Slashdot Mirror
Firefox To Block Non-Essential Flash Content In August 2016, Require Click-To-Activate In 2017 (mozilla.org)
Mozilla has announced that it plans to discontinue support for Flash in Firefox. Starting next month, Firefox will block Flash content "that is not essential to the user experience." Also, starting sometime in 2017, the browser will require click-to-activate approval from users before a website activates the Flash plugin for any content. In a blogpost, the company writes:Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins. This includes audio/video playback and streaming capabilities, clipboard integration, fast 2D and 3D graphics, WebSocket networking, and microphone/camera access. As websites have switched from Flash to other web technologies, the plugin crash rate in Firefox has dropped significantly. [...] We continue to work closely with Adobe to deliver the best possible Flash experience for our users.
Too much trying to think for me, without being able to turn the behavior off. Firefox and PKI is an absolute abortion. Now they are going to make people's lives more difficult vis a vis Flash because of some religious reason.
Way to grow that market share!!
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Chrome has done the first part of this for over a year...
Mozilla should have made 'Click to Activate' the default behavior years ago. I've been running with that option toggled on for a few years, and it's never been an issue. If it's running Flash, I don't fucking want it turning on all by itself.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
Firefox is dead. Political correctness in Mozilla killed it. Too many wanking hipsters write software these days instead of riding their bicycles.
I've been pushing for this for quite a while. Especially for us Linux/Firefox users, the EOL of Flash is coming up fast and we need to be ready for it.
Click to run should be the standard for all browsers and multimedia plugins. It's just safer that way. (Though advertisers will hate it...)
I don't use Chrome either.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
You do know about:config still exists, right? Because it sounds like you do not.
And what browser are you going to end up on? Because every sane modern browser is moving to 'Click to Activate' for Flash at the very least, and many other plug-ins as well.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
OK, you enable "accept any certificate" in about:config, right now. I'll be waiting...while Firefox denies connection to old devices, with not a thing to be done about it.
Knowing what you're talking about is a prerequisite for being snide.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Now they are going to make people's lives more difficult vis a vis Flash because of some religious reason.
...
Right, "religious reason." Surely it has nothing to do with the fact that Flash has probably been the biggest security blackhole of all time.
Pale Moon with Noscript. When they decide to start thinking for me, i'll look for another browser...
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
"We continue to work closely with Adobe to deliver the best possible Flash experience for our users." Problem found.
Believe it or not, there's a lot of people who just run Firefox or Chrome fresh from the install without any tinkering or extensions. There's a reason why ads are still the biggest vector for malware.
Then soon you won't have a browser to use.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is. Flash is way down on the list. And besides which, this is a shitty way to enforce security. Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Never even noticed, are there any essentials sites that use flash?
No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is. Flash is way down on the list. And besides which, this is a shitty way to enforce security. Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
I won't disagree with you on the Windows part, but click-to-access does have some purpose. At least then the browser will only use Flash for something the user explicitly requests like a game, rather than it automatically running in the background for God-knows-what.
Imagine a car that doesn't drive to Walmart... because it disagrees with Walmart policies. Browser is a vehicle, it has no value on its own. And if that vehicle will start telling me where I should and shouldn't go, I will just ditch it. "Click to activate" is fine. Making user aware that flash may not be safe is fine. But "discontinue support for Flash in Firefox" is not OK, regardless of what I think about Flash as a technology. While it remains on many sites, it must be supported for browser to be of any use.
Bad analogy. A car is like your keyboard and mouse. Discontinuing Flash in the browser is like the city preventing pipe builders from connecting people's drinking water pipes to the radioactive waste dump.
Pale Moon with Noscript. When they decide to start thinking for me, i'll look for another browser...
Explain how the browser is "thinking for you" by discontinuing support for something. Firefox is free software. Fork it and support Flash yourself if you care so much. Mozilla doesn't want to waste the resources on a plugin that causes problems for millions of people.
An annoying new trend: sites that pop up a window when you click to close a tab. The most innocuous ask if you really want to close the site. (I just said I did, didn't I?) Others lock you in an unclosable (short of a three-finger salute) page with the scam "your computer is infected, you must call xxx-xxx-xxx to resolve the problem" which I'm sure will phish for a CC number to "fix your problem." Anything that pops up after you choose to close and demands a response from you is likely malware. (Who knows what clicking to leave a page may actually do?)
The x in the browser tab should immediately close the window. w/o allowing any control whatsoever by the site being closed.
IE just won't play flash unless you have the latest, as far as I can tell.
Edge will, well, no matter what it does you're still doing it on Edge.
Lynx has successfully blocked Flash since 1992 - everyone else is that far behind.
Socialism: a lie told by totalitarians and believed by fools.
I agree with "Click2Run should be standard", but that's not enough.
Mozilla writes:
Well Javascript is the single biggest factor which "often introduces stability, performance, and security issues for browsers" . And to use Mozilla's words, this is not a trade-off which users should have to accept either. Why Mozilla does nothing to control and limit the impact of the primary enemy and instead leaves it to add-ons is incomprehensible.
At the very least, the Javascript engine should be frozen on out-of-focus tabs unless specifically enabled to run continuously on that tab. Without that, Firefox with tabs will continue to run like molasses because web designers are universally myopic and unwilling to limit their abuse of users' CPU.
Actually we need all browsers to drop support for it. Now. You ever notice that you can visit some sites on a phone (Android, iOS) and it works fine with no Flash? All the features are there. Try it on a notebook or desktop and the same site often won't work without Flash enabled. And, some small set of them, actually won't even work if you have Flash set to click-to-activate. I actually had to set a site (some damn puzzles) into the exception list for click-to-activate for my Dad because the site just immediately failed if the Flash object wasn't loaded right away. Try it on mobile and it works. Yep. The sites want the mobile user base, so they will allow it to work there. But they figure they can do more stupid auto-play advertisements with flash on notebook / desktop - so they won't let it work without Flash there. This isn't every site. This is only some. But if the browsers all stopped Flash support now, well guess what? Those sites don't want to go out of business. They would enable their content pretty quickly.
The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
The last two flash installers have just hung forever on my system, so I'm not even watching anything that requires it right now. Maybe later, if Adobe figures out how to lay some files down on a Windows box. I'm not holding my breath. They become less competent with every passing hour.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Good. Maybe next people will stop requiring javascript too. Too many sites require javascript to be enabled just to click on a damn link.
The fact you drank the kool-aid and think Flash is anything other than a problem seems to be the problem here.
Well by the very nature of Pale Moon (or any program) having any configurable preference set to any default value, I guess it already is 'thinking for you'.
Most people just want things to work out of the box. I find I enjoy tinkering more than actual use of a product, but that doesn't seem to be common.
Exactly what is ESSENTIAL FLASH CONTENT? Wouldn't that be an oxymoron, like decorative manure?
The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.
Are you denying that Flash has been the vector for numerous security exploits?
firefox crashes less often.... half as often compared to 16-18 months ago... but "no!" it's not because they're actually writing better code and fixing bugs... it's because youtube is using flash less often. the firefox code itself is actually worse now.
It's not even just when you click to close a tab, which would be obnoxious enough. Lots of pages announce their abandonment issues as soon as you move the mouse pointer to the tabs to toggle between tabs. This often leads me to close their tab, instead of leaving it to read later.
I already have it set to click to play Flash. Fuck Flash
I don't see HBI saying anything of the sort. They're saying that browsers discontinuing support and thus making content on the Web inaccessible to their users is a bad thing.
And they're absolutely right.
The trend for modern browsers to drop support for any standard more than five minutes old, and in doing so cut off huge amounts of valuable content developed over multiple decades, is exactly the opposite of what the Web is supposed to be about.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is.
"Windows killed my Pappy!"
MS fixed that shit almost 10 years ago. FFS, enough already.
Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
People are unlikely to "click through" ads, which is 100% the point here. YouTube is already ready for a post-Flash world. It's the advertising industry that needs a kick in the crotch (not that that will every be untrue, but here there's even more reason).
Socialism: a lie told by totalitarians and believed by fools.
I can mind my own security just fine. And a test suite offers me what feature? More security, you say? More security than just not allowing any untrusted script to run?
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
For that matter, what do you mean "breaking compatibility with any Firefox addon"? Haven't found one yet (that I would want) that I haven't been able to run in Pale Moon. Whatever the "breakage", it must not be very significant.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Indeed. Firefox has had the ability to "Ask to activate" a plugin for a long time. I have had Flash set to this for years now. They could have made this the default for Flash, when either Firefox or Flash is first installed.
Gamingmuseum.com: Give your 3D accelerator a rest.
To this day, if you want to watch National Weather Service radar images on a loop (just in case you would like to see the tornado intent on killing you, and you're locale isn't worthy of live coverage in the nearest media market), you still have to use Flash.
Seriously I have been using flashblack on Chrome for years now and run adblock plus on IE for a year two as well.
Flash is truly terrible and a risk.
http://saveie6.com/
The trend for modern browsers to drop support for any standard more than five minutes old, and in doing so cut off huge amounts of valuable content developed over multiple decades, is exactly the opposite of what the Web is supposed to be about.
Right on. When the WWW was conceived in Tim Berners-Lee's head, I'm sure the very first thing he salivated over was all of people whose bank accounts were jacked via Flash-transmitted malware.
Fox News uses Flash so it must be good :)
Some of us liked the internet before the Crisis of Infinite Septembers.
The rest of you whippersnappers can get off my lawn and take your damn billboards with you.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I don't know about that there will always be wget and emacs
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Flash isn't any sort of standard except in the limited sense that it is used on a lot of web sites. It's a proprietary, closed source plugin and application; the precise opposite of a standard. This so-called "standard" exists solely at the whim of one company, Adobe, and they can do whatever they wish with it without regard to its users or anyone else. For instance, they dropped Linux support a few years ago without any input from the community.
In my opinion, Flash is an abomination that can't die soon enough. The same goes for Microsoft's Silverlight.
(Score: -1, Stupid)
> They even decided to break compatibility
> with regular Firefox addons... all for you!
Correction... Mozilla broke compatibility with regular Firefox addons, i.e. XUL in order to switch to the same model used by Chrome https://blog.mozilla.org/addon... If I wanted effing Chrome, I'd use effing Chrome already. Firefox's problem is that it's a Chrome wannabee.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
I use it for work, just like Java. And by that I mean I have customers that use these plugins for essential tasks and without a browser to run the plugins, these customers are left out on their ass. For instance, I'm currently logged in to a customer's system through a browser based Java RDP client. They do not have other options. They don't have the resources to purchase other options. They don't have the IT staff to implement other options. What they have works. In order to make it continue working, I need to have a browser that can use the plugin or create a VM with the supported browser and plugin installed and auto-update disabled on the browser. I have other customers that use Flash similarly.
And, of course, this doesn't save us from anything. HTML5 is just as much a vector as Flash or Java.
Wow. I had no idea people who have used a computer for more than a few months still had Flash installed on their computer at all.
Flash isn't any sort of standard except in the limited sense that it is used on a lot of web sites.
And, until recently, more widely available and consistent across platforms than just about any official web standards other than HTML 4, CSS 2.1 and HTTP. In other words, Flash was a standard in the only way that really matters: it worked the same almost everywhere. Which, by the way, is far more than can be said for many of the new shiny toys that are supposed to replace it.
It's a proprietary, closed source plugin and application; the precise opposite of a standard.
Well, for one thing, that isn't anything like the precise opposite of a standard.
As for proprietary, closed source, and running as a separate process, have you looked at how HTML5 video works on iOS lately? Or the uses of EME, which is now a W3C standard? Or the number of different encodings you need to create to do something as simple as playing a video across most browsers in 2016, compared to the exactly one you needed with any number of Flash video players before?
This so-called "standard" exists solely at the whim of one company, Adobe, and they can do whatever they wish with it without regard to its users or anyone else.
How is that fundamentally different to all the major browsers pushing substandard HTML5 features instead because Google decides Chrome will do so and everyone else apparently feels the need to emulate them? Meet the new boss, same as the old boss (except that now you can't even see what the old boss was like any more because all the records are inaccessible).
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Flash hasn't been a favoured form of malware transmission for years. There are much easier targets these days, with click-to-play protection for plug-ins now being the norm in all major browsers.
Meanwhile, millions and millions of people still benefit from Flash apps every day, and all of those people are going to lose out.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Not to mention Flash is NOT the danger...its JavaScript.
I can surf all day long with Flash on a JavaScript disabled browser without a care in the world because even the flash exploits are using JavaScript but if you surf without Flash but allowing JavaScript without Adblock or even better NoScript then guess what? Its gonna get pwned.
So until we deal with the stinking rotting elephant in the room that is JavaScript and kill it deader than the blink tag? Then all this shit is for naught, its just a waste of time. If FF wanted to protect their users it would come with adblocking and JavaScript disabled by default, this? This is security theater, nothing more.
ACs don't waste your time replying, your posts are never seen by me.
I am because those "flash Exploits" are damned near all executing JavaScript which is the REAL threat here, you get rid of that stinking pile of offal that is JavaScript? I seriously doubt flash or any other plugin would be a problem.
Oh and lets not kid ourselves about Flash being dropped, mmkay? It didn't have shit to do with security it had to do with Apple not wanting games running outside the iStore and because all the content creators kiss the iAss for fear of not getting a shot at the iMoney they went along with it.
And what did we get to replace it, A proprietary as fuck DRM filled mess that is HTML V5 which is practically a love letter to Apple and MSFT...yeah because THAT is progress. say what you want about Adobe but 1.- they let anyone bundle flash into any OS, be it FOSS or proprietary, 2.- They even allowed FOSS alternatives like gnash to be developed...you think MPEG-LA is gonna tolerate that shit with H.265?
Lets face it the whole thing is a giant clusterfuck right now, with the corps racing to see who can make HTML V5 the most nasty and content creators cheering all the way because God forbid they offend the great and mighty Apple. Mark my words in 5 years you'll be BEGGING for something like Flash because all we will have is paywalled DRM content with unskippable malware ridden ads and none of it will play unless you are on the latest corporate approved OS.
ACs don't waste your time replying, your posts are never seen by me.
Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins.
But will they play Badger Badger Badger?
Until that can be emulated on the "replacement functionality", removing Flash is a fundamental impact on the Internet Experience. ;-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I'm not my customer's IT.
AKA de facto standard.
Proprietary and standard are orthogonal.
Porn is essential
Go well
I was arguing with a graphic artist who I basically called a complete tool. He keeps making flash dominated sites for his clients. They look good but I was strongly arguing that he was screwing his clients as fewer and fewer people have flash on their internet thing, and that number will only keep falling. More importantly is that richer people with newer devices are even less likely to have it.
He kept quoting 2001 era stats about it having 98% penetration.
He is the perfect example of someone seeing the world as nails because all they have is a hammer.
They should have mandated from the start that videos/audios together with their controlling scripts, must be segregated into their own iframes, tagged accordingly.
I usually assume it is all a conspiracy to prevent me from accessing government precipitation analysis and weather radar data.
If you only use a handful of addons, and they're all well known, and you're using the same ones for years, then it might not be a problem for addons to run with the same privileges as other user software.
It is not automatically a given that application plugins, whatever the name, have to be "apps" that are fun little throw-away nonsense things that you would casually install and need to be protected from. There is room in the world for people who only want computer tools, or want tools separate from toys.
Pale Moon with Noscript. When they decide to start thinking for me, i'll look for another browser...
You are severely overdue to find a new browser then. Remember when Pale Moon wouldn't let you visit sites with weak certificates? They eventually backpedaled on that, but if you weren't lying, then you wouldn't be using Pale Moon any more after that.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.
The fact that you think a browser is discontinuing support for something for which they are not discontinuing support
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
For instance, I'm currently logged in to a customer's system through a browser based Java RDP client. They do not have other options. They don't have the resources to purchase other options.
There are a whole bunch of other options, many of which are free, including Microsoft's own downloadable RDP client. If you want people to buy your story, you're going to have to expand on that.
What they have works. In order to make it continue working, I need to have a browser that can use the plugin or create a VM with the supported browser and plugin installed and auto-update disabled on the browser.
Oh, so the way they are doing it now is the only way to do it? I think they should hire someone else.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.
Well, this is the dumbest thing you've said in this thread. What about the hidden flash apps the user never even sees? What about flash banner ads that the user is almost certainly not going to click to see what they are?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Haha, you said PKI.
Have hilarious memories here of ten years of continuous failure over PKI.
Thanks.
The chrome on my car is not so flashy anymore either after a year.
Flash is, and has been, a major, if not the biggest vector of attack in browsers since its inception. It has since its birth in the pits of hell been an ill-bred monstrosity, a cancer. It should have been euthanised long ago.
Companies that still use it for their ****ing "presence on the web" deserve to die the horrordeath of Doom.
These are not pesky little factoids you should leave out when you give an answer like that.