Firefox To Block Non-Essential Flash Content In August 2016, Require Click-To-Activate In 2017 (mozilla.org)
Mozilla has announced that it plans to discontinue support for Flash in Firefox. Starting next month, Firefox will block Flash content "that is not essential to the user experience." Also, starting sometime in 2017, the browser will require click-to-activate approval from users before a website activates the Flash plugin for any content. In a blog post, the company writes: Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins. This includes audio/video playback and streaming capabilities, clipboard integration, fast 2D and 3D graphics, WebSocket networking, and microphone/camera access. As websites have switched from Flash to other web technologies, the plugin crash rate in Firefox has dropped significantly. [...] We continue to work closely with Adobe to deliver the best possible Flash experience for our users.
Does this mean that there weren't people running flashblock?
Too much trying to think for me, without being able to turn the behavior off. Firefox and PKI is an absolute abortion. Now they are going to make people's lives more difficult vis a vis Flash because of some religious reason.
Way to grow that market share!!
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Chrome has done the first part of this for over a year...
Mozilla should have made 'Click to Activate' the default behavior years ago. I've been running with that option toggled on for a few years, and it's never been an issue. If it's running Flash, I don't fucking want it turning on all by itself.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
Firefox is dead. Political correctness in Mozilla killed it. Too many wanking hipsters write software these days instead of riding their bicycles.
I've been pushing for this for quite a while. Especially for us Linux/Firefox users, the EOL of Flash is coming up fast and we need to be ready for it.
Click to run should be the standard for all browsers and multimedia plugins. It's just safer that way. (Though advertisers will hate it...)
I don't use Chrome either.
You do know about:config still exists, right? Because it sounds like you do not.
What is it with manager-like people and this fucking word? Just stop it, already.
And what browser are you going to end up on? Because every sane modern browser is moving to 'Click to Activate' for Flash at the very least, and many other plug-ins as well.
What I really wish along with that would be a built in flash movie preloader.
OK, you enable "accept any certificate" in about:config, right now. I'll be waiting...while Firefox denies connection to old devices, with not a thing to be done about it.
Knowing what you're talking about is a prerequisite for being snide.
Now they are going to make people's lives more difficult vis a vis Flash because of some religious reason.
...
Right, "religious reason." Surely it has nothing to do with the fact that Flash has probably been the biggest security blackhole of all time.
Pale Moon with Noscript. When they decide to start thinking for me, I'll look for another browser...
"We continue to work closely with Adobe to deliver the best possible Flash experience for our users." Problem found.
Then soon you won't have a browser to use.
No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is. Flash is way down on the list. And besides which, this is a shitty way to enforce security. Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
Never even noticed, are there any essential sites that use flash?
I'm guessing this doesn't mean they told Adobe to fuck off. Although it should.
Imagine a car that doesn't drive to Walmart... because it disagrees with Walmart policies. Browser is a vehicle, it has no value on its own. And if that vehicle will start telling me where I should and shouldn't go, I will just ditch it.
"Click to activate" is fine. Making user aware that flash may not be safe is fine. But "discontinue support for Flash in Firefox" is not OK, regardless of what I think about Flash as a technology. While it remains on many sites, it must be supported for browser to be of any use.
No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is. Flash is way down on the list. And besides which, this is a shitty way to enforce security. Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
I won't disagree with you on the Windows part, but click-to-access does have some purpose. At least then the browser will only use Flash for something the user explicitly requests like a game, rather than it automatically running in the background for God-knows-what.
I already have some reasonable security extensions active. :-)
OK, that is actually a ridiculous statement. The security issues being exploited in Flash are via advertisements. Some are also invisible content, just like with some of the Java exploits. The user isn't going to click to run ADVERTISEMENTS. It is almost never the actual content that is delivering the malware. Users will click through to the content - that much is correct. But they are not going to click to enable ads. Users can do dumb things, but that isn't likely to be one of them.
Pale Moon with Noscript. When they decide to start thinking for me, I'll look for another browser...
Explain how the browser is "thinking for you" by discontinuing support for something. Firefox is free software. Fork it and support Flash yourself if you care so much. Mozilla doesn't want to waste the resources on a plugin that causes problems for millions of people.
An annoying new trend: sites that pop up a window when you click to close a tab. The most innocuous ask if you really want to close the site. (I just said I did, didn't I?) Others lock you in an unclosable (short of a three-finger salute) page with the scam "your computer is infected, you must call xxx-xxx-xxx to resolve the problem" which I'm sure will phish for a CC number to "fix your problem." Anything that pops up after you choose to close and demands a response from you is likely malware. (Who knows what clicking to leave a page may actually do?)
The x in the browser tab should immediately close the window. w/o allowing any control whatsoever by the site being closed.
IE just won't play flash unless you have the latest, as far as I can tell.
Edge will, well, no matter what it does you're still doing it on Edge.
Lynx has successfully blocked Flash since 1992 - everyone else is that far behind.
Socialism: a lie told by totalitarians and believed by fools.
I agree with "Click2Run should be standard", but that's not enough.
Mozilla writes:
Well Javascript is the single biggest factor which "often introduces stability, performance, and security issues for browsers". And to use Mozilla's words, this is not a trade-off which users should have to accept either. Why Mozilla does nothing to control and limit the impact of the primary enemy and instead leaves it to add-ons is incomprehensible.
At the very least, the Javascript engine should be frozen on out-of-focus tabs unless specifically enabled to run continuously on that tab. Without that, Firefox with tabs will continue to run like molasses because web designers are universally myopic and unwilling to limit their abuse of users' CPU.
Why is this not universally known? Who is afraid of adobe?
WTF is this "essential flash content" that won't be blocked by default.
The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.
The last two flash installers have just hung forever on my system, so I'm not even watching anything that requires it right now. Maybe later, if Adobe figures out how to lay some files down on a Windows box. I'm not holding my breath. They become less competent with every passing hour.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Good. Maybe next people will stop requiring javascript too. Too many sites require javascript to be enabled just to click on a damn link.
The fact you drank the kool-aid and think Flash is anything other than a problem seems to be the problem here.
Well by the very nature of Pale Moon (or any program) having any configurable preference set to any default value, I guess it already is 'thinking for you'.
Closing a huge security hole is a religious reason to you? Has it occurred to you that you might be a crank? Maybe an arrogant douche-bag?
I think I see the problem here. HBI, for whatever delusional reason, believes that Flash is still useful. I think he was projecting when he talked about killing Flash for religious reasons.
Exactly what is ESSENTIAL FLASH CONTENT? Wouldn't that be an oxymoron, like decorative manure?
The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.
Are you denying that Flash has been the vector for numerous security exploits?
firefox crashes less often.... half as often compared to 16-18 months ago... but "no!" it's not because they're actually writing better code and fixing bugs... it's because youtube is using flash less often. the firefox code itself is actually worse now.
Yes, the 'onClose' event should never have been accepted into the HTML standards. No browser should recognize it, regardless of how benign the associated code appears to be.
I also still want some browser to have a checkbox for "allow only server-local content" with a whitelist of tolerated exceptions (two lists actually, one of fully trusted servers and one for universally trusted remote sources). That alone would resolve over 90% of the reason to use a hosts file and adblocker.
Pale Moon does think for you. They have a chip on their shoulders about E10S, so they're refusing to adopt it. They don't run the automated test suite before shipping the browser. They even decided to break compatibility with regular Firefox addons... all for you!
Seriously, for someone who's talking about people drinking kool-aid, you've bought into the PM hype just like many others. If you don't care about security, that's fine. But don't try to hide behind others "making decisions for you" when you clearly don't care about that until it's Mozilla "making the decision".
It's not even just when you click to close a tab, which would be obnoxious enough. Lots of pages announce their abandonment issues as soon as you move the mouse pointer to the tabs to toggle between tabs. This often leads me to close their tab, instead of leaving it to read later.
I already have it set to click to play Flash. Fuck Flash
I don't see HBI saying anything of the sort. They're saying that browsers discontinuing support and thus making content on the Web inaccessible to their users is a bad thing.
And they're absolutely right.
The trend for modern browsers to drop support for any standard more than five minutes old, and in doing so cut off huge amounts of valuable content developed over multiple decades, is exactly the opposite of what the Web is supposed to be about.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is.
"Windows killed my Pappy!"
MS fixed that shit almost 10 years ago. FFS, enough already.
Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
People are unlikely to "click through" ads, which is 100% the point here. YouTube is already ready for a post-Flash world. It's the advertising industry that needs a kick in the crotch (not that that will ever be untrue, but here there's even more reason).
I can mind my own security just fine. And a test suite offers me what feature? More security, you say? More security than just not allowing any untrusted script to run?
For that matter, what do you mean "breaking compatibility with any Firefox addon"? Haven't found one yet (that I would want) that I haven't been able to run in Pale Moon. Whatever the "breakage", it must not be very significant.
Indeed. Firefox has had the ability to "Ask to activate" a plugin for a long time. I have had Flash set to this for years now. They could have made this the default for Flash, when either Firefox or Flash is first installed.
Gamingmuseum.com: Give your 3D accelerator a rest.
To this day, if you want to watch National Weather Service radar images on a loop (just in case you would like to see the tornado intent on killing you, and your locale isn't worthy of live coverage in the nearest media market), you still have to use Flash.
You do know about:config still exists, right?
Mozilla continues to remove manually configurable options from the browser. You can go in about:config and these deprecated preferences to your heart's content, it won't change how Firefox behaves. Firefox used to be the most user friendly browser available, not so much anymore, control keeps being taken away.
Seriously, I have been using Flashblock on Chrome for years now and run Adblock Plus on IE for a year or two as well.
Flash is truly terrible and a risk.
http://saveie6.com/
Whatever the "breakage", it must not be very significant.
So, basically, it's okay when they do it.
The trend for modern browsers to drop support for any standard more than five minutes old, and in doing so cut off huge amounts of valuable content developed over multiple decades, is exactly the opposite of what the Web is supposed to be about.
Right on. When the WWW was conceived in Tim Berners-Lee's head, I'm sure the very first thing he salivated over was all of the people whose bank accounts were jacked via Flash-transmitted malware.
Some of us liked the internet before the Crisis of Infinite Septembers.
The rest of you whippersnappers can get off my lawn and take your damn billboards with you.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I don't know about that; there will always be wget and emacs.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Flash isn't any sort of standard except in the limited sense that it is used on a lot of web sites. It's a proprietary, closed source plugin and application; the precise opposite of a standard. This so-called "standard" exists solely at the whim of one company, Adobe, and they can do whatever they wish with it without regard to its users or anyone else. For instance, they dropped Linux support a few years ago without any input from the community.
In my opinion, Flash is an abomination that can't die soon enough. The same goes for Microsoft's Silverlight.
(Score: -1, Stupid)
> They even decided to break compatibility
> with regular Firefox addons... all for you!
Correction... Mozilla broke compatibility with regular Firefox addons, i.e. XUL, in order to switch to the same model used by Chrome https://blog.mozilla.org/addon... If I wanted effing Chrome, I'd use effing Chrome already. Firefox's problem is that it's a Chrome wannabe.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
I use it for work, just like Java. And by that I mean I have customers that use these plugins for essential tasks and without a browser to run the plugins, these customers are left out on their ass. For instance, I'm currently logged in to a customer's system through a browser based Java RDP client. They do not have other options. They don't have the resources to purchase other options. They don't have the IT staff to implement other options. What they have works. In order to make it continue working, I need to have a browser that can use the plugin or create a VM with the supported browser and plugin installed and auto-update disabled on the browser. I have other customers that use Flash similarly.
And, of course, this doesn't save us from anything. HTML5 is just as much a vector as Flash or Java.
Wow. I had no idea people who have used a computer for more than a few months still had Flash installed on their computer at all.
Of course someone *else* should be paying for your clients. Like Mozilla, because.... reasons?
"Windows killed my Pappy!"
MS fixed that shit almost 10 years ago. FFS, enough already.
Not only that but legacy shit broke in the process and the HBIs of the world relying on the old presumptions were left in the cold for "religious reasons".
Flash isn't any sort of standard except in the limited sense that it is used on a lot of web sites.
And, until recently, more widely available and consistent across platforms than just about any official web standards other than HTML 4, CSS 2.1 and HTTP. In other words, Flash was a standard in the only way that really matters: it worked the same almost everywhere. Which, by the way, is far more than can be said for many of the new shiny toys that are supposed to replace it.
It's a proprietary, closed source plugin and application; the precise opposite of a standard.
Well, for one thing, that isn't anything like the precise opposite of a standard.
As for proprietary, closed source, and running as a separate process, have you looked at how HTML5 video works on iOS lately? Or the uses of EME, which is now a W3C standard? Or the number of different encodings you need to create to do something as simple as playing a video across most browsers in 2016, compared to the exactly one you needed with any number of Flash video players before?
This so-called "standard" exists solely at the whim of one company, Adobe, and they can do whatever they wish with it without regard to its users or anyone else.
How is that fundamentally different to all the major browsers pushing substandard HTML5 features instead because Google decides Chrome will do so and everyone else apparently feels the need to emulate them? Meet the new boss, same as the old boss (except that now you can't even see what the old boss was like any more because all the records are inaccessible).
Flash hasn't been a favoured form of malware transmission for years. There are much easier targets these days, with click-to-play protection for plug-ins now being the norm in all major browsers.
Meanwhile, millions and millions of people still benefit from Flash apps every day, and all of those people are going to lose out.
Not to mention Flash is NOT the danger...it's JavaScript.
I can surf all day long with Flash on a JavaScript disabled browser without a care in the world because even the flash exploits are using JavaScript but if you surf without Flash but allowing JavaScript without Adblock or even better NoScript then guess what? It's gonna get pwned.
So until we deal with the stinking rotting elephant in the room that is JavaScript and kill it deader than the blink tag? Then all this shit is for naught, it's just a waste of time. If FF wanted to protect their users it would come with adblocking and JavaScript disabled by default, this? This is security theater, nothing more.
ACs don't waste your time replying, your posts are never seen by me.
That's one of the most stupid reasonings ever. There's other quite free ways to RDP. You need to get your head out of your ass and take the 10 minutes to set them up.
FUCK FLASH
I am because those "flash Exploits" are damned near all executing JavaScript which is the REAL threat here, you get rid of that stinking pile of offal that is JavaScript? I seriously doubt flash or any other plugin would be a problem.
Oh and let's not kid ourselves about Flash being dropped, mmkay? It didn't have shit to do with security it had to do with Apple not wanting games running outside the iStore and because all the content creators kiss the iAss for fear of not getting a shot at the iMoney they went along with it.
And what did we get to replace it? A proprietary as fuck DRM filled mess that is HTML V5 which is practically a love letter to Apple and MSFT...yeah because THAT is progress. Say what you want about Adobe but 1.- they let anyone bundle flash into any OS, be it FOSS or proprietary, 2.- They even allowed FOSS alternatives like gnash to be developed...you think MPEG-LA is gonna tolerate that shit with H.265?
Let's face it the whole thing is a giant clusterfuck right now, with the corps racing to see who can make HTML V5 the most nasty and content creators cheering all the way because God forbid they offend the great and mighty Apple. Mark my words in 5 years you'll be BEGGING for something like Flash because all we will have is paywalled DRM content with unskippable malware ridden ads and none of it will play unless you are on the latest corporate approved OS.
work with corporate America to get flash out of vital web sites.
I do all the tech help for a bunch of older relatives and over the years moved them all to Linux and Firefox, which was wonderful and eliminated nearly all calls for help (except for printing which still completely sucks on Linux). Unfortunately, I recently got a bunch of calls for help because several banks and even Verizon had recently ADDED flash content to the web pages these relatives needed, and they needed their Flash players updated and enabled.
I simply cannot comprehend why corporate America, particularly BANKS are actually ADDING flash to pages (in 2016!!!) that did not previously use it.
Removing flash support, while big businesses that are critical to users are ADDING flash, is a recipe for disaster every bit as bad as the disasters supposedly solved by jerking Flash away from users.
Since when did Firefox go from being the browser geared to users (with lots of options that left such decisions to users) to some slightly jack-booted scheme where user needs are ignored and all the preferences are forced by Mozilla? Where do you go for a good browser that puts the USERS in control??? Microsoft? Nope. Apple? Nope. Chrome? Nope. The answer used to be Mozilla Firefox.
Companies like Mozilla and Google need to be doing outreach to businesses to help them learn to do what they used to do in Flash with HTML5 instead, and THEN make things like Flash optional. As long as big businesses people need keep using and deploying Flash, it's a total-JERK move to make Flash inaccessible.
Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins.
But will they play Badger Badger Badger?
Until that can be emulated on the "replacement functionality", removing Flash is a fundamental impact on the Internet Experience. ;-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I'm not my customer's IT.
I have used IE since the early 2000's. Why should I change? It has always worked.
I like how they removed the ability to turn off image loading.
And how they removed 'ask me about cookies on a site-by-site basis'.
And how right click->properties wasn't useful enough for one dev so he just took it out of the browser entirely.
Mozilla doesn't want to waste the resources on a plugin that causes problems for millions of people.
How does your brain work ?
1. It's up to Adobe to keep updating and working on the Flash plugin, nothing to do with Mozilla
2. As for "wasting resources".. what takes more resources?
A: Changing the browser to detect and show "essential" flash content ( yeah right, I bet that won't be foolproof)
B: Leaving it the fuck alone.
If Mozilla devs really want to create a better browsing experience, then disable fucking autoplaying videos everywhere.
If the video isn't the main content of the page then it has fuck all reason to autoplay.
AKA de facto standard.
Proprietary and standard are orthogonal.
Porn is essential
Go well
Oh, I see... so you're going to ignore what Pale Moon has already done in favor of pointing the finger at Mozilla for planning to do the same thing years later? Let me guess: you also prefer XUL and the current "let addons do whatever they please" system too, don't you?
Seriously, it's like all you Pale Moon users can do is deflect arguments in a vain attempt to paint Mozilla in an ill light.
It clearly sounds like you have already solved this problem for yourself and clients you have to deal with. Sure it is annoying, but who exactly pays for Firefox? I know I have never spent actual money on Firefox (I probably should send them something...) so they really are free to do as they please.
Seriously though, just set up your VM with specific browser versions, yada yada. Sure it's a pain and not something you enjoy but then you don't really send money to Firefox for a browser, now do you?
it is not rocket appliances.
I was arguing with a graphic artist who I basically called a complete tool. He keeps making flash dominated sites for his clients. They look good but I was strongly arguing that he was screwing his clients as fewer and fewer people have flash on their internet thing, and that number will only keep falling. More importantly is that richer people with newer devices are even less likely to have it.
He kept quoting 2001 era stats about it having 98% penetration.
He is the perfect example of someone seeing the world as nails because all they have is a hammer.
It's not religious, it's a petty personal vendetta of Steve Jobs' which is still fucking people over years after he's dead.
Remind me never to piss on his grave.
(On second thought, screw it, I'll take the risk.)
I usually assume it is all a conspiracy to prevent me from accessing government precipitation analysis and weather radar data.
If you only use a handful of addons, and they're all well known, and you're using the same ones for years, then it might not be a problem for addons to run with the same privileges as other user software.
It is not automatically a given that application plugins, whatever the name, have to be "apps" that are fun little throw-away nonsense things that you would casually install and need to be protected from. There is room in the world for people who only want computer tools, or want tools separate from toys.
Pale Moon with Noscript. When they decide to start thinking for me, I'll look for another browser...
You are severely overdue to find a new browser then. Remember when Pale Moon wouldn't let you visit sites with weak certificates? They eventually backpedaled on that, but if you weren't lying, then you wouldn't be using Pale Moon any more after that.
The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.
The fact that you think a browser is discontinuing support for something for which they are not discontinuing support
For instance, I'm currently logged in to a customer's system through a browser based Java RDP client. They do not have other options. They don't have the resources to purchase other options.
There are a whole bunch of other options, many of which are free, including Microsoft's own downloadable RDP client. If you want people to buy your story, you're going to have to expand on that.
What they have works. In order to make it continue working, I need to have a browser that can use the plugin or create a VM with the supported browser and plugin installed and auto-update disabled on the browser.
Oh, so the way they are doing it now is the only way to do it? I think they should hire someone else.
Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
Well, this is the dumbest thing you've said in this thread. What about the hidden flash apps the user never even sees? What about flash banner ads that the user is almost certainly not going to click to see what they are?
Haha, you said PKI.
Have hilarious memories here of ten years of continuous failure over PKI.
Thanks.
The chrome on my car is not so flashy anymore either after a year.
Flash is, and has been, a major, if not the biggest vector of attack in browsers since its inception. It has since its birth in the pits of hell been an ill-bred monstrosity, a cancer. It should have been euthanised long ago.
Companies that still use it for their ****ing "presence on the web" deserve to die the horrordeath of Doom.
These are not pesky little factoids you should leave out when you give an answer like that.
AMEN!
I've been to one where ANY mouse movement caused this obnoxious behavior. I closed that site immediately.