Thursday, November 22, 2012

Firefox 17 launches with click-to-play plugin blocks for old Adobe Reader, Flash, and Silverlight

The biggest addition in this release, in my opinion, is click-to-play plugins, announced back in October. In short, Mozilla will now prompt Firefox users on Windows who have old versions of Adobe Reader, Adobe Flash, and Microsoft Silverlight installed (more will be added eventually).

Mozilla is essentially merging the idea of click-to-play plugins (don’t load plugins until they’re clicked) with the concept of a blocklist (a list of add-ons and plugins that are disabled). As such, the click-to-play blocklist is a list of plugins that Mozilla deems unsafe for its Firefox users. Instead of completely disabling what’s on the list, however, the company will prevent them from running when the page loads: you’ll have to click first.

Here’s how the feature looks:

The prompt tells you that the plugin is vulnerable and that Firefox has therefore stopped it from loading automatically. If there is an update available, you will be prompted to update the plugin, but you will still be able to use it, if you want to, by clicking on the blocked grey box.

Additionally, if plugins are blocked on the currently-viewed Web page, Mozilla will feature a blue icon to the left of the address bar for more information. Here’s how the menu looks when opened up:

This feature is enabled by default; to make it work for all plugins, not just old ones, set the about:config preference “plugins.click_to_play” to true. While this is not an all-purpose plugin management system, it should still be useful as a prevention mechanism against drive-by attacks targeting plugins that are known to be vulnerable, such as attacks that urge users to click on a video link that is almost never what it claims to be, or that hide in ads on a legitimate website.

There are of course other Firefox 17 features worth noting; here’s the official changelog:

  • NEW: Click-to-play blocklisting implemented to prevent vulnerable plugin versions from running without the user’s permission.

  • CHANGED: Updated Awesome Bar experience with larger icons.

  • CHANGED: Mac OS X 10.5 is no longer supported.

  • DEVELOPER: JavaScript Maps and Sets are now iterable.

  • DEVELOPER: SVG FillPaint and StrokePaint implemented.

  • DEVELOPER: Improvements that make the Web Console, Debugger and Developer Toolbar faster and easier to use.

  • DEVELOPER: New Markup panel in the Page Inspector allows easy editing of the DOM.

  • HTML5: Sandbox attribute for iframes implemented, enabling increased security.

  • FIXED: Over twenty performance improvements, including fixes around the New Tab page.

  • FIXED: Pointer lock doesn’t work in web apps (769150).

  • FIXED: Page scrolling on sites with fixed headers (780345).

Apart from the usual performance improvements and the sandboxing of iframes, the next most important thing is that support for OS X 10.5 Leopard has been dropped. If you’re still using the ancient OS X version, you can keep using Firefox 16, but that’s about it. This follows in the footsteps of Google Chrome, which did the same back in September.

If you’re a Web developer, you may also want to check out Firefox 17 for developers. Also, the Social API is out with the release of Firefox 17.


  1. From what I know, we haven't actually activated any CTP blocks in FF17 yet, though - and for Flash, we'll probably not do that until FF18 because there's a few more bugs to weed out in that system.
    All that said, it's really great that we have this mechanism and I'm looking forward to having a fully working version of it rolled out to our millions of users, so we can protect them even better from exploits that are going around in the wild!

  2. I think we already start blocking Flash Player, I tried on beta and not sure about release

  3. We did apply the CTP blocks to beta, but decided not to do so yet on release, and pulled them back to 18 and above for now. We might put forward to non-Flash ones to 17 again in two weeks or so, but Flash won't be CTP-blocked before 18. I was involved in the decision making process there.

  4. Okay, thanks for the update, I will update this post soon :)