
Mozilla may make Flash click-to-play by default in future Firefox - mbrubeck
http://arstechnica.com/open-source/news/2012/04/mozilla-may-make-flash-click-to-play-by-default-in-future-firefox.ars
======
CoreDumpling
I welcome this move, despite the possibility of some fallout from the change.
It'll be painful, but even as someone who once made a living writing
ActionScript, I have to say that Flash is sufficiently annoying and insecure
that it really needs to be phased out.

In the short term, this will probably cause some breakage in certain sites
that try to use Flash "transparently" and "unobtrusively" for things like
LSOs, drag-and-drop, clipboard access, or cross-domain XHR. These are already
problematic with Flashblock installed though -- Pandora, for instance, refuses
to load and there is nothing available to click-to-play since that particular
Flash object is hidden.

Hopefully this will light a fire under those sites and get them to update to
the appropriate HTML5 methods of doing these things (local storage,
WebSockets, etc.), just like how Java applets that were used for such things
have been largely phased out. Until then, however, I wouldn't be surprised if
some of them simply inform you not to use Firefox to visit.

~~~
mistercow
To take care of the invisible Flash object problem, Firefox could copy what
Chrome does for Java applets and have a bar pop up at the top of the whole
page, asking if you want to allow Flash to run on the site in question.

~~~
pdenya
If only Chrome did this with its current click to play implementation

~~~
strager
It does, though not with the same UI as the Java plugin:
<http://i.imgur.com/xHrRX.png>

Clicking the puzzle piece shows a menu to "always allow" or to "enable all
Flash applets on this page" (and a few other things).

I can see a more obtrusive/apparent UI being implemented if Firefox makes
click-to-Flash default.

~~~
mistercow
That's not the same interface that I was referring to. I was talking about
this: <http://i.imgur.com/8lzif.png>

~~~
notatoad
it's not the same appearance, but it's the same functionality.

~~~
mistercow
No it's not, because if the Flash object is invisible, it simply does not give
you any way to enable them unless you go to the preferences and explicitly add
an exception.

This was my entire point in the first place, if you look up at the beginning
of the thread. For example, turn on click-to-play and then go to pandora.com.
If Chrome treated Flash the same as Java, you would still be able to use
pandora easily.

~~~
notatoad
read his post again. he's not talking about the click-to-play ui. there's a
puzzle piece icon in the taskbar. clicking it displays a drop-down menu, and
even if the flash is invisible you can choose the "enable flash on this page"
option.

~~~
mistercow
Ah yes, I see now.

------
potatolicious
I am so happy that I can barely contain myself. Hopefully this means Flash
will now be used for important things, instead of shoving ads in my face that
I can't dismiss, and follow my scroll bar.

~~~
krakensden
You say that now, but just wait until they're written in JS+Canvas and
enormously more difficult to block.

~~~
w1ntermute
Yeah, HTML5 YouTube has the significant disadvantage of autoplay.

~~~
Zirro
There's nothing preventing you from blocking HTML5-video just like Flash can
be blocked with add-ons today. Personally I use NoScript for that.

------
keeperofdakeys
The problem is some uses of flash don't put any flash controls on the
webpage. Mainly for audio related uses, like audio players (mixcloud), or
games (since html5 audio still has some work to be done). Chrome gets around
this with an icon in the urlbar, and an option "Run all plug-ins this time".
If firefox wants to make click-to-play the default option, I don't think this
is going to cut it. The only two options they have are to only click-to-play
visible plugins (but this is really hard to detect), or give a popup. The
popup might work for most users, but some are just going to get confused. In
fact, I don't know if most users will read the place-holder for click-to-play
in general, or just go "why isn't youtube working".

~~~
obtu
There's an “enable plugins” icon at the left of the location bar when the page
contains those. It's a bit less visible than the one for pop-ups, but at least
it's in an area that can't be spoofed.

------
artursapek
Oh man, bad memories. I used to get so frustrated with Internet Explorer* for
doing this about 7 years ago. I was young then, 12 or 13, and had just gotten
Flash for my birthday. I know it had to be 2004 or 2005 because the version
was Flash MX 2004. I was young enough and it was long enough ago that I think
I was using Internet Explorer primarily, and got _terribly frustrated_ when
they started using this default click-to-play behavior on _my_ Flash
creations. How dare they! It took me long enough to figure out how to embed
them (I remember I tried using the <img src="" /> tag with a .swf file. HAHA!)

It was something to do with an "ActiveX control," I don't remember anymore.
But you should have seen how angry it made 13-year-old-me, because my loud,
annoying Flash creations had to be allowed their obnoxiousness by every user.
Anyway, the point is I approve. :)

* I'm pretty sure it was IE, could be remembering wrong.

~~~
talmand
I remember that, I believe it was the result of a patent lawsuit. Something
about a company had the patent on the concept of embedding assets into the
page and automatically starting on page load, or something like that.
Microsoft's response was to force the click-to-play mechanic to get around it
and then people figured out how to get around that. I don't recall any other
browser having to deal with that particular patent.

~~~
artursapek
What a stupid fucking patent.

------
kogir
This is great, really, but I'd like to see something more aggressive:

Non-foreground tabs should be completely suspended - plugins, JavaScript,
media, you name it - unless they specifically request and are granted
permission to run in the background.

~~~
padenot
Quite a lot of webpages need js to initialize themselves, these days, and I
want them to load in background when I middleclick on a link. You probably
want (at least some) websites to perform XHR when not focused (to update a
news stream or something). I find an opt-in behavior on such a common feature
a bit too hard, as a lot of websites rely on that.

setTimeout and friends are throttled (at least in Firefox) to fire at most once
every second, so you won't burn your battery having a graphic demo in the
background.

~~~
kogir
Actually, I'd only white-list Gmail and maybe Twitter. I'd prefer it if most
sites just served HTML to begin with.

I run with JavaScript and Cookies disabled unless white-listed, and just leave
the majority of pages that won't load. Techcrunch, Engadget, and most news
sites are so much faster without JS.

I might be ok with a timeout - after 30 seconds of no interaction from me,
suspend the tab. Would that address your objection?

~~~
padenot

      I might be ok with a timeout - after 30 seconds of no 
      interaction from me, suspend the tab. Would that address
      your objection?
    

There have been experiments to do that
(<https://bugzilla.mozilla.org/show_bug.cgi?id=675539>), and an (experimental)
extension brings you this behavior
(<https://addons.mozilla.org/en-US/firefox/addon/dormancy/>), but hasn't been
updated in a while.

Actually, this completely unloads the page from memory, which is not exactly
what you ask for.

------
replax
Very good idea, I think. Flashblock is one of the most useful plugins to me
right now. Although I think that mozilla will definitely have to implement a
very easily accessible whitelist to go along. Otherwise, it will become
slightly annoying for people with slow internet connections who rely on
e.g. loading videos while surfing in another tab and the like.

------
ck2
Not just flash, all plugins, which is a good security idea, considering how
Microsoft likes to slip in theirs via windows update.

I see the setting in FF12b5 but not sure if it works yet.

~~~
mbrubeck
The about:config setting currently works only in Firefox 14, available on the
Nightly channel: <http://nightly.mozilla.org/>

~~~
yuvadam
False. Already works for me on FF12b4.

~~~
mbrubeck
I should have clarified that the pieces of the implementation landed starting
in Firefox 11, but key bugs like <https://bugzil.la/730318> weren't fixed
until Firefox 14. It won't work correctly on all pages in earlier versions.

[I'm a developer of Firefox for Android, which has click-to-play enabled by
default starting with version 14.]

------
seanp2k2
Adobe has proven time and again that they cannot produce secure software. Down
with Flash, and down with Reader. These two pieces of software seem to be
responsible for millions of malware infections and thus tons of spam and fraud
online.

The world would be a better place without these two Adobe products. Their
/content production/ software is amazing, and they should just stick to that
IMO.

------
afhof
I am quite pleased with this idea. This is what NoScript does by default and
pages load noticeably faster. Requiring flash objects to be clicked first
provides an increased protection against the all too common Flash zero day
exploits.

------
msujaws
This is the original blog post that I wrote in case you are interested:
[http://msujaws.wordpress.com/2012/04/11/opting-in-to-plugins...](http://msujaws.wordpress.com/2012/04/11/opting-in-to-plugins-in-firefox/)

------
alwold
I didn't know Chrome already had the option to do click-to-play until I read
this. Very cool, I'm turning it on now.

~~~
RobAtticus
I turned it on a few weeks ago, and after a day or two white listing a few
sites that I use often (Google Music, etc) I've found my browsing experience
much more enjoyable. My computer as a whole seems snappier; although it could
be placebo.

------
rollypolly
As a Flashblock user, I love the idea.

------
pdenya
I rock click-to-play for plugins in Chrome and it's extremely helpful for
browsing speed and enjoyability. No more playing "Which window is that sound
coming from?". That said, there are definite usability problems with the
current chrome implementation that I hope FF improves on. I'd like a "Load all
requested plugins for this page" button. Or a whitelist maybe.

~~~
lucian1900
There's an icon in the url bar which you can click to whitelist the current
website, and there are whitelist settings as well.

~~~
SquareWheel
It also has a "run all plugins now" button so you don't have to whitelist if
you just want them to run in that session.

Sometimes this button is necessary if there's a 1x1 flash embed somewhere that
is required for the page.

------
rdw
Great move. I am reminded of Apple's recent Java update[1], which turns Java
off by default, and disables it again after a period of disuse. It moves the
security threat into phishing rather than drive-by territory, a definite
improvement.

[1] <http://news.ycombinator.com/item?id=3834267>

------
leeoniya
i would go one step further and disable all auto-play for audio and video. not
just flash, but html5 as well.

if there is some audio or video designated to play onLoad, notify user and
have them click ok/prevent/mute...etc. it might make for some not-so-seamless
experiences, but the alternative is 90's style animated gif annoyances on spam
sites etc..

------
tallowen
I think the real benefit here would be to block java plugins automatically.
The current implementation blocks both (to the best of my understanding).

Not automatically loading java would be a great benefit to the majority of
users. It's not used on nearly as many websites yet it is responsible for the
lion's share of current security exploits.

------
chrischen
Didn't IE try this and developers got around it by using Javascript to embed
flash?

[http://www.computerworld.com/s/article/9046245/Microsoft_dro...](http://www.computerworld.com/s/article/9046245/Microsoft_drops_IE_s_click_to_activate_nag)

Turns out Microsoft did it because of patent issues.

~~~
yuhong
The plug-in was still loaded and executed. It is just the interaction with the
plug-in that required an extra click.

~~~
chrischen
Yea but I don't recall _anyone_ liking that interaction pattern.

------
electrotype
Make this the default behavior if you want, but add a configuration option to
change it.

In my opinion, there should always be a configuration option associated to a
new feature/behavior like this!

Because in the end that's why I still use Firefox : I can configure it like I
want!

------
JeffJenkins
Is this going to break (or make more annoying) all of the things which use
zeroclipboard[1] to copy something to the clipboard?

[1] <http://code.google.com/p/zeroclipboard/>

------
adamman
Firefox would lose a lot of users if they did this. There are a lot of people
who don't understand plugins and they would probably just find this feature to
be annoying and use IE or Chrome instead.

------
gosub
On a side note: is there an opensource browser that doesn't let a flash
video/embed steal keyboard focus? I tend to use the kb heavily for
navigation and this behaviour is frustrating.

~~~
boxein
I'd like this too

------
pogosian
This should be done for all kinds of animation like gifs, canvas and whatever
comes next in the future.

Animated ads are the second most annoying thing on the web after embedded
background music.

------
GigabyteCoin
Here's another suggestion: how about an invisible "volume bar" that shows
itself in each tab that is currently playing music?

~~~
user24
This has been suggested often (and would be a wonderful feature). IIRC it's
impossible currently due to the fact that flash runs as a single process and
so you can only control the volume of all flash movies, not individual ones.

------
luminarious
This feature, although turned off by default, has been available in Opera for
some time now. I quite like it.

------
junktest
Great idea. Opera browser made this a long time ago. The innovator that
everybody else copies.

------
zvrba
Great! I'm just wondering why it took them so long: Opera has had this
built-in for ages.

~~~
rplnt
I think the point of the article is "by default". I don't know about Firefox
but chrome has plug-in on demand as well. On linux, I have plugin on demand
enabled in Opera, however on windows I have it disabled due to its inability
to start hidden flash. For example on Soundcloud. Maybe there's an action for
enabling plug-in on demand that I could put to shortcut but I never got around
to looking into it. Anyway, flash on windows is just fine ...when not counting
the adobe vulnerabilities(tm).

------
krsunny
Does that mean random websites would no longer scream "Congratulations, you've
won!!"?

------
renatomoya
This should be default on every browser but hey, we'd kill flash banners this
way.

------
why-el
I already have to click to enable Flash on my Firefox whenever I use Tor. :)

------
citricsquid
How does this affect adverts?

------
m0skit0
Nice move, appreciated!

------
noduerme
For my money, they oughta make Canvas click-to-play as well, since the
rendering speed in Firefox is unbelievably slow and the javascript behind it
is so frequently written to hog up 100% of the CPU it's hard to even know what
you're looking at if you accidentally stumble across an HTML5 page in Firefox,
before your system grinds to a complete halt. It's funny how people blame
Flash for slow websites when what they should really blame is bad coding
practice, which can just as easily show up in JS (and does). To take it
further, it's pretty rare for Flash code to bootstrap a huge set of libraries
to do some petty effect - and if it does, the plugin doesn't freeze the
browser preload while waiting on them. Whereas a 150k JS file that includes
jquery and a bunch of other junk which probably isn't necessary (but makes
coding some effect that much easier for bad programmers) can bring a website
to its knees before the first line of text is delivered in the browser.

Again, don't blame the tools; blame the tools who use them.

~~~
qxcv
Firefox canvas really isn't that slow anymore. Every time they increment the
major version number, I play a couple of HTML5 games and check out the
difference in responsiveness. A highly subjective test, sure, but an effective
one. If you take a user-centric view then it's arguably the only test that
really counts. You wouldn't believe the difference between FF5 and FF12
playing a game like Canvas Rider[1].

[1]: <http://canvasrider.com>

~~~
est
yeah but consider in the future everyone ditches Flash ads for canvas animation
ads, your page will basically have like 1000 embedded blinking and scrolling
ads made in canvas.

~~~
robin_reala
canvas { display: none; } in your userstyles?

------
ineedafresca
Awesome. I hope the old adage good product wins is really true in the browser
world. It was quite a trick to grab market share against IE back in the day,
but now they are up against the google cash machine paying
Adobe/Avast/Real/etc. $3/download for chrome. Hard for the little non-profit
that could to compete against that. We'll see.

------
ranit8
Did anybody notice that this feature is already available (off by default) in
Firefox 11 stable?

I hope they don't turn it on, or advertisers will move away from Flash to
Canvas.

