Status of click-to-play plugins in Firefox 24/26

Benjamin Smedberg benjamin at
Tue Oct 29 19:34:18 UTC 2013

Please follow up to firefox-dev.

Below is the current status of click-to-play plugins in Firefox.

On the morning of Friday 18-October, we enabled a block which made all 
versions of Java click-to-activate with the insecure UI (bug 914690). 
This block broke some Java users. The breakage can be grouped into 
several general categories:
* The plugin notification icon was not present in the location bar at 
all for some sites which use Java
* The plugin notification icon was present in the location bar, but 
users didn't notice it
* The plugin was visible on the page, but users didn't realize that they 
could click on it and didn't know what to do next

This affected some important sites in certain markets:
* many people in Norway who use the Norway BankID system which is 
currently Java-based.
* a few other prominent banks in Europe, and perhaps a few others

I don't have a good list of the affected sites, although I have been 
working with SUMO and feedback to try and get some better specific URLs. 
I am tracking the list at

The block for the most recent version of Java was disabled on Wednesday 
23-October. The block for older versions of Java that have public 
security advisories is still in place.

The issue where the plugin notification icon was not present at all is 
the most serious issue. There are apparently some common Java deployment 
scripts which create a Java instance, and if it does not activate, 
immediately remove it from the page. This caused our plugin doorhanger 
to cancel itself. With jaws' help, I have fixed this issue in bug 889788 
which landed for Firefox 26 beta 1.

This has not completely solved the problem. It turns out that there is 
another edge case where the plugin notification does not appear at all. 
This is now being tracked in bug 745187, and probably will not be hard 
to fix.

I have been working with lco and madhav to figure out if there are 
changes that we can do to make the in-content UI look more clickable. 
The current suggestion is to at least make sure that the cursor changes 
to a hand pointer when over the UI, and to reorder and reword the UI for 
the vulnerable-plugin case. This is tracked as bug 932446.

The final question is whether we need to make the hidden plugin case 
more discoverable. This was discussed at length a couple months ago. I 
still believe that the desired outcome is that we should not make hidden 
plugins discoverable, but I'm not sure whether we can actually pull that 
off in the market, especially with high-profile sites such as the Norway 
ID sites. Technically, exposing the doorhanger temporarily as in this 
is fairly straightforward. We could also copy Chrome's UI and show a 
more permanent yellow notification bar. I am not sure how to make this 
decision. I need feedback from UI and product experts on the best option 
here. If we are going to uplift any UI change of this sort into Fx26 and 
not slip a release, it will need to be done soon so that we can get 
thorough testing in the beta cycle.

