Third-party plug-ins can be a real pain in the back for browser developers. Security holes constantly showing up in Java or Adobe Reader, for example, leave those running unpatched versions open to potential drive-by download attacks. Looking to minimize the threat, Mozilla will flip the switch on a security feature that stops plug-ins from loading until the user explicitly permits it with a click.
The feature, known as click to play, was actually introduced late last year with Firefox 14 but remained disabled by default. It wasn't particularly visible to users either as the only way to enable the feature back then was through the about:config screen. Up until now Firefox's click-to-play disabled only out-of-date plugins, but Mozilla is changing that to all plug-ins except for the most recent version of Adobe Flash.
Click to play will be enabled by default in upcoming releases of Firefox. There's no timeline for the change, but Mozilla says it will happen gradually, adding click to play to old versions of Flash, before moving on to the current versions of Silverlight, Adobe Reader, and Java and then all other plugins. To load a plug-in, the user will need to click on the corresponding page element or click on a Lego block-like icon near the address bar.
"Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user's experience on the Web. This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox," says the company's director of security assurance, Michael Coates. "By only activating plugins that the user desires to load, we're helping eliminate pauses, crashes and other consequences of unwanted plugins."
