Mozilla Testing Click-to-Play Option For Plugin Content 124
Trailrunner7 writes "Mozilla is developing a feature in Firefox that would require some user interaction in order for Flash ads, Java scripts and other content that uses plugins to play. In addition to easing system slowdowns, the opt-in for Web plugins is expected to reduce threats posed by exploiting security vulnerabilities in plugins, including zero-day attacks. 'Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web. So much so, that over 99% of internet users have Flash installed on their browser,' writes Mozilla's Jared Wein, the lead software engineer on the project, in a blog post."
Why did it take so long?! (Score:5, Insightful)
Seriously, this is a no-brainer, that has been implemented by tonnes of extensions. So now that we're at version 4000, why is it suddenly a good idea to implement it?
Re:Why did it take so long?! (Score:4, Informative)
And, it was the subject of an EOLAS lawsuit against Microsoft, who IIRC had to disable automatically running things in IE for a while (maybe they got that overturned before actually having to implement it).
EOLAS invents something, patent-trolls, gets $30million (down from the 500+ originally awarded) and 10 years later everyone starts to realize it's a bad idea!
Re: (Score:2)
Frankly, MS should have kept that Click to run as an security option in IE. It pretty much did the same thing noscript did back in 2003. Of course IIRC it had one of those annoying drop down bars you had to click on in order to get it to run instead of clicking the control box in question and it was easily worked around (but that could be fixed)
Gnash (Score:4, Insightful)
I would like it if one could decide on a per-site basis to play the Flash with Gnash or with Adobe Flash.
Gnash is much faster, plays nicer with the graphic card, and is more secure. I had success using it on several websites.
However it doesn't support many of the newer Flash features, so everyone trying it out will turn away from it.
If there was a "SafeFlash" extension, that would, like HTTPSEverywhere, use Gnash where the website is compatible, a smooth transition away from Adobe Flash (which will be phased out for Linux anyway apparently) would be possible.
Comment removed (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
FTFY: FF logs the target in and then everyone in their address book gets porn and malware sperm links.
Re: (Score:2)
FF logs the target in and then everyone in their address book gets porn and malware sperm links
I had to ask, was that intentional?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Why is this a Firefox bug? What do other browsers do to prevent this type of thing? I was under the impression that cross site scripting prohibitions in the browser prevented sites from doing what you're saying is happening.
Why would a master password protect against this issue? Wouldn't the password autofilling (assuming that's the issue) be available once the user had entered the master password, just as if there were no master password? I admit I've never bothered to set a master password, so maybe t
Re: (Score:2)
That said... I've switched to Chrome
Re: (Score:2)
It isn't a good idea unless it is disabled by default and only available as an option.
I WANT Firefox to spread in the enterprise, and this will likely make that less probable.
Web based applications requiring individual permissions for aspects of their functionality in the corporate world? I have enough trouble getting these mental giants to load a web page...
Re: (Score:2)
finally (Score:2, Insightful)
This should have been the default 10 years ago.
I'm a fan of Java, but I still cringe when I go to a web page and the Java console opens.
for javascript? (Score:5, Insightful)
really? you'd get carpel tunnel if you had to click-to-run every script on most commercial sites these days.
no script is more effective but with a learning curve.
but either method will still have the masses turning the 'feature' off (essentially white-listing everything).
Re:for javascript? (Score:4, Informative)
I've been using NoScript for years. You whitelist the trusted sites where you need it & the others are just an occasional click.
Re: (Score:2)
exactly.. but the brain-dead masses won't "get" how to use it... thus, would just turn it off (if they could even figure *that* out) or continue their click-click-click-click ways..
NS (Score:5, Interesting)
I've tried this on numerous occasions, the more advanced users eventually click 'Allow Scripts Globally", the less advanced keep calling me until I click 'Allow Scripts Globally".
I personally love it, easy-peasy black/white-list. My other apps do not stutter and bog whenever I scroll a page or open a new one. Pages load faster or not at all(both good IMO). Google's auto-search doesn't clog up my 1MB connection or freeze FF trying to force feed me their assumptions(must remove Goog from pre-loaded whitelist). Minimal ad tracking tools/cookies/malware collecting in my system, bleachbit completes in record time. My whitelist allows mo-add-ons page, my local library and some local devices. I'm typing now with /. & FSDN blocked. With the exception of moderation, the site suits me better with them blocked!
Re: (Score:2)
Moderation comes and goes. Right now, I shift-click the comment number and get the comment by itself in a new window. Select the moderation, and the 'moderate' button is at the bottom.
Even if it has child replies, as long as they remain 'normal', you only moderate the single comment.
It also helps refresh to see if someone else has changed the moderation, or made a reply that I should consider in my moderation. Unless there are 5 child replies and the page gets large, overall I think this way is the best
Re: (Score:2)
I use the "allow second-level domains" (or whatever it's called) on NoScript. For example: news.slashdot.org. That eliminates a lot of headaches but still blocks dangerous sites filled with viral-scripting.
I also use the free AVG which includes a Firefox plugin to filter-out anything it considers bad.
Re: (Score:2)
the braindead will want a way to fix it, quick, without thinking hard. if you want this as default, but don't want them turning it completely off, then you need to provide a really easy way of them to think they've fixed their immediate problem. They won't think beyond that. Maybe a "whitelist this page so your scripts work?" popup the first time you visit a site? may get annoying on every other page, though.
Re: (Score:2)
I do this, but if everybody had it as the default, the websites would put all the scripts in the same domain so you would have to choose to get all or nothing.
The companies the host the ad scripts would have to figure out a way to make money without hosting their scripts directly, but I'm sure they would figure out something.
Re:for javascript? (Score:4, Informative)
This doesn't have anything to do with Javascript, Javascript is not a plugin. This affects plugins like Flash, Java, and Silverlight.
Re: (Score:2)
Or, we stop loading scripts. You're assuming a whitelist wouldn't be built in. I use Ghostery, and it sometimes requires intervention, but for the most part silently nukes ad scrapers. This would create something similar, but standard in the browser. Third party script? No thanks.
Oh, and Click-for-Flash (via an add on) has been my preferred UI for years. Works fine.
Re: (Score:1)
The summary doesn't say "JavaScript" it says "Java scripts", as in applets. JavaScript isn't even a plugin. They're talking about blocking automatic execution of Java applets and Flash, not JavaScript.
Per usual Opera's been doing it for years (Score:2)
Well maybe not "years" but since Opera 10 came out. The Javascript operates normally, but if you turn-on the Turbo mode, Opera does not load any flash content but just displays a placeholder until you click it.
That's a nice way to avoid loading a lot of ads, or embedded youtube videos (thus speeding-up browsing). Opera also has a convenient "images off/on" toggle at the bottom, which I use on slow connections like Dialup or cellphone.
Re: (Score:1)
You don't have to use turbo mode.
Tools -> Preferences -> Advanced -> Content -> Enable plug-ins only on demand.
Re: (Score:1)
In addition, this can be turned on granularly as well (per website). It'll be under F12->Edit Site Preferences.
You mean like (Score:1)
Re:You mean like (Score:4, Informative)
Re: (Score:2)
Re: (Score:3)
i think you need to change the defaults for that. Might be a reason, why some noscript users still use flashblock.
Re: (Score:2)
People who allow scripts so the page will run/load, might not want flash running automatically. For example the entire Gawker family, including iO9 which occasionally posts interesting things. I might whitelist it to read the content, but I don't want flash loading automatically.
So you get the combination. By default, Java, Flash Silverlight, and 'other plugins' are disabled bu default.
Re: (Score:2)
yeah, and you can configure noscript to block plugins even when scripts are allowed.
you need to enable "block plugins even on whitelisted sites" or something like this. Then you have exactly the flashblock behaviour.
Re: (Score:2)
"i think you need to change the defaults for that. Might be a reason, why some noscript users still use flashblock."
Interface for Flashblock is better. You just click the element, you don't need to go through a menu.
Re: (Score:2)
same interface in noscript. i do not speak of the script blocking part,but of the click-to-start-plugin part.
Re: (Score:2)
Re: (Score:2)
I just tested it, and the "Block Adobe Flash" option in my NoScript settings doesn't even work.
Re: (Score:2)
[x] block adobe flash
[x] use on trusted websites, too
[x] show placeholder symbol
(not the exact text, as my system does not have an english locale)
Re: (Score:2)
Re: (Score:2)
works fine, firefox 11. dunno if any other settings are relevant. but flashblock additional is fine, too.
Re: (Score:1)
IIRC, NoScript would allow every YouTube video to play automatically if I just allowed one YouTube video to play temporarily. So, I installed flashblock, which ALWAYS requires me to start each flash video manually.
Re: (Score:2)
Re: (Score:2)
Yeah those of us who care about security have been using NoScript for years but this will push the ignorant masses into better security.
Re: (Score:2)
Yeah those of us who care about security have been using NoScript for years but this will push the ignorant masses into better security.
No, those of us who care about security, speed, and and hate ads and social crap have been using NoScript for years.
And we set it up so that clicking the button triggers "Temporarily allow all this page". If a site doesn't work, we just click the button repeatedly until it does.
Re: (Score:1)
Re: (Score:2)
Yeah those of us who care about security have been using NoScript for years but this will push the ignorant masses into better security.
A little bit... however, I doubt Mozilla is going to go as far as NoScript with the concept; likely, they'll stick to blocking media (read: Flash videos) and continue to allow the ad servers all the access they want.
Re: (Score:2)
You're certainly right & that will mean that there will still be a good reason to use NoScript. However that doesn't mean that what Mozilla is planning still won't be a good thing for the less security consious.
since flash on Linux is soon to be (Score:2)
HTML5 has half the frame rate of Flash (Score:5, Interesting)
i would rather see HTML-5 make plugins like flash obsolete
So would I. But first, someone must fix these problems:
Re: (Score:2)
> vector animation
> canvas
you're doing it wrong.
you need to test scripted svg.
And SVG is even slower (Score:3)
you need to test scripted svg.
Result of same benchmark with SVG [themaninblue.com]: eight times slower than Canvas.
Re: (Score:1)
They key here actually is that Firefox's SVG sucks - not that SVG in general sucks.
On my machine I get the following results for the test with the default parameters
Firefox:
Canvas ~35 FPS
SVG ~3 FPS
Chrome
Canvas 40-50 FPS (bounces around a bit more than the other tests)
SVG ~ 65 FPS
Re: (Score:2)
flash html canvas svg with chromium.
with firefox, flash is the fastest and the rest is sucking.
good argument for using more chromium.
i really need to evaluate, how much of my data (history, bookmarks, etc.) can be imported and which extensions i would really be missing.
If analytics show a lot of Gecko (Score:2)
good argument for using more chromium.
So if analytics show a lot of Gecko (Firefox, SeaMonkey, etc.) and a lot of MSIE, what's the most polite way to encourage the user to install one of the Chromium browsers so that the frame rate will become acceptable?
My own results (Score:2)
2 year old graphs
I wasn't intending to link to the graphs per se; I wasn't even aware that they were on that page. I was linking to a benchmark suite and stating my own results of running three of the benchmarks on the latest release-channel version of Firefox on a particular PC. Which benchmarks would you prefer that I had used instead?
Re: (Score:2)
That's funny because for me, with Win7/Firefox 11 on a Core i5 CPU with a recent Nvidia GPU, for a 2000 particle run I get 40fps in Flash and about 45fps using canvas.
http://themaninblue.com/experiment/AnimationBenchmark/flash/?particles=2000 [themaninblue.com]
http://themaninblue.com/experiment/AnimationBenchmark/canvas/?particles=2000 [themaninblue.com]
So I guess YMMV.
Re: (Score:1)
I get ~42fps on my 3rd gen iPad for canvas. Either you have an old computer or Firefox's implementation is crap.
Five-year-old PCs in this recession (Score:2)
Re: (Score:2)
Re: (Score:2)
Flash gives me about 60fps, where canvas was staying right around 90fps with an occasional drop to 75fps, though Flash also did have some slow spikes. This is on Firefox 11 with the on CPU Intel graphics on a mobile i7.
Re: (Score:2)
I get roughly the same under Flash, but it's very jumpy, with swings f
Re: (Score:2)
HTML: 60 fps
Canvas: 87 fps
SVG: 85-90 fps
Flash: 33-36 fps
Chromium 17 & Flash 11-r1, on Debian testing.
Re: (Score:1)
32-33 FPS HTML
69-70 FPS Canvas
23-28 FPS SVG
54-60 FPS Flash
Quad-core I5 at 3.40GHZ running Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:14.0) Gecko/20120412 Firefox/14.0a1 ID:20120412030726
GeForce GT 440
So, yes, I'm cheating by running the burning edge of the latest FF in 64-bit mode, alpha software running on Windows 8 64-bit, also alpha.
Yes, I have Flash installed in my browser. (Score:2)
So much so, that over 99% of internet users have Flash installed on their browser,' writes Mozilla's Jared Wein, the lead software engineer on the project, in a blog post.
Yes, I have Flash installed in my browser.
No, I do not have Flash enabled all the time in my browser. I only enable Flash for the particular content I want to view via Flash.
I already have the "click to play" option for Flash.
Bad TFA (Score:1)
Re: (Score:2)
While it could have been worded better, Java scripts clearly has a space in the middle, meaning that the language being referred to is Java, not JavaScript.
They should have said Java Applets, though.
Re: (Score:2)
There's no such thing as a java script. Java is not a scripting language.
Re: (Score:2)
Yeah, looks like he forgot to count smartphone and tablet users. Maybe he meant 99% of Firefox users ?
There's a better solution (Score:2)
Re: (Score:2)
Ban plugins, their time has come and gone. The web's a very different place from when they were introduced in the mid 90's.
Re:There's a better solution (Score:4, Insightful)
Re: (Score:2)
That's a vicious circle: things get implemented in Flash because the browser's too slow, browser features get a low priority because there's Flash to lean on, ... Third party plugins are the bane of the modern open web maybe it's worth dealing with breakages for a year if it forces the issue.
Re: (Score:1)
Or the users will just move to the browser that doesn't break things since they won't want breakage.
Re: (Score:3)
Or the users will just move to the browser that doesn't break things since they won't want breakage.
Yeah, It'd require some consensus between Mozilla, Google and Microsoft although the first two would probably be able to force the issue on their own. Note that Apple's already there with iOS. The future is smartphones and tablets and they're already plugin-free, we just need the desktop to catch up.
Users who lack privs to move to another browser (Score:2)
Or the users will just move to the browser that doesn't break things
In an office, public library computer lab, school computer lab, or other institutionally managed setting, it's not the user's choice; it's the IT administrator's choice. Users don't get to install browsers because they aren't administrators, and in some cases (such as AppLocker), users don't even get to download executables or bring them in on USB flash drives.
not good (Score:2)
instead of stuffing more and more into the browser itself, put more of the stuff in plugins.
but not the old nsplugins, limited to their square area, but plugins which can for example improve the javascript engine, define new html-tags, and such stuff.
okay, much of this is done via javascript already nowadays, but everthing which would run faster with native code, should go to plugins. so what about and video? They could be plugins, just with a reasonable api, not the limited api which nsplugins use.
tl;dr:
Re: (Score:2)
even native code could be run in a way, which cannot break your browser.
Its already tested (Score:2)
flashblock and noscript provide this option since a looooong time. They could just ask the users of these addons for their experience.
ClickToPlugin (Score:3)
I run ClickToPlugin in Safari for all the reasons above. During general browsing my fan no longer turns on and my battery lasts days.
You mean... (Score:2)
Like Opera's had for about 3 major versions now?
There's always the Flashblock plugin (Score:2)
"..Blocks Flash so it won't get in your way, but if you want to see it, just click..."
https://addons.mozilla.org/en-US/firefox/addon/flashblock/ [mozilla.org]
Re: (Score:2)
Came here to say exactly that. Looks like their intention is to integrate the functionality into firefox itself.
Re: (Score:2)
like personas. put more stuff into the core, which works better as an extension.
Re: (Score:2)
Well yeah, essential thing *should* be made part of the core. Hell, have you tried browsing the web without flashblock? Flash eating all you CPU all the time with ads, sounds comming from background tabs you can't find, etc, etc.
In some cases, it *is* more effiecient too, imagine writing something that connects to an API, registers a callback, etc, vs doing something in-core. If done properly, a minor efficienty improvement might be seen.
Finally, flashblock is ugly, the icon is horrible streched all the
yes, please (Score:4, Insightful)
On anything that is video (animated images count) or audio, I absolutely want confirmation.
I regularily open several tabs in the background, e.g. go through a news site, open all interesting articles in their own tabs, continue until end of summary page, then go read all of them. The next time some audio suddenly starts blasting through my speakers, drowning out my music, and I have to hunt down the fucking window that does it, I'll do berserk.
Seriously, audio in webpages should always require an explicit user start.
What am I missing? (Score:3)
OK, I don't use Firefox, I use Chrome. And I have plug-ins disabled by default, so they all show up as grey boxes. If I want to run one I right click and select Run. How is this any different?
Re: (Score:1)
Re: (Score:1)