Status of click-to-play plugins in Firefox 24/26

Hontvári József Levente hontvari at flyordie.com
Wed Oct 30 12:24:29 UTC 2013


I believe that the "large play button" icon in the prototype mentioned
below is much more friendly than the currently used LEGO block. The LEGO
block reflects the viewpoint of a developer: a plugin is a building
block. The play button better meets the viewpoint of the user: something
which I would like to play (or start). It is also more intuitive,
because it implicitly shows the required action. The play button by
itself indicates to the user that he has to click on it. In contrast, I
rarely want to click on a LEGO brick. Moreover, using the play icon (a
triangle pointing to the right, in a filled circle, maximized to fill
the entire plugin area) would give more consistency amongst browsers;
Opera has been using such an icon for several years.

It would be great if Oracle Java and browser developers could agree on
who asks the user for permissions. The current situation is absurd:
first the browser asks for permission, and then the Java plugin asks
again. I think this is more of the responsibility of Oracle, but
some kind of API may help, so they know that the user already explicitly
indicated that he wants to start the plugin. An intuitive user interface
with the large play button also mitigates this problem; it is less of a
distraction compared to a dialog.

I am also interested in how we could be added to the list of affected sites.


On 2013.10.29. 20:34, Benjamin Smedberg wrote:
> Please follow up to firefox-dev.
>
> Below is the current status of click-to-play plugins in Firefox.
>
> On the morning of Friday 18-October, we enabled a block which made all
> versions of Java click-to-activate with the insecure UI (bug 914690).
> This block broke some Java users. The breakage can be grouped into
> several general categories:
> * The plugin notification icon was not present in the location bar at
> all for some sites which use Java
> * The plugin notification icon was present in the location bar, but
> users didn't notice it
> * The plugin was visible on the page, but users didn't realize that
> they could click on it and didn't know what to do next
>
> This affected some important sites in certain markets:
> * many people in Norway who use the Norway BankID system which is
> currently Java-based.
> * a few other prominent banks in Europe, and perhaps a few others
>
> I don't have a good list of the affected sites, although I have been
> working with SUMO and feedback to try and get some better specific
> URLs. I am tracking the list at
> https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Apbc4eh5_A9wdDRQUmE4UHNKSFFJYkQ5Yzd4VmF6V0E&usp=drive_web#gid=0
>
> The block for the most recent version of Java was disabled on
> Wednesday 23-October. The block for older versions of Java that have
> public security advisories is still in place.
>
> The issue where the plugin notification icon was not present at all is
> the most serious issue. There are apparently some common Java
> deployment scripts which create a Java instance, and if it does not
> activate, immediately remove it from the page. This caused our plugin
> doorhanger to cancel itself. With jaws' help, I have fixed this issue
> in bug 889788 which landed for Firefox 26 beta 1.
>
> This has not completely solved the problem. It turns out that there is
> another edge case where the plugin notification does not appear at
> all. This is now being tracked in bug 745187, and probably will not be
> hard to fix.
>
> I have been working with lco and madhav to figure out if there are
> changes that we can do to make the in-content UI look more clickable.
> The current suggestion is to at least make sure that the cursor
> changes to a hand pointer when over the UI, and to reorder and reword
> the UI for the vulnerable-plugin case. This is tracked as bug 932446.
>
> The final question is whether we need to make the hidden plugin case
> more discoverable. This was discussed at length a couple months ago. I
> still believe that the desired outcome is that we should not make
> hidden plugins discoverable, but I'm not sure whether we can actually
> pull that off in the market, especially with high-profile sites such
> as the Norway ID sites. Technically, exposing the doorhanger
> temporarily as in this mockup
> http://people.mozilla.org/~shorlander/files/click-to-play-prototype/clickToPlay-Mockup-03.html
> is fairly straightforward. We could also copy Chrome's UI and show a
> more permanent yellow notification bar. I am not sure how to make this
> decision. I need feedback from UI and product experts on the best
> option here. If we are going to uplift any UI change of this sort into
> Fx26 and not slip a release, it will need to be done soon so that we
> can get thorough testing in the beta cycle.
>
> --BDS