for years. It is the primary reason I switched from Firefox to Chrome. I was tired of the one-way communication, especially coming from a so-called open-source project.
I've had about enough of Mozilla's arrogance and stupidity.
Ohh so that's why my ebanking stopped working on firefox. Thanks guys!
Firefox has now increased the workload, now I'll have to press that damn warning button every time.
If you're one of the select few that still uses applications coded in that piece of trash, well, complain to your vendor or find a new piece of software. I haven't used a java application in years. Like 10 years.
My laptop went bad about a week or so ago, and I wiped it and have been reinstalling. One item is a VPN connection client that allows me into my University network from home, so I can access software licenses and work on my labs. This is for an MS degree in Electrical/Computer Engineering. Firefox forbade that from installing on my recovering laptop (Win 7 Ultimate 64) and so I was forced to use MSIE just to get my link installed and configured. Sorry Mozilla, but you did prevent me from doing something tremendously important to me, and there was not a thing to click on to activate Java in this case.
The whole point of all that byte-code stuff and just-in-time compilation was to keep Java programs in a sandbox where they couldn't affect the rest of the system.
FAIL.
How to enable Java if it's been blocked
So, now, the latest version of Java (7.45) is considered outdated.
Absolutely brain-dead decision.
You are being MICROattacked, from various angles, in a SOFT manner.
Oracle Java has ALSO decided, due to the persistent security problems due at least in part to having concurrent (i.e., old) versions installed (and the fact that the largest exploit kits have used Java as one of their main vectors for some time now, alongside Adobe Reader of course) to disable Java plugins in the browser by default in recent updates.
So, what's the big deal? This is the correct decision from a security perspective. I can't remember the last time I saw someone on the World Wide Web actually USE a Java applet for good, rather than for evil. And I'd have noticed, because even after all these years, it still runs like an absolute dog. It's the kind of thing you might use on a local application (such as Minecraft, which is what I think probably most people who still have it installed use it for now, albeit they'd likely have the 64-bit version which wouldn't have a working browser plugin in a 32-bit browser anyway!) or an intranet site (which is your administrator's problem, to re-enable it for that site only, or to use a different browser for the web and the intranet, which you can totally do and is good practice).
I've got many other criticisms about Firefox recently from a security and performance perspective - let's face it, it's just not the zippy, efficient browser it used to be, even relatively-speaking, it's lost its mojo and the security team have a reputation for having a slow, and fairly arsey, response - but this seems to be the right decision and they should be lauded for it. IE has also done it, as has Chrome.
I don't get it why people hate Java applets so much they want them to go altogether. It's true that they have been overused (in the 90s?) and HTML5 usually yields nicer results on a web site. But Java applets fill an empty niche: they are the only portable solution to actually do something on a client computer aside from doing UI, like accessing the file system and launching external applications.
For example, I have a Java applet which downloads, decompresses and processes data from a bug tracking system. How should I implement this in HTML5? Or in Flash, which is hardly better than Java? Or would Active-X have been better? Really?
Now being a Chrome user, I already know the behavior now implemented in Firefox and I hate it. I don't see any rationale in generally distrusting Java and generally trusting Flash, for example. By the way, Java asks for permissions to run an applet itself after it's launched, no need for the browser to do it, too! And unlike Chrome, Java will allow you to trust a signed applet forever, so that you don't have to pass through the procedure every single time the applet is launched.
8 out of 10 browser exploits in the wild get in through Java.
Just remember to smile as you leave.
Virtually any bug in Firefox's Bugzilla that isn't purely technical ("frob the whizzlork") has some amount of complaining after it's been fixed, and maybe before it's been fixed, and while it's being fixed. This is pretty light in the grand scheme of things; you should see the pages and pages of griping about the status bar.
Whitelisting by site is exactly the correct behavior for an untrustworthy plugin. Give it a week or two for everyone to get used to this radical change in technology (push a button?!) and we'll all forget about it.
From Link:
First I've heard that Java 5 and 6 are not considered dead yet.
You are being MICROattacked, from various angles, in a SOFT manner.
You obviously know what you're talking about. I would like to subscribe to your newsletter...
I use firefox and haven't encountered a single issue with java not working... that is because I can't even remember the last time I saw a site with an applet.
Really this is a non-issue that will go the same way as active-x support. Only people in Korea will care.
If you are still developing/depending on applets, 1995 called they want their stupid ideas back. What next, your mail link is an animated gif?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
My mother learned in 10 minutes how to enable java script with noscript/flash. She is not technically savvy, but I explained it to her at her level. She got it. I expect a good slice of those using FF now "not getting it" are those not wanting to learn.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
You are being MICROattacked, from various angles, in a SOFT manner.
Must we have this troll comment every time someone mentions Java applets?
Java applets are commonly used, as they have been for many years. According to this Chromium blog post from September 2013, 8.9% of Chrome users had launched something using the Java plugin in the past month.
Among the common uses that get mentioned every time this discussion comes up are: public access to banking and government systems in various countries, games, user interfaces for devices (scientific equipment, network infrastructure, all kinds of examples), access to local hardware devices that aren't yet available via newer technologies, some popular teleconferencing and VPN software, and little demo graphics written by academics to go on their web sites a decade ago that are still just as relevant today.
In other words, just because you don't use Java applets yourself or know when they're still useful, don't assume everyone else is in the same situation.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
You do understand that without those Bad Things you so hate, there probably wouldn't be a Web worth saving, right? Someone has to pay the bills, and if you're not going to pay for content, you're not going to accept advertising, you want full privacy and security when using services you're not paying anything for... Who is going to write the cheque?
I hate DRM and spammy ads and privacy invasions as much as anyone -- more than most, probably, given that I really do give up on some things most people accept because I refuse to support the intrusions. But still, we live in the real world, and you can't just wish Bad Things away without proposing Better Alternatives. BTW, "everything I want should be free and unencumbered" is not a viable Better Alternative.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
My take seems a bit different to most of the posts so far. The guys at Googzilla know things about software that most of us mortals don't. I coded for 25+ years, but today's current stuff - there are many better experts. They found something, they are protecting the (mostly dumb) end users.
Personally I didn't like the smell of Java from day one. At my one job they suddenly got in a surge of Java-only coding kids from the Java-only schools (uni's and colleges) of the late 90's. Over the years since then there have been so many security issues, breaches, etc - all featured here on slashdot - that I've lost count. But every time, I secretly smile inside... "vindicated".
Where do you find this "vast majority of users" who loves Java applets so much that they don't want to convince web developers to stop using the crap?
Java applets sucked 15 years ago, and they still do. Any web developer who still hasn't figured that out, deserves to be out of his job.
Not only a security problem, that's just the surface, but the smothering care of Oracle plus the whole 1999 feeling makes for a combination that made this step necessary years ago.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I suspect this will either be backed out, until mozilla pull their finger out and sort through their UI issues first. Or it'll end in litigation.
We've made more than enough concessions to the 'less-technical end-users' already. I for one am sick of people who expect to be able to use a machine as complex as a computer without having the slightest clue as to how it actually operates. Mozilla is on the right track here. Security needs to come first. Also, /. needs a new category just for NSA-related articles...
Thank you, Firefox. You're doing the world a favor.
Firefox continues to get worse with every update.
html5 can replace flash, check this link on how firefox can replace flash
still not perfect, but getting better. it will replace flash, just like PDF.js can replace PDF plugins in browsers
Higuita
I am an administrator and sometimes a developer. I must say that I really don't like java applets, and I kind of love Mozilla for taking java plugin support out of the browser as default. As long as this helps remove java plugins in the long run, I am all for it. And I really think Mozilla should have a big kudos from everyone, for taking the heat for this.
I guess they can even run javascript inside the same VM, so a unified approach.
In fact they already have a VM they use for javascript (the whole -Monkey family), and their VM is even able to compile to native. Not only JIT, but even more so for specially crafted javascript called ASM.js (it's standard Javascript that only uses those features which translate nicely into machine code: doesn't use dynamic typing, only uses safe typing, etc.) enabling near-native speed for some code.
In theory, it should be possible to create a process which recompiles java byte-code into ASM.js and feeds it into the VM for nearly-native speeds.
In practice, Java is a huge pile of complicated mess, and thus lots of applications end up being highly dependent on Sun/Oracle/IcedTea Java and do not run well on any other implementation (like GCJ), mostly because of missing classes or whatever. So you'll end with something as good at running Java as currently Gnash is at running Flash - more or less works broadly in theory, but breaks on lots of specific cases. Given the current market for java (bazillions of in-house applets in businesses) it is going to be hard to test every case. Whereas Gnash only breaks on some stupid casual games and video players for cute kittens (and pr0n), a Java-reimplemented-in-the-browser would probably break business intranets and core business applications.
The only possible solution is implementing only the bytecode execution itself (transcode Java bytecode into ASM.js - like plugging GCJ to LLVM to emscripten to odinmonkey, for example). And then re-use the opensourced classes from IcedTea and co. But then you're again running the original java with all the original bugs, only on a different platform. If a bug in the official libraries enables an attacker to steal encryption keys from other apps, this is still going to put your bank's e-banking applet at risk, no matter if said applet runs on an uncrashable Mozilla OdinMonkey VM or the official Oracle JVM.
And Google recently developed an efficient sandbox called NaCl, so why not follow them? They could even run Java inside NaCl to add another layer of security.
NaCl isn't really a sandbox. It's only a special way to package executable native code, with limitation of what said code can do. It's some security restrictions (NaCl applications can only run a subset of the whole API available to normal applications and aren't allowed to run some instructions), stacked on top of the pre-existing Google Sandboxes (each into its own process).
Even if you use a JVM running as a NaCl application, you've only partially solved the stability problems (JVM crashes less, and when it crashes, it doesn't take the whole browser with it). You haven't solved security (obscure stupid java classes leak encryption keys or passwords due to bad design).
Also note that NaCl is completely against Mozilla's approach and will never get implemented. Mozilla simply doesn't want binary code, because it's limiting (NaCl only runs on x86 and ARM), and still a security problem (even if it's much better than ActiveX, you're still sending executable code from the internet into a browser).
Still PNaCl is probably where everything will be heading: this time it's not the actual binary which is shipped, but the previous step in the compilation process - the LLVM bytecode. Google can still compile it into NaCl (and run better security checks at compile time). And mozilla can use it to compile it with emscripten into ASM.js. It's now much more portable (you could run it on MIPS for example), and much more secure (when compiling ASM.js, memory accesses are translated into read/writes to/from an array instead of random memory writes).
Hell, they could even run the complete browser inside NaCl, so Firefox would run on Chrome too :)
If you want, you can even use Firefox to run one of the virtual machines written in Javascript, boot a virtual Linux distribution and run Chrome on it.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Both our KVM and NAS at work use Java as their interface. In both cases the reason is the same: to support management from arbitrary clients running any OS. They don't want to require you to install a program just to manage them and they want to easily support Windows, Linux, Mac, and so on. However the interface needs to be highly interactive to be useful. In the case of the KVM it actually has to stream video that it compresses from various sources. So Java it is.
These are some outdated devices from yesteryear, they are both current products on sale right now. The KVM is a Minicom Smart 216IP Switch, and NAS is a Dell Equallogic. While these may not be the world's highest end products, they are real enterprise products and they are both on sale right now.
While I don't like Java, particularly its insecurity, trying to pretend like it's some relic of a bygone era that we no longer need is silly. If you do systems administration, Java is something that you are going to run into quite a bit. I don't have the choice of "just don't use it" or something like that.
[...] but critics say it will cause untold headaches for developers, admins and less-technical end-users.
The few dozen of the "developers, admins" who still insist on using applet should grow up and stop torturing the "less-technical end-users."
My company would have been impacted (search in documentation is a Java applet, because documentation should be also usable locally, without a web server) if not for never managing to approve FireFox or Chrome because of their version carousel. Ironically, Opera got approved shortly before they have also picked up the rolling releases games.
All hope abandon ye who enter here.
I uninstalled Java because of the constant security issues almost a year ago. I haven't noticed any issues with the web sites I need to use since and have been overall happier. I realize that this won't work for everyone, but this change in FF is a good opportunity to see what the impact would be if you did.
It seems like the main justification to require that the end users allow Java in their browsers is to support e-signatures using e-certificates.
This is a real problem and affects a HUGE amount of end users in Europe and South-America where governments are performing massive deployments of electronic ID Cards among the population (8 million in Austria, 3 million in Portugal, 35 million in Spain, Finland, Belgium, etc... already deployed, 65 million in Germany, 150 million in Brazil, Peru, Chile... planned). In other words, there are already millions of e-certificates in the hands of end users, and the number will keep on growing. End users can use these e-ID cards for e-authentication and e-signature purposes. Moreover, their governments, bank, insurance, telco and utilities companies require these users to use their e-certificates for a lot of transactions. Maybe, this is not obvious in the US or for US-based companies, where the use of e-certificates is not extended among the population, but it is happening anyway.
Right now, Java is the only "serious" option to support e-signatures using e-certificates though different Operating Systems and Browsers (only in theory, regrettably in practice is filled with security holes and has been suffering a lot of recent updates). Javascript is not a "serious" option. Governments and big companies are not going to use it to provide cross browser support for electronic certificates. Period. And Governments and big companies are the ones to convince here, as they are the ones with the leverage to require end users to install and use Java.
Sure, Oracle should fix its Java applet. However, the problem is not going away just because Mozilla/Microsoft/Google/Apple are angry about it and react by disabling java in their respective browsers. Firefox/IE/Chrome/Safari should provide a "serious" alternative to Java, such as backing-up and implementing ASAP things like the W3C Web Cryptography API (see http://www.w3.org/TR/WebCryptoAPI/ ). Getting angry and disabling Java for the end user is not a solution. It's only going to frustrate end users with your browser. Governments and big companies are not going to change their ways. The only two possible solutions are: (1) browsers work together to provide a real Java alternative to Governments, Big companies and end users or (2) browsers sit down and pray that Oracle gets its shit together once and for all. Until then, Governments and big companies are going to keep on using Java and requiring their citizens and customers to use Java. And this problem is not going to go away.
... around here, the end user is the problem.
They are just fools who don't know what is best for them like we do.
Javascript is killing everything. Now it's fairly standard to have 3 or 4 or 5 levels of Javascript with dozens of objects. It's choking everything to death. Time to fight back
Yes, don't install silently a program to directly access someone else's computer, ESPECIALLY to read off keys off a security token. Instead get them to install an application with source so they can compile a version they KNOW will only access their security fob for the purposes of the access required to the place that needs the access only, and get them to install that.
Now do this with JavaScript (at least when it comes from a different host than the page being viewed).
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
but critics say it will cause untold headaches for developers, admins and less-technical end-users.
Is this less or more headaches than the constant barrage of malware leveraging Java? Aside from exploits, the fake security scan authors seem to love using Java as well.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
I manage a local computer repair shop, until recently we installed Firefox by default with operating system reinstalls. Now we have moved to recommending chrome mainly because many of our users are having issues with sites like pogo working on Firefox. I think this is a nail in a fast closing coffin for Mozilla, users want things to just work and Firefox no longer does. But chrome never seems to fail.
there are 10 types of people in this world, those who read binary and those who don't. which are you!
From day one Java & client side javascript should have been blocked by default with the user shown a placeholder if they want to run something. All this crap does is enable user tracking and exploits. Bag o' shite.
99% of the time javascript is used because "developer" idiots can't just use a simple hyperlink in their web pages. Retards the lot of them.
The last security change to FF broke PDF's. Now Java.
I'm not looking forward to this.
If the people objecting to the new default knew the circumstances around the decision, they wouldn't be objecting to it.
Join the Slashcott! Feb 10 thru Feb 17!
Who the fuck uses applets anymore?
I'm a good cook. I'm a fantastic eater. - Steven Brust
8 out of 10 browser exploits in the wild get in through Java.
83.7% of statistics are invented.
On most of my systems, Java has been uninstalled. One system has it installed, but the browsers are not allowed to use it.
I haven't found a site that requires Java that I need yet. If I find one, I'll probably look for an alternative, or temporarily enable Java.
You can lose something that is loose, so tighten the loose item so you don't lose it.
Mismodded, ignore
Mentioning JavaScript and "ASM" (presumably not standing for assembly)
Indeed, ASM.js is not assembly.
It's a subset of javascript, more precisely, it's that specific part of Javascript which maps nicely to concepts which are easy to compile into machine code.
For example it doesn't rely on dynamic typing (Instead it uses type-tagging to clearly mark which variables contain which data type).
It doesn't use Javascript managed memory handling and garbage collector, it simply uses a huge array as a stand-in for virtual RAM,
Also only uses a specific subset of Javascript API which can be mapped to regular C/C++ API (use WebGL as a stand-in for OpenGL ES)
etc.
Then the latest Firefox javascript machine (OdinMonkey, the successor of SpiderMonkey, TraceMonkey and JägerMonkey) is able to use all these hints and compile this thing as native code and then execute that at nearly native speed.
Now you might see why it's called ASM.js: it's a small wink to the fact that, from a C-compiler's point of view, it's a concept not too distant from assembler. It's still the language that the compiler spits out that will end up being transcoded into machine code (except that ASM.js isn't specific to any CPU architecture, that the machine code gets transcoded inside the browser, and the ASM.js syntax doesn't look like classical assembler mnemonics, nor like modern IR bytecode).
As it is still JavaScript, it still can be used in any other browser. If the browser supports type tracing and JITing, it can still benefit from some of the advantages of ASM.js (like its type tagging) and run ASM.js code not too slow.
The intended purpose is not writing apps directly into ASM.js (That would be cumbersome given the weird JS dialect), but use it as an intermediate into which actual applications (for example a game written in C/C++) are compiled before shipping to browsers, while both leveraging available optimisation (JIT, typetracing, or even pure machinecode compilation) and staying ECMAscript compliant.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
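The type tagging and "huge array as virtual RAM" described in the comment above, as an added example that is not part of the original thread or of any Mozilla code: a small asm.js-style module whose every load and store goes through one typed-array heap, so an out-of-range "pointer" reads as 0 or is ignored rather than touching other memory. The names `HeapModule`, `sumInts`, `loadInt`, `storeInt` and `demoAsmHeap` are hypothetical, and the heap contents are constructed sample data.

```javascript
// Added illustration; all names here are hypothetical.
function HeapModule(stdlib, foreign, heap) {
  "use asm";
  // The module's entire "RAM": one Int32 view over a caller-supplied buffer.
  var HEAP32 = new stdlib.Int32Array(heap);

  // Sum `count` 32-bit ints starting at byte offset `ptr`.
  function sumInts(ptr, count) {
    ptr = ptr | 0;     // type tag: parameter is a 32-bit int
    count = count | 0; // type tag: parameter is a 32-bit int
    var total = 0;
    var end = 0;
    end = (ptr + (count << 2)) | 0;
    for (; (ptr | 0) < (end | 0); ptr = (ptr + 4) | 0) {
      // `| 0` keeps the running total a wrapping 32-bit int, as in C.
      total = (total + (HEAP32[ptr >> 2] | 0)) | 0;
    }
    return total | 0;
  }

  // Read one int at byte offset `ptr`; outside the heap this yields 0.
  function loadInt(ptr) {
    ptr = ptr | 0;
    return HEAP32[ptr >> 2] | 0;
  }

  // Write one int at byte offset `ptr`; outside the heap this is a no-op.
  function storeInt(ptr, value) {
    ptr = ptr | 0;
    value = value | 0;
    HEAP32[ptr >> 2] = value;
  }

  return { sumInts: sumInts, loadInt: loadInt, storeInt: storeInt };
}

function demoAsmHeap() {
  var HEAP_BYTES = 0x10000; // 64 KiB heap (a power of two, as asm.js expects)
  var heap = new ArrayBuffer(HEAP_BYTES);
  var mod = HeapModule(globalThis, {}, heap);

  // Constructed sample data placed at byte offsets 0..15 and 16..23.
  var view = new Int32Array(heap);
  view.set([10, 20, 30, 40], 0);
  view.set([0x7fffffff, 1], 4);

  // A separate object the module holds no reference to.
  var outside = new Int32Array([0x1234]);

  // Out-of-range accesses: one word past the end, and a negative offset.
  mod.storeInt(HEAP_BYTES, 7);
  var oobRead = mod.loadInt(HEAP_BYTES);
  var negRead = mod.loadInt(-4);

  return {
    sum: mod.sumInts(0, 4),       // 10 + 20 + 30 + 40
    wrapped: mod.sumInts(16, 2),  // 0x7fffffff + 1 wraps to INT32_MIN
    oobRead: oobRead,
    negRead: negRead,
    heapBytes: heap.byteLength,
    outsideUntouched: outside[0]
  };
}

console.log(demoAsmHeap());
```

The module can only misuse data inside its own heap: a bad offset cannot reach `outside` or any other object, which is the containment property, but bugs in the compiled program's own logic and data still apply.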
The Internet is a war zone. Not running some sort of script-blocker is like flying through an asteroid belt with your shield down.
Microsoft lulled users into poor security practices with "just works". Java is just too vulnerable to not have some kind of click-to-play or white-list.
Competition Good, Monopoly Bad.
Regardless of changing the cache from 350 to 1mb, it still trashes my hard drive, slows down, freezes and crashes. On windows 8 it's a little bit more stable than windows 7 but still issues. I switched over to chrome and no software issues whatsoever. Only thing I hate about chrome is the font.
Effectively this site is blocked if you are using FireFox. and that's why I keep IE and Safari and Chrome and ....
great plan....
I predict a plugin to whitelist sites before long....
or, to outright "fix" this problem....
I could write something witty for my sig, but instead wrote this...
If it's a problem for some users that it's not on per default, why not just add a plugin with a whitelist? It can't be that hard.
Noscript et al already does the reverse.
Clicking on the "Do Not Enter" icon for the Java plugin pops up a "Firefox has prevented the unsafe plugin "Java(TM) .. from running.." There's a link provided called "What's the risk" (https://addons.mozilla.org/en-US/firefox/blocked/p463) that 404s.
So they won't even let you know why it's unsafe, you just have to take their word for it.
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
PDF.js is unbelievably bad at font rendering and rendering in general. (Compared to Okular and whatever backend it uses.)
Hopefully Mozilla have some metrics for the number of users who switched to FF (where PDF.js was added as default) and immediately switched to the system PDF viewer. What a colossal waste of JS code.
HAND.
Firefox 24 fixed 7 critical security vulnerabilities, on top of the 4 fixed 6 weeks earlier in Firefox 23, and 4 more fixed 6 weeks before that in Firefox 22, and 3 more 6 weeks earlier still in Firefox 21, and so on. Within the past year there have been Firefox releases that fixed as many as 12 critical vulnerabilities.
By your argument, since I have no reason to believe the latest Firefox will have no known vulnerabilities for the entire time that release is current, we should probably just declare Firefox to be dangerous by default and have it prompt users before opening every page from a site they didn't already OK explicitly.
In fact, Microsoft should just flag Firefox as known insecure software and push out a Windows update that warns users about this every time they try to run it, even if Firefox itself is already doing that. And then Microsoft should push out another update a few weeks later that fully removes Firefox from everyone's system for their own safety, and they should kill support completely for anyone who doesn't install that update within the next few months.
Isn't it lucky that Microsoft have an alternative technology that they'd prefer us all to use instead, which they can generously offer to us when they shut down what we've chosen to use previously?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
By using a Firefox plug-in called NoScript (there are others). Pretty interesting being able to view and manually kick adware to the curb. By globally revoking permission to scripts from domains like atdt, it's possible to greatly clean up your browser experience. And you always have a half-decent idea what's going on. I think this is a great idea on Mozilla's part, although it would certainly be appropriate to make this an opt-in feature.
...is the one not installed. Otherwise, don't make it a pain in the ass to run when one is presented with, say...an enterprise app like ADP which requires it. This is sure to push Admins to move away from Firefox and give IE and Chrome more users.
Bearded Dragon
html5 can replace flash, check this link on how firefox can replace flash
still not perfect, but getting better. it will replace flash, just like PDF.js can replace PDF plugins in browsers
For those who don't know, PDF.js is the "built in PDF viewer" in recent Firefox builds. It's not an Adobe-provided thing. It's a new Firefox feature to convert PDF to HTML5 using Javascript using a mozilla foundation "community driven" javascript project.
I gleefully support the goals of the project.
And yet I regret to report that from my work-related test cases, PDF.js is badly broken with long technical documents with diagrams. :-(
For those who don't know, you can disable it!
1. Type about:config in the address bar and press Enter.
2. Press the big button to bypass the warning.
3. In the Filter bar, paste pdfjs.disabled
4. In the search results, double-click pdfjs.disabled to set its value to true
5. Restart Firefox for the changes to take effect.
Result on Firefox 24 on Xubuntu 12.04 LTS: "This browser is currently unsupported. Please download Firefox 22 for an optimal experience." This recommendation to use an older browser contradicts Epic Citadel HTML5 FAQ, which "recommend[s] the latest Firefox public release".
USB Token as an image device.... WTF? How does one expose that using Javascript?
I believe it's called "getUserMedia" and treating the signature tablet as a camera.
An article published by the U.S. Small Business Administration claims that people are doing signatures on touch screens. Let me guess how it'd be exposed to JavaScript: A digitizer feeds a stream of (x, y) drag events to the script on the page. The page renders these drag events to a canvas. This would work with a standard Wacom tablet on a PC or with the touch screen in a smartphone or tablet.
no need for that, you can go to the firefox preferences -> applications, search for pdf and choose from the default "preview in firefox" to "open with plugin" or "open to external application"
Higuita
In any enterprise implementation this will prevent any system architect or admin from permitting the installation of Firefox just from a cost standpoint. They just don't have time for the flood of support calls they'll get.
Admin and dev tools don't count - if you use them, you're grown up enough to deal with a blocked plugin. And considering that every Java update breaks all the tools anyways, I doubt that anyone is actually noticing this.
Listen, the web evolves and evolves according to standards.
And because Android allows multiple competing web browsers to compete for standards support, it picks up support for these standards sooner than iPhone. Firefox for Android appears to support WebGL as of version 24 according to this table. Safari and Safari wrappers, on the other hand, support standards only once Apple makes the business decision to no longer deliberately exclude them. For example, iOS supports WebGL, but only in iAds approved by Apple. The limits of Safari and Safari wrappers appear calculated to encourage application developers to buy an additional computer and a developer license and develop a native application instead of not buying a Mac, not buying a developer license, and developing a web application instead.
All proprietary lock-ins will naturally be kicked out eventually.
The universe will die of heat death "eventually". To exaggerate slightly less, anyone can make an iPhone "eventually" once copyright in iOS expires. To exaggerate even less, if I eat "eventually", I will die of starvation first. People making applications for the phones that exist now need to eat now. I was referring to the foreseeable future, not 95 years from now.