Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Firefox Mozilla Privacy Security The Internet

Firefox To Block Non-Essential Flash Content In August 2016, Require Click-To-Activate In 2017 (mozilla.org) 156

Mozilla has announced that it plans to discontinue support for Flash in Firefox. Starting next month, Firefox will block Flash content "that is not essential to the user experience." Also, starting sometime in 2017, the browser will require click-to-activate approval from users before a website activates the Flash plugin for any content. In a blogpost, the company writes:Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins. This includes audio/video playback and streaming capabilities, clipboard integration, fast 2D and 3D graphics, WebSocket networking, and microphone/camera access. As websites have switched from Flash to other web technologies, the plugin crash rate in Firefox has dropped significantly. [...] We continue to work closely with Adobe to deliver the best possible Flash experience for our users.
This discussion has been archived. No new comments can be posted.

Firefox To Block Non-Essential Flash Content In August 2016, Require Click-To-Activate In 2017

Comments Filter:
  • by HBI ( 604924 ) on Wednesday July 20, 2016 @01:30PM (#52548161) Journal

    Too much trying to think for me, without being able to turn the behavior off. Firefox and PKI is an absolute abortion. Now they are going to make people's lives more difficult vis a vis Flash because of some religious reason.

    Way to grow that market share!!

    • by gQuigs ( 913879 ) on Wednesday July 20, 2016 @01:32PM (#52548169) Homepage

      Chrome has done the first part of this for over a year...

    • by Anonymous Coward

      You do know about:config still exists, right? Because it sounds like you do not.

      • by HBI ( 604924 )

        OK, you enable "accept any certificate" in about:config, right now. I'll be waiting...while Firefox denies connection to old devices, with not a thing to be done about it.

        Knowing what you're talking about is a prerequisite for being snide.

        • Indeed. Firefox has had the ability to "Ask to activate" a plugin for a long time. I have had Flash set to this for years now. They could have made this the default for Flash, when either Firefox or Flash is first installed.
    • And what browser are you going to end up on? Because every sane modern browser is moving to 'Click to Activate' for Flash at the very least, and many other plug-ins as well.
      • by HBI ( 604924 ) on Wednesday July 20, 2016 @01:38PM (#52548239) Journal

        Pale Moon with Noscript. When they decide to start thinking for me, i'll look for another browser...

        • Then soon you won't have a browser to use.
        • Pale Moon with Noscript. When they decide to start thinking for me, i'll look for another browser...

          Explain how the browser is "thinking for you" by discontinuing support for something. Firefox is free software. Fork it and support Flash yourself if you care so much. Mozilla doesn't want to waste the resources on a plugin that causes problems for millions of people.

          • by HBI ( 604924 )

            The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.

            • by Aaden42 ( 198257 )
              The fact you drank the kool-aid and think Flash is anything other than a problem seems to be the problem here.
            • I think I see the problem here. HBI, for whatever delusional reason, believes that Flash is still useful. I think he was projecting when he talked about killing Flash for religious reasons.
              • I use it for work, just like Java. And by that I mean I have customers that use these plugins for essential tasks and without a browser to run the plugins, these customers are left out on their ass. For instance, I'm currently logged in to a customer's system through a browser based Java RDP client. They do not have other options. They don't have the resources to purchase other options. They don't have the IT staff to implement other options. What they have works. In order to make it continue working
                • For instance, I'm currently logged in to a customer's system through a browser based Java RDP client. They do not have other options. They don't have the resources to purchase other options.

                  There are a whole bunch of other options, many of which are free, including Microsoft's own downloadable RDP client. If you want people to buy your story, you're going to have to expand on that.

                  What they have works. In order to make it continue working, I need to have a browser that can use the plugin or create a VM with the supported browser and plugin installed and auto-update disabled on the browser.

                  Oh, so the way they are doing it now is the only way to do it? I think they should hire someone else.

            • The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.

              Are you denying that Flash has been the vector for numerous security exploits?

              • I don't see HBI saying anything of the sort. They're saying that browsers discontinuing support and thus making content on the Web inaccessible to their users is a bad thing.

                And they're absolutely right.

                The trend for modern browsers to drop support for any standard more than five minutes old, and in doing so cut off huge amounts of valuable content developed over multiple decades, is exactly the opposite of what the Web is supposed to be about.

                • The trend for modern browsers to drop support for any standard more than five minutes old, and in doing so cut off huge amounts of valuable content developed over multiple decades, is exactly the opposite of what the Web is supposed to be about.

                  Right on. When the WWW was conceived in Tim Berners-Lee's head, I'm sure the very first thing he salivated over was all of people whose bank accounts were jacked via Flash-transmitted malware.

                  • Flash hasn't been a favoured form of malware transmission for years. There are much easier targets these days, with click-to-play protection for plug-ins now being the norm in all major browsers.

                    Meanwhile, millions and millions of people still benefit from Flash apps every day, and all of those people are going to lose out.

                • by bheerssen ( 534014 ) <bheerssen@gmail.com> on Wednesday July 20, 2016 @04:00PM (#52549205)

                  Flash isn't any sort of standard except in the limited sense that it is used on a lot of web sites. It's a proprietary, closed source plugin and application; the precise opposite of a standard. This so-called "standard" exists solely at the whim of one company, Adobe, and they can do whatever they wish with it without regard to its users or anyone else. For instance, they dropped Linux support a few years ago without any input from the community.

                  In my opinion, Flash is an abomination that can't die soon enough. The same goes for Microsoft's Silverlight.

                  • by Anonymous Brave Guy ( 457657 ) on Wednesday July 20, 2016 @04:45PM (#52549447)

                    Flash isn't any sort of standard except in the limited sense that it is used on a lot of web sites.

                    And, until recently, more widely available and consistent across platforms than just about any official web standards other than HTML 4, CSS 2.1 and HTTP. In other words, Flash was a standard in the only way that really matters: it worked the same almost everywhere. Which, by the way, is far more than can be said for many of the new shiny toys that are supposed to replace it.

                    It's a proprietary, closed source plugin and application; the precise opposite of a standard.

                    Well, for one thing, that isn't anything like the precise opposite of a standard.

                    As for proprietary, closed source, and running as a separate process, have you looked at how HTML5 video works on iOS lately? Or the uses of EME, which is now a W3C standard? Or the number of different encodings you need to create to do something as simple as playing a video across most browsers in 2016, compared to the exactly one you needed with any number of Flash video players before?

                    This so-called "standard" exists solely at the whim of one company, Adobe, and they can do whatever they wish with it without regard to its users or anyone else.

                    How is that fundamentally different to all the major browsers pushing substandard HTML5 features instead because Google decides Chrome will do so and everyone else apparently feels the need to emulate them? Meet the new boss, same as the old boss (except that now you can't even see what the old boss was like any more because all the records are inaccessible).

                  • Flash isn't any sort of standard except in the limited sense that it is used on a lot of web sites.

                    AKA de facto standard.

                    Proprietary and standard are orthogonal.

              • I am because those "flash Exploits" are damned near all executing JavaScript which is the REAL threat here, you get rid of that stinking pile of offal that is JavaScript? I seriously doubt flash or any other plugin would be a problem.

                Oh and lets not kid ourselves about Flash being dropped, mmkay? It didn't have shit to do with security it had to do with Apple not wanting games running outside the iStore and because all the content creators kiss the iAss for fear of not getting a shot at the iMoney they went along with it.

                And what did we get to replace it, A proprietary as fuck DRM filled mess that is HTML V5 which is practically a love letter to Apple and MSFT...yeah because THAT is progress. say what you want about Adobe but 1.- they let anyone bundle flash into any OS, be it FOSS or proprietary, 2.- They even allowed FOSS alternatives like gnash to be developed...you think MPEG-LA is gonna tolerate that shit with H.265?

                Lets face it the whole thing is a giant clusterfuck right now, with the corps racing to see who can make HTML V5 the most nasty and content creators cheering all the way because God forbid they offend the great and mighty Apple. Mark my words in 5 years you'll be BEGGING for something like Flash because all we will have is paywalled DRM content with unskippable malware ridden ads and none of it will play unless you are on the latest corporate approved OS.

            • I usually assume it is all a conspiracy to prevent me from accessing government precipitation analysis and weather radar data.

            • The fact that you drank the kool-aid and think Flash is the problem is why you aren't seeing what's wrong with a browser discontinuing support for something that is still a presence on the Web.

              The fact that you think a browser is discontinuing support for something for which they are not discontinuing support

            • Flash is, and has been, a major, if not the biggest vector of attack in browsers since its inception. It has since its birth in the pits of hell been an ill-bred monstrosity, a cancer. It should have been euthanised long ago.

              Companies that still use it for their ****ing "presence on the web" deserve to die the horrordeath of Doom.

              These are not pesky little factoids you should leave out when you give an answer like that.

        • by Merk42 ( 1906718 )
          Well by the very nature of Pale Moon (or any program) having any configurable preference set to any default value, I guess it already is 'thinking for you'.
        • Pale Moon with Noscript. When they decide to start thinking for me, i'll look for another browser...

          You are severely overdue to find a new browser then. Remember when Pale Moon wouldn't let you visit sites with weak certificates? They eventually backpedaled on that, but if you weren't lying, then you wouldn't be using Pale Moon any more after that.

    • Now they are going to make people's lives more difficult vis a vis Flash because of some religious reason.

      ...
      Right, "religious reason." Surely it has nothing to do with the fact that Flash has probably been the biggest security blackhole of all time.

      • by HBI ( 604924 )

        No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is. Flash is way down on the list. And besides which, this is a shitty way to enforce security. Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.

        • No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is. Flash is way down on the list. And besides which, this is a shitty way to enforce security. Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.

          I won't disagree with you on the Windows part, but click-to-access does have some purpose. At least then the browser will only use Flash for something the user explicitly requests like a game, rather than it automatically running in the background for God-knows-what.

        • by lgw ( 121541 )

          No it isn't. Windows failure to segment "Administrator" from "General Purpose User" for most of the last 25 years is.

          "Windows killed my Pappy!"

          MS fixed that shit almost 10 years ago. FFS, enough already.

          Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.

          People are unlikely to "click through" ads, which is 100% the point here. YouTube is already ready for a post-Flash world. It's the advertising industry that needs a kick in the crotch (not that that will every be untrue, but here there's even more reason).

        • Click through access does nothing for security whatsoever except make people feel good. The user gets used to clicking through without thinking and you have the same vulnerability anyway.

          Well, this is the dumbest thing you've said in this thread. What about the hidden flash apps the user never even sees? What about flash banner ads that the user is almost certainly not going to click to see what they are?

    • Not to mention Flash is NOT the danger...its JavaScript.

      I can surf all day long with Flash on a JavaScript disabled browser without a care in the world because even the flash exploits are using JavaScript but if you surf without Flash but allowing JavaScript without Adblock or even better NoScript then guess what? Its gonna get pwned.

      So until we deal with the stinking rotting elephant in the room that is JavaScript and kill it deader than the blink tag? Then all this shit is for naught, its just a waste

    • Haha, you said PKI.
      Have hilarious memories here of ten years of continuous failure over PKI.
      Thanks.

  • Too damned late. (Score:5, Insightful)

    by Sable Drakon ( 831800 ) on Wednesday July 20, 2016 @01:32PM (#52548175)
    Mozilla should have made 'Click to Activate' the default behavior years ago. I've been running with that option toggled on for a few years, and it's never been an issue. If it's running Flash, I don't fucking want it turning on all by itself.
    • I've been doing the same thing. I can't stand websites that have silly Flash BS going on that I can't do anything about. I used to use NoScript to stop that, but now that it's built-in, it makes life so much easier.
      • I wanted to like NoScript, but it broke way too much shit. Click to Invoke Flash and UBlock Origin take care of easily 99% of my problems without making a website unusable or requiring per-site whitelisting.
        • It did get a bit tedious using it after a while, but at the time I figured "better safe than sorry" and was all about locking down sites I had never been to before(I used to find some pretty sketchy sites to stream UFC fights) I'm not so anal about site scripting anymore, and adblock is the main reason for that.
    • Mozilla should have made 'Click to Activate' the default behavior years ago.

      I have flashblock installed, but I have found that some websites (eg. Pandora) won't work with this configuration, so I have a special profile without flashblock that I use just for Pandora.

      • Flashblock works? There was a time it was dead, had to use ad blocking instead.
        When it did work, there was a whitelist feature that worked.

    • by Kkloe ( 2751395 )
      having a click to activate will make it easier for malware, as people will just click and dont think, most dont want to be bothered and this will bother people to just click and not think

      it will be even better\easier for sites with malware to be spread as they know can have: click here to activate flash and then it starts a download\exe\whatever to hijack the browser\computer
  • Firefox is dead. Political correctness in Mozilla killed it. Too many wanking hipsters write software these days instead of riding their bicycles.
    • Firefox is dead. Political correctness in Mozilla killed it. Too many wanking hipsters write software these days instead of riding their bicycles.

      Blocking an enormous security hole is "political correctness"?

      Did you flip this much of a shit when HTTPS was pioneered?

      • Probably still uses IE 7.
      • by Anonymous Coward
        When people start derping about "political correctness" you can tell they're not reality-based people. It's what stupid people complain about when asked to not act stupid. Most of the stuff decried as "political correctness" is simply not being an asshole, but that's too much for a lot of people, so now some dead-end subcultures consider being an asshole to be one of their "values", and being a decent person to be the worst thing in the world. See the dumpster file in Cleveland as an example of where rea
  • by gQuigs ( 913879 ) on Wednesday July 20, 2016 @01:33PM (#52548181) Homepage

    I've been pushing for this for quite a while. Especially for us Linux/Firefox users, the EOL of Flash is coming up fast and we need to be ready for it.

    • by HBI ( 604924 )

      The EOL date for technology is controlled by the users, not the manufacturer.

      • If this were true, you'd have most people still running Win98 or XP. Software makers and hardware vendors DO control when things are EOLed.
      • The EOL date for technology is controlled by the users, not the manufacturer.

        That's true for free software that can be forked when it's no longer maintained. But for proprietary software like Flash, the EOL is when the owner stops supporting it.

        Flash is a particularly egregious example since its design is inherently insecure, but at at the very least Adobe still issues patches for the publicly known vulnerabilities. That won't be true forever.

  • by OfficeLackey ( 4603645 ) on Wednesday July 20, 2016 @01:33PM (#52548183)
    Click to run should be the standard for all browsers and multimedia plugins. It's just safer that way. (Though advertisers will hate it...)
    • Mod up.
    • Fuck advertisers. If their ads weren't vehicles of lag, viruses, and obnoxious shit we wouldn't need to restrict them with Flash blocking or ad-blocking.
      • Without advertisers, there is no Internet, just a small network of subscription sites, so let's not fuck advertisers.

        With a decent connection, lag isn't an issue, but malware and obnoxious shit sure are. The big problem with Flash ads is the payloads they deliver, such as ransom-ware. Flash isn't a security hole that you can just leave open because you're unable to change with the times. It will totally screw you eventually.
        • by Anonymous Coward

          I am not sure if I care any more. The advertisements have gotten so obnoxious, so in-your-face that having a blocker is almost a requirement. The ones I hate the most these days are things that auto-play a video 5 minutes after you open the page, so you are frantically looking through all of your tabs to see which (*&*(& site is trying to feed you a (*&(&*& commercial.

          And when you say "with a decent connection", you don't always control that. For example, your phone might get a good c

        • Some of us liked the internet before the Crisis of Infinite Septembers.

          The rest of you whippersnappers can get off my lawn and take your damn billboards with you.
    • Control Javascript (Score:2, Insightful)

      by Anonymous Coward

      I agree with "Click2Run should be standard", but that's not enough.

      Mozilla writes:

      But plugins often introduce stability, performance, and security issues for browsers. This is not a trade-off users should have to accept.

      Well Javascript is the single biggest factor which "often introduces stability, performance, and security issues for browsers" . And to use Mozilla's words, this is not a trade-off which users should have to accept either. Why Mozilla does nothing to control and limit the impact of the pr

      • by naris ( 830549 )
        Blocking JavaScript is OK if you are browsing geocities sites using your dial-up modem. However, if you want to use any modern website, you need JavaScript as JavaScript is the *only* way to have anything other than a simple HTML only static website.
  • "We continue to work closely with Adobe to deliver the best possible Flash experience for our users." Problem found.
  • Never even noticed, are there any essentials sites that use flash?
    • vSphere vCenter Web Client requires Flash. You read that right a tool essential to managing today's server environment requires you to install Flash on your management workstation. Even better the newest version has features that can only be accessed through the Web Client.

      Much fun explaining to your security guys that you have to have the security-challenged Flash plug-ins on that machine.

    • Much of the free government GIS data, and mapped weather data, radar, etc.

  • by Anonymous Coward

    An annoying new trend: sites that pop up a window when you click to close a tab. The most innocuous ask if you really want to close the site. (I just said I did, didn't I?) Others lock you in an unclosable (short of a three-finger salute) page with the scam "your computer is infected, you must call xxx-xxx-xxx to resolve the problem" which I'm sure will phish for a CC number to "fix your problem." Anything that pops up after you choose to close and demands a response from you is likely malware. (Who kn

    • It's not even just when you click to close a tab, which would be obnoxious enough. Lots of pages announce their abandonment issues as soon as you move the mouse pointer to the tabs to toggle between tabs. This often leads me to close their tab, instead of leaving it to read later.
  • The last two flash installers have just hung forever on my system, so I'm not even watching anything that requires it right now. Maybe later, if Adobe figures out how to lay some files down on a Windows box. I'm not holding my breath. They become less competent with every passing hour.

    • Adobe still makes great authoring tools, it's just that Flash is now a depreciated technology, so they put little to no effort into it these days.
      • Adobe still makes great authoring tools, it's just that Flash is now a depreciated technology, so they put little to no effort into it these days.

        If they want people to care about their authoring tools, they're going to have to put in some more.

    • Flash 11.2 on linux still works. I would wonder about the Ubuntu on Windows 10 thing : run Firefox's linux version and Flash 11.2, coming through apt-get upgrade?

      • by steveg ( 55825 )

        For the immediate future, Ubuntu on Windows will be command-line only. I don't know if graphical apps are on the roadmap, but they're not scheduled for immanent release.

        • Third parties have already hooked WSL up to X11 [slashdot.org]

          I'd prefer if Qt and Gtk+ programs were diverted via pluggable shared libs to use their Win32 backends and bypass X11 altogether but that's an exercise for the reader.

          • That's nice about X11, I don't think it cares that your OS is "command line only" or not.
            There are several X11 servers for Windows, which can run graphical apps on your "command line" linux or Unix.

  • Flash deprecation (Score:5, Informative)

    by whoozwah ( 4223029 ) on Wednesday July 20, 2016 @02:06PM (#52548439)
    Good. Maybe next people will stop requiring javascript too. Too many sites require javascript to be enabled just to click on a damn link.
    • That's probably so they can log your click. You can choose to allow them to do that, or just ditch their site.
    • Luckily there is an information glut. Just try a different site; use their suckage as part of the selection process. People who can't be bothered to build sites that degrade gracefully usually have other problems in their information transmission process anyways.

  • Exactly what is ESSENTIAL FLASH CONTENT? Wouldn't that be an oxymoron, like decorative manure?
  • by Anonymous Coward

    firefox crashes less often.... half as often compared to 16-18 months ago... but "no!" it's not because they're actually writing better code and fixing bugs... it's because youtube is using flash less often. the firefox code itself is actually worse now.

  • I already have it set to click to play Flash. Fuck Flash
  • To this day, if you want to watch National Weather Service radar images on a loop (just in case you would like to see the tornado intent on killing you, and you're locale isn't worthy of live coverage in the nearest media market), you still have to use Flash.
  • Seriously I have been using flashblack on Chrome for years now and run adblock plus on IE for a year two as well.

    Flash is truly terrible and a risk.

  • Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins.

    But will they play Badger Badger Badger [badgerbadgerbadger.com]?

    Until that can be emulated on the "replacement functionality", removing Flash is a fundamental impact on the Internet Experience. ;-)

  • I was arguing with a graphic artist who I basically called a complete tool. He keeps making flash dominated sites for his clients. They look good but I was strongly arguing that he was screwing his clients as fewer and fewer people have flash on their internet thing, and that number will only keep falling. More importantly is that richer people with newer devices are even less likely to have it.

    He kept quoting 2001 era stats about it having 98% penetration.

    He is the perfect example of someone seeing th

A company is known by the men it keeps.

Working...