Status of click-to-play plugins in Firefox 24/26

Benjamin Smedberg benjamin at
Wed Oct 30 14:00:37 UTC 2013

On 10/30/2013 9:39 AM, Gervase Markham wrote:
> On 30/10/13 13:08, Benjamin Smedberg wrote:
>> As noted in a previous thread
>> (
>> there are some serious tradeoffs with making things discoverable versus
>> protecting users from attacks delivered via ad networks.
> Just so I understand: the threat here is that users will intentionally
> activate plugins in instances where they should not activate them,
> because it's actually an attack?
> That is, if the page says "this page needs a plugin to work", people
> will just click the "Whatever" button without caring whether the plugin
> is providing some function they need?
Yes, basically. We have data which shows that currently the most common 
malware/virus infection method is via Java delivered via ad networks and 
normal browsing. So we want to make it as unlikely as possible that 
users will activate Java while browsing the normal web, while still 
making it *possible* to activate Java on particular bank or business 
sites that still require it.

>> In the short term, however, there are enough sites that use hidden Java
>> that we may need some sort of compromise. The possible workarounds are
>> discussed a bit in my original email, and I'm working with madhav, lco,
>> and chadw to identify whether and which workaround we would deploy.
> Can we auto-resize invisible plugins to 300x300, and size them back
> again once they are click-to-play-ed?
This is an interesting idea worth trying out, but it won't help in every 
case. I believe that it's possible to try this using this 
userContent.css snippet:

object:-moz-handler-vulnerable-no-update {
   /* force a box large enough to show the click-to-play overlay */
   min-width: 250px !important;
   min-height: 250px !important;
}

We'd really have to see what effects this has on existing sites that are 
affected before deciding whether this is something we can actually ship.
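To see which instances the min-size idea above would affect, here is an added audit helper (not from the thread or from Firefox): it walks a page's plugin elements, keeps the Java ones, and reports those whose rendered box is smaller than the 250px assumed from the snippet. The MIME-type list and the sample elements are constructed assumptions.

```javascript
// Threshold assumed from the userContent.css snippet in the thread.
const MIN_OVERLAY_PX = 250;

// MIME types that load the Java plugin (assumed list; extend for your site).
const JAVA_TYPES = new Set([
  'application/x-java-applet',
  'application/x-java-bean',
  'application/x-java-vm',
]);

// el: { tag, type, width, height } with sizes in CSS pixels.
function isJavaInstance(el) {
  if (el.tag === 'applet') return true;
  const type = (el.type || '').split(';')[0].trim().toLowerCase();
  return JAVA_TYPES.has(type);
}

// Returns every Java instance, flagging those too small to host the
// click-to-play overlay and the size the min-width/min-height rule would force.
function auditPluginInstances(elements) {
  return elements.filter(isJavaInstance).map((el) => ({
    ...el,
    hidden: el.width < MIN_OVERLAY_PX || el.height < MIN_OVERLAY_PX,
    forcedWidth: Math.max(el.width, MIN_OVERLAY_PX),
    forcedHeight: Math.max(el.height, MIN_OVERLAY_PX),
  }));
}

// Browser wrapper: collect live <object>/<embed>/<applet> boxes from a DOM.
function auditDocument(doc) {
  const nodes = doc.querySelectorAll('object, embed, applet');
  const elements = Array.from(nodes, (n) => {
    const r = n.getBoundingClientRect();
    return {
      tag: n.tagName.toLowerCase(),
      type: n.getAttribute('type') || '',
      width: r.width,
      height: r.height,
    };
  });
  return auditPluginInstances(elements);
}

// Constructed sample: a 1x1 Java object, a visible applet, and a Flash embed.
const SAMPLE = [
  { tag: 'object', type: 'application/x-java-applet;version=1.6', width: 1, height: 1 },
  { tag: 'applet', type: '', width: 400, height: 300 },
  { tag: 'embed', type: 'application/x-shockwave-flash', width: 1, height: 1 },
];
```

Run auditDocument(document) from a page's console to list the instances the resize rule would change; the Flash embed is ignored because only Java is being targeted here.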
