Status of click-to-play plugins in Firefox 24/26
benjamin at smedbergs.us
Wed Oct 30 14:00:37 UTC 2013
On 10/30/2013 9:39 AM, Gervase Markham wrote:
> On 30/10/13 13:08, Benjamin Smedberg wrote:
>> As noted in a previous thread
>> there are some serious tradeoffs with making things discoverable versus
>> protecting users from attacks delivered via ad networks.
> Just so I understand: the threat here is that users will intentionally
> activate plugins in instances where they should not activate them,
> because it's actually an attack?
> That is, if the page says "this page needs a plugin to work", people
> will just click the "Whatever" button without caring whether the plugin
> is providing some function they need?
Yes, basically. We have data which shows that currently the most common
malware/virus infection method is via Java delivered via ad networks and
normal browsing. So we want to make it as unlikely as possible that
users will activate Java while browsing the normal web, while still
making it *possible* to activate Java on particular bank or business
sites that still require it.
>> In the short term, however, there are enough sites that use hidden Java
>> that we may need some sort of compromise. The possible workarounds are
>> discussed a bit in my original email, and I'm working with madhav, lco,
>> and chadw to identify whether and which workaround we would deploy.
> Can we auto-resize invisible plugins to 300x300, and size them back
> again once they are click-to-play-ed?
This is an interesting idea worth trying out, but it won't help in every
case. I believe that it's possible to try this using this
    min-width: 250px !important;
    min-height: 250px !important;
We'd really have to see what effects this has on existing sites that are
affected before deciding whether this is something we can actually ship.