

Firefox to block content based on Java, Reader, and Silverlight - sk2code
http://arstechnica.com/security/2013/01/firefox-to-block-content-based-on-java-reader-and-silverlight/

======
AgentConundrum
I think this was first introduced in version 15 or 16, and I've been using it
almost ever since. It was an opt-in feature (had to be enabled manually in
about:config [1]), and it wasn't without issue. It was bad enough that I
temporarily disabled it for a while until the next time Firefox upgraded.

The problem was that you had to, as the article says, "click" to play content.
This was fine on YouTube, Netflix, etc., since there was a very obvious visual
cue about how to activate your content [2]. However, not all sites had such
obvious cues. SoundCloud, for example, would just silently fail, and I would
have to manually disable the feature to get it to play (in practice, I just
loaded the URL in Chrome).

Since Firefox 18, this has been much better. Now, there is an area next to the
address bar that you can use to enable content, even if there is nothing on
the actual page that you can click [3]. When you click this area, a pop-up
appears asking which plugins you would like to load, and if you would like to
always allow plugins on that site.

This pop-up is hidden for the most part, and isn't trivially discoverable[4] -
something Mozilla really needs to work on - but it _does_ pop up the very
first time you encounter a page with blocked content (per Firefox session, it
seems), so there is at least _some_ notification that you can unblock content.

If they're planning on having this feature enabled by default, I really doubt
it will be the end of the world for most people. They'll just click the
notification, and play through.

[1] Set the value of `plugins.click_to_play` to `true`. If it doesn't exist,
create a new Boolean value for it, setting the name/value as above.

[2] <http://i.imgur.com/jhxqoJ9.png>

[3] <http://i.imgur.com/RNXw1JO.png>

[4] Admittedly, this could be because I'm using a non-default theme on my
install, so perhaps this is more obvious by default. I haven't checked.

~~~
Osmium
> SoundCloud, for example, would just silently fail, and I would have to
> manually disable the feature to get it to play

SoundCloud have actually since added a detector, and will warn you saying "It
looks like you have a Flash blocker browser setting or extension. Please
enable Flash to hear sound." Also, whereas before the Flash element was
invisible, now there's a target to click on if you do have Flash content
blocked. Very well done actually.

~~~
AgentConundrum
> Also, whereas before the Flash element was invisible, now there's a target
> to click on if you do have Flash content blocked.

I saw that warning earlier today when I made my comment (note that the
screenshot of the enabler pop-up shows SoundCloud as the URL), and thought
maybe I had just missed it before.

Alas, I just tried an actual sound page, and the result was as before. I
didn't see any "click to play" items, and clicking around the page (on obvious
targets like the Play button, and less obvious targets like the progress bar
and times) revealed nothing either. Where do you see the new target?

------
LeafStorm
Besides the obvious security benefits, this also makes sense as part of
Mozilla's HTML5 campaign. By getting users to think of plugin-based content as
"foreign" and "inconvenient," they bolster users' opinions of pure Web-based
content. However, by allowing a simple clickthrough, they hopefully prevent
users from just getting frustrated and switching to Chrome.

~~~
Silhouette
The trouble is that many new web technologies, including those that certain
groups (particularly Apple, Google and Mozilla) are pushing as "replacements"
for older technologies, aren't actually as good as how we used to do things.

For example, HTML5 audio and video work up to a point, but compared to Flash
players they are onerous to support because of different data formats and
limited in their functionality.

Of course, Flash has other uses, too. It was very annoying recently to find
that _none_ of the popular weather services I wanted to check during the
recent cold spell here in the UK were fully accessible from my iPad, because
they _all_ used Flash for their interactive maps. And it wasn't the weather
services I was annoyed with, it was the £500 paperweight that couldn't even do
stuff that worked in IE6 on a 10-year-old computer.

Likewise, things like canvas and SVG are fine up to a point, but they offer
relatively limited drawing functionality compared to a Flash or Java applet,
and the available functionality differs widely across browsers. And of course
in Java's case, you can write an applet in several modern JVM-hosted languages
that are vastly superior to JavaScript for implementing non-trivial
visualisations, and with much faster performance than even the best current
JavaScript engines.

Give up plug-ins and use HTML5 and JavaScript. Brought to you by the people
who said we should use CSS instead of tables but then couldn't implement
trivial grid layouts, or maybe by the guys who said we should use CSS instead
of graphics but then complained that everyone's buttons looked like Bootstrap.

------
brudgers
Mozilla has developed a PDF reader addon for Firefox using JavaScript. I've
been running it for about a week as my default PDF reader. It's been
acceptable for my needs.

<https://addons.mozilla.org/en-US/firefox/addon/pdfjs/>

~~~
Ygg2
Interestingly they are working on a JS version of Flash called Shumway[1], so
maybe, just maybe future FF (or even Chrome if it works there) will be able to
translate Flash to JS, for your iPads and whatnot.

[1] <https://github.com/mozilla/shumway>

------
kfcm
Please tell me this click_to_play can be completely disabled in about:config.
The PDF thing is going to be a nightmare for clients of mine who have
researchers going to different university, research center and journal sites
(repositories) for papers and articles.

Yeah, a user can disable the check for certain sites, but when you have
hundreds of such repositories...you get the picture.

~~~
whyenot
Firefox 19 has its own built-in PDF viewer. You don't need the Adobe Reader
plugin to read PDFs anymore.

------
zokier
I never understood the point of having Reader in the browser. It's not like
Flash or Java that is fairly common to be inline with other content. Are there
some sites that legitimately use embedded PDFs?

I always found it more convenient to open PDFs in stand-alone Reader instead.
Sure, it takes one mouse click more, but on the other hand the browser remains
usable while the Reader loads and you get full-featured Reader instead of the
gimped plugin.

~~~
michaelt
The IEEE journal website likes to display PDFs in an iframe. I'm not sure why.

~~~
JadeNB
As with all other embedded content, I believe that PDF providers sometimes
think that they can prevent downloading of the files by serving them to the
browser in some weird way. (This probably doesn't describe IEEE, but I
certainly have seen sites where, whether the designers intended it or not, I
have to go through contortions to download their PDFs.)

------
mehrzad
Firefox needs to become the most well-liked browser again, because it's the
best and using it is for the Greater Good.

~~~
chii
I'd like to know by what measure you are comparing FF with other browsers?

~~~
mehrzad
The fact that it's OSS, addons, customization capability, JS engine, and
mostly, privacy/security.

~~~
drivebyacct2
All of which are true of Chrome?

~~~
verroq
I think you meant to say Chromium.

~~~
lloeki
Depends on the trust you place on Google, as opposed to the whole web. Hence,
"mostly".

------
kfcm
And just thinking about businesses who may still be running "fat" business-
required (if not critical) webapps in Java and Flash. Upgrades are cost and
time prohibitive, and clicking each time a user wants to start may alienate
people.

~~~
lloeki
> _clicking each time_

once, in the navbar, and whitelist the business-required site.

~~~
jtheory
Well, but the recent fix to Java was to force the user to click through a
prompt from the Java plugin itself; so once the user tells Firefox that yes, I
want this dangerous content to run, they get another warning about dangerous
content from Java.

If they manage to click through everything correctly and whitelist the site,
they're good to go, but I suspect many of my users are going to get at least
part of it wrong the first time through.

And of course, the noise about Java security is already breaking things -- for
example, a few days ago I got an email from a teacher whose school paid me
$600 for a Java-applet based site subscription... at the same time as their IT
department completely uninstalled Java from their school computers.

So now I either have to convince their IT department directly to re-install
Java, or refund their money; whoops.

~~~
lambda_cube
I don't think you should have to either convince the IT department or
refund them. One part of their organization chose to order the Java applet
solution from you and another part of their organization chose to uninstall
Java. The fact that they ordered a solution that they can't use isn't your
fault. If they want you to use your time to work out a solution with the IT
department how the applet can be used securely I think they need to pay you
for that time (charge per hour for that, if the IT department is stubborn they
have to pay more).

------
serge2k
Will go over well when Netflix suddenly stops working.

~~~
jevinskie
You mean when people click to activate and think nothing of it?

~~~
jiggy2011
Hopefully that won't train people to just click "activate" everywhere.

OTOH hopefully this will convince Netflix etc to migrate away from reliance on
Silverlight and we can have something that works on Linux without a load of
Wine hacks.

------
csense
They should block Flash, too.

~~~
TazeTSchnitzel
Click-to-play for Flash in Chrome and Firefox would kill Flash banners
overnight.

~~~
Ygg2
Somehow the ad industry would manage (gifs, bundled ad in stream, etc.), and
killing Flash banners is a good thing, those things are annoying.

~~~
jiggy2011
Hellooo animated JS WebGL banners that crash your entire machine..

------
lucian1900
Chrome's UI works great for this. You can either click-to-play or click a
little icon in the url bar to control plugins for that domain. That makes it
easy to deal with Flash elements used only for sound.

------
javajosh
It's sad that after all this time the official Java plugin isn't even secure.
I mean, we all knew years ago that it wasn't very _useful_, but its
insecurity just adds insult to injury. The Sun has truly set. :(

~~~
jtheory
It's incredibly useful, if you need functionality that's not yet supported in
the range of browsers that people use.

I'm pretty sure I can't handle MIDI and audio input, do pitch detection, show
animations synched with generated audio, etc. in JavaScript on IE6 (and only
parts of that are possible in _any_ browser) -- but I can do it with a Java
applet.

Or, I could; my site is obviously starting to suffer from the reliance on
Java, and every few days the news seems to get worse.

~~~
martinced
IE6? Man... It's 2013.

~~~
jtheory
Not everyone can choose their browser -- either because they're still running
Windows 98 and can't afford a new computer, or (more likely) because they're
part of a large organization that can't afford to upgrade due to huge past
investments in aging tech.

I actually deal a lot more with IE6/7 in my main job (users in the NHS) than
for the music theory site, but to my main point above -- there are plenty of
audio features that are just now starting to be possible in Chrome (no other
browser, yet); that's simply not useful in the context of real, normal-people
users.

------
yycom
This needs to be done for JavaScript as well.

