Status of click-to-play plugins in Firefox 24/26
benjamin at smedbergs.us
Tue Oct 29 19:34:18 UTC 2013
Please follow up to firefox-dev.

Below is the current status of click-to-play plugins in Firefox.

On the morning of Friday 18-October, we enabled a block which made all
versions of Java click-to-activate with the insecure UI (bug 914690).
This block broke some Java users. The breakage can be grouped into
several general categories:

* The plugin notification icon was not present in the location bar at
  all for some sites which use Java
* The plugin notification icon was present in the location bar, but
  users didn't notice it
* The plugin was visible on the page, but users didn't realize that they
  could click on it and didn't know what to do next

This affected some important sites in certain markets:

* many people in Norway who use the Norway BankID system which is
* a few other prominent banks in Europe, and perhaps a few others

I don't have a good list of the affected sites, although I have been
working with SUMO and feedback to try and get some better specific URLs.
I am tracking the list at

The block for the most recent version of Java was disabled on Wednesday
23-October. The block for older versions of Java that have public
security advisories is still in place.

The issue where the plugin notification icon was not present at all is
the most serious issue. There are apparently some common Java deployment
scripts which create a Java instance, and if it does not activate,
immediately remove it from the page. This caused our plugin doorhanger
to cancel itself. With jaws' help, I have fixed this issue in bug 889788
which landed for Firefox 26 beta 1.

This has not completely solved the problem. It turns out that there is
another edge case where the plugin notification does not appear at all.
This is now being tracked in bug 745187, and probably will not be hard

I have been working with lco and madhav to figure out if there are
changes that we can do to make the in-content UI look more clickable.
The current suggestion is to at least make sure that the cursor changes
to a hand pointer when over the UI, and to reorder and reword the UI for
the vulnerable-plugin case. This is tracked as bug 932446.

The final question is whether we need to make the hidden plugin case
more discoverable. This was discussed at length a couple months ago. I
still believe that the desired outcome is that we should not make hidden
plugins discoverable, but I'm not sure whether we can actually pull that
off in the market, especially with high-profile sites such as the Norway
ID sites. Technically, exposing the doorhanger temporarily as in this
is fairly straightforward. We could also copy Chrome's UI and show a
more permanent yellow notification bar. I am not sure how to make this
decision. I need feedback from UI and product experts on the best option
here. If we are going to uplift any UI change of this sort into Fx26 and
not slip a release, it will need to be done soon so that we can get
thorough testing in the beta cycle.