Status of click-to-play plugins in Firefox 24/26

Lawrence Mandel lmandel at
Wed Oct 30 15:52:03 UTC 2013

----- Original Message -----
> Please follow up to firefox-dev.
> Below is the current status of click-to-play plugins in Firefox.
> On the morning of Friday 18-October, we enabled a block which made all
> versions of Java click-to-activate with the insecure UI (bug 914690).
> This block broke some Java users. The breakage can be grouped into
> several general categories:
> * The plugin notification icon was not present in the location bar at
> all for some sites which use Java
> * The plugin notification icon was present in the location bar, but
> users didn't notice it
> * The plugin was visible on the page, but users didn't realize that they
> could click on it and didn't know what to do next
> This affected some important sites in certain markets:
> * many people in Norway who use the Norway BankID system which is
> currently Java-based.
> * a few other prominent banks in Europe, and perhaps a few others
> I don't have a good list of the affected sites, although I have been
> working with SUMO and feedback to try and get some better specific URLs.
> I am tracking the list at

>From the short list of sites that you have gathered have you been able to extract patterns of Java usage (i.e. how Java is programmatically used within a page)? If so, are the usage patterns and our solution for them documented somewhere?


> The block for the most recent version of Java was disabled on Wednesday
> 23-October. The block for older versions of Java that have public
> security advisories is still in place.
> The issue where the plugin notification icon was not present at all is
> the most serious issue. There are apparently some common Java deployment
> scripts which create a Java instance, and if it does not activate,
> immediately remove it from the page. This caused our plugin doorhanger
> to cancel itself. With jaws' help, I have fixed this issue in bug 889788
> which landed for Firefox 26 beta 1.
> This has not completely solved the problem. It turns out that there is
> another edge case where the plugin notification does not appear at all.
> This is now being tracked in bug 745187, and probably will not be hard
> to fix.
> I have been working with lco and madhav to figure out if there are
> changes that we can do to make the in-content UI look more clickable.
> The current suggestion is to at least make sure that the cursor changes
> to a hand pointer when over the UI, and to reorder and reword the UI for
> the vulnerable-plugin case. This is tracked as bug 932446.
> The final question is whether we need to make the hidden plugin case
> more discoverable. This was discussed at length a couple months ago. I
> still believe that the desired outcome is that we should not make hidden
> plugins discoverable, but I'm not sure whether we can actually pull that
> off in the market, especially with high-profile sites such as the Norway
> ID sites. Technically, exposing the doorhanger temporarily as in this
> mockup
> is fairly straightforward. We could also copy Chrome's UI and show a
> more permanent yellow notification bar. I am not sure how to make this
> decision. I need feedback from UI and product experts on the best option
> here. If we are going to uplift any UI change of this sort into Fx26 and
> not slip a release, it will need to be done soon so that we can get
> thorough testing in the beta cycle.

Of course we need to keep in mind that users just want these sites to work so that they can do whatever their task happens to be. While we want to secure our users they do have an option if a site doesn't work in Firefox - try another browser.

In terms of uplifting, is there a good reason to keep this change in 26? If UI and string changes are required, why not defer to a later release?


More information about the firefox-dev mailing list