Status of click-to-play plugins in Firefox 24/26

Gervase Markham gerv at mozilla.org
Wed Oct 30 13:39:08 UTC 2013


On 30/10/13 13:08, Benjamin Smedberg wrote:
> As noted in a previous thread
> (https://mail.mozilla.org/pipermail/firefox-dev/2013-September/000903.html)
> there are some serious tradeoffs with making things discoverable versus
> protecting users from attacks delivered via ad networks.

Just so I understand: the threat here is that users will intentionally
activate plugins in instances where they should not activate them,
because it's actually an attack?

That is, if the page says "this page needs a plugin to work", people
will just click the "Whatever" button without caring whether the plugin
is providing some function they need?

> In the short term, however, there are enough sites that use hidden Java
> that we may need some sort of compromise. The possible workarounds are
> discussed a bit in my original email, and I'm working with madhav, lco,
> and chadw to identify whether and which workaround we would deploy.

Can we auto-resize invisible plugins to 300x300, and size them back
again once they are click-to-play-ed?

Gerv



