Bug 738698 (click-to-play): [meta] Users should have the ability to activate plugins on demand
Status: RESOLVED WORKSFORME (opened 12 years ago, closed 8 years ago)
Categories: Firefox :: General, defect
People: Reporter: jaws, Unassigned
References: Depends on 1 open bug
Details: Keywords: meta, sec-want
Users should have the ability to activate plugins on demand. This is sometimes referred to as click-to-play plugins.
I think we are ready to schedule this one, the call for comments closed on 30-Mar as expected there was nothing too big.
link to discussion: https://groups.google.com/group/mozilla.dev.security/browse_thread/thread/893f729b420309ec#
Jared / Ian thoughts?
Comment 2•12 years ago
(In reply to Curtis Koenig [:curtisk] from comment #1)
> I think we are ready to schedule this one, the call for comments closed on
> 30-Mar as expected there was nothing too big.
>
> link to discussion:
> https://groups.google.com/group/mozilla.dev.security/browse_thread/thread/
> 893f729b420309ec#
>
> Jared / Ian thoughts?
What's currently implemented is a first pass on the feature and isn't intended to be enabled by default. I would prefer to wait until the feature is closer to what's described in the feature page. The feature page is currently being discussed in mozilla.dev.security and we met with UX yesterday to ask for input as well. If the review would be a design review, I would prefer this to happen in the mozilla.dev.security thread after people have reviewed the existing feature page. If the review is an implementation review, I would prefer this to wait until the feature is closer to what we have discussed shipping. I would encourage members of the security team to try this feature out in a nightly by flipping the pref when bug 711618 lands. This is all just my opinion though, very open to discussion :)
Comment 3•12 years ago
Thanks for this! too i also have traded Flashblock for plugins.click_to_play;true
But by when it will be stable enough to test?
will it have the option to control(enable on demand) for all types of plugins?
& what about say a page has two flash player windows but want to play only the second one
will it be possible ? (flashblock allows this)
Comment 4•12 years ago
(In reply to beelzebub360 from comment #3)
FYI you don't need to add the same comment to every click to play bug, this is the meta (main) click to play bug, which tracks the feature overall - other related bugs should be marked dependencies for it.
> But by when it will be stable enough to test?
i saw that you already cc'd yourself on this bug and some of the other click to play bugs. Following the bugs will let you follow the progress of this feature (including it being enabled by default in a release of Firefox).
> will it have the option to control(enable on demand) for all types of
> plugins?
> & what about say a page has two flash player windows but want to play only
> the second one
> will it be possible ? (flashblock allows this)
please see https://wiki.mozilla.org/Opt-in_activation_for_plugins for the current proposal and feel free to comment on the spec on mozilla.dev.security where click to play is being discussed
Comment 5•12 years ago
Guys will this be also implemented so that ogg or web-m to require to be clicked to be activated
this is needed to stop loading unnecessary plugins on any page(inbuilt or external) especially under linux
& also speeds up Firefox
Comment 6•12 years ago
(In reply to beelzebub360 from comment #5)
> Guys will this be also implemented so that ogg or web-m to require to be
> clicked to be activated
> this is needed to stop loading unnecessary plugins on any page(inbuilt or
> external) especially under linux
> & also speeds up Firefox
At the moment, as being discussed, it's only for plugins. You raise an interesting point, but i think that's a different issue/bug, perhaps.
Comment 7•12 years ago
(In reply to Ian Melven :imelven from comment #6)
> At the moment, as being discussed
Great Hope it gets implemented
> it's only for plugins.
well basically .ogg/webm etc are plugins(internal maybe if not external which are not required always) but are loaded(wasting bandwidth & resources). Maybe not all but some users need more security over running all plugins & desktop/mobiles need more resources which might not be always available(if on a old system or using different codecs)
> You raise an interesting point
Thank-you
> but i think that's a different issue/bug, perhaps
perhaps not as using resources more efficiently & securely is one of the main motives of this feature
When you all feel that this is ready for a security review please update bug 744534 and we will get it going.
Whiteboard: [secr:curtisk] → [secr:curtisk:744534]
Comment 9•12 years ago
Dupe of bug 711552?
(In reply to Tony Mechelynck [:tonymec] from comment #9)
> Dupe of bug 711552?
Bug 711552 was for the user interface on desktop for click-to-play (there was another bug for mobile). This bug is an overall tracking bug for click-to-play, if I understand correctly.
Comment 11•12 years ago
To avoid every Silverlight site issue from breaking, this should be resolved.. https://bugzilla.mozilla.org/show_bug.cgi?id=745378
Comment 12•12 years ago
Yes, is very important that users always decided if click to play plugins or simple reproduce it. Flash and others plugins cause problems and we have to make a better Firefox. There are several ways for users can customize this. A path can be put in tab Plugins of Add-ons Manager a check button to click to play plugins. Too in tab Content of Firefox Options together Block pop-up windows, Loads images automatically and Enable JavaScript we can add a check button to click to play plugins and button for users can add exceptions for sites which theirs want add (this would serve for show to users a simple way to enable or disable).
Comment 13•12 years ago
Depends bug 746888?
Comment 14•12 years ago
For end-users, the following capabilities might be very much desired. I would like to be able to white-list a plugin as always active without regard for what Web page I am viewing. I would like to be able to white-list a URI or an entire domain to activate all plugins. I would like to be able to black-list a Web page or an entire domain for a specific plugin, overriding the above white-lists. Finally, any indicator of a blocked plugin should be obvious but not hide any content on a Web page.
Updated•12 years ago
Whiteboard: [secr:curtisk:744534] → [sec-assigned:curtisk:744534]
Comment 15•12 years ago
Click to Play Plugins should also block(enable on demand) webm/ogg/mp3/vlc etc
Comment 16•12 years ago
(In reply to Pheonix from comment #15)
> Click to Play Plugins should also block(enable on demand)
> webm/ogg/mp3/vlc etc
These aren't always provided by plugins though... this would be a separate feature, particularly since we want click to play to help protect users against plugin vulnerabilities, which we can't fix ourselves.
Comment 17•12 years ago
Was this broken by bug 745030 somehow? On Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120808030529 with Shockwave Flash 11.4.400.252 "click to play" UI no longer shows on http://www.adobe.com/software/flash/about/
Alex - are you talking about the content that appears for a bit and then is replaced by a (non-flash) ad?
Comment 19•12 years ago
Yes. Flash content is activating immediately with click-to-play enabled.
Works: http://hg.mozilla.org/mozilla-central/rev/1bbc0b65dffb
Broken: http://hg.mozilla.org/mozilla-central/rev/e55638d4037a
Push log: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=e55638d4037a
I did some further debugging and found that the broken behavior is caused by a combination of the above change set and Adblock Plus (2.1.3a.3534).
Matthew - that looks like bug 782644.
Updated•12 years ago
Flags: sec-review?(curtisk)
Comment 21•12 years ago
(In reply to David Keeler from comment #18)
> Alex - are you talking about the content that appears for a bit and then is
> replaced by a (non-flash) ad?
No I was talking about the "Version Information" Flash box. I still believe the refactoring of nsObjectLoadingContent on bug 745030 completely broke click to play =(
Alex - looks like you might be encountering bug 782644. With regard to bug 745030 - click to play was already broken by the complexity and difficult-to-maintain-ness of nsObjectLoadingContent. While the refactoring has caused some regressions, I think we're better off in the long run because we now have a better path forward using code that is easier to understand and improve.
Comment 23•12 years ago
Missing "Lego brick" click-to-play UI at http://news.yahoo.com/blogs/trending-now/long-lost-renoir-masterpiece-found-among-junk-flea-170238665.html Confirms anyone?
Comment 24•12 years ago
(In reply to alex_mayorga from comment #23)
> Missing "Lego brick" click-to-play UI at
> http://news.yahoo.com/blogs/trending-now/long-lost-renoir-masterpiece-found-
> among-junk-flea-170238665.html
>
> Confirms anyone?
Yahoo applies georestriction on its stream, so I guess it's pure HTML/JS. We see only the splash image before playing the Flash stream. In my case, I'm georestricted so I don't see the click-to-play overlay.
Comment 25•12 years ago
(In reply to alex_mayorga from comment #23)
> Missing "Lego brick" click-to-play UI at
> http://news.yahoo.com/blogs/trending-now/long-lost-renoir-masterpiece-found-
> among-junk-flea-170238665.html
>
> Confirms anyone?
I've noticed this, it's due to resizing plugin frames after they've switched to fallback. I filed bug 790483 for this, though it might be a dupe.
Comment 26•12 years ago
Steps:
0. Enable "click to play"
1. Load http://www.vice.com/vice-news/the-mexican-mormon-war-part-1
2. Click on "Click here to activate plugin"
Result:
Nothing happens. There's an error in error console:
[code]Error: ReferenceError: OAS_RICH is not defined
Source File: http://www.vice.com/vice-news/the-mexican-mormon-war-part-1
Line: 127[/code]
Expected results:
Plugin activates
Is this a site's or Nightly's bug?
Alex - that looks like bug 790265 (which occurs when a site embeds content from another site that has "display: none" initially - which is different from (but very similar to) bug 741130).
Comment 28•12 years ago
Another one that doesn't work on Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927030539
Steps:
0. Enable "click to play"
1. Load http://www.aztecanoticias.com.mx/capitulos/mexico/126079/marti-batres-choca-contra-puerta-en-san-lazaro
2. Click on "Click here to activate plugin"
3. Click "PLAY"
Result:
Nothing happens. There's an error in error console:
Timestamp: 28/09/2012 09:15:51 a.m.
Error: ReferenceError: K10142 is not defined
Source File: http://www.aztecanoticias.com.mx/capitulos/mexico/126079/marti-batres-choca-contra-puerta-en-san-lazaro
Line: 1180
Expected results:
Video plays.
Is this a site's or Nightly's bug?
Alex - I can't reproduce the bug you're seeing on that page. Maybe the page was recently updated? (I'm assuming you were trying to click-to-play the main video, right?)
Comment 30•12 years ago
David, For me it doesn't work even in Safe-mode =( Only other thing I can think of is that I've set Nightly to not accept 3rd party cookies, might that be?
Comment 31•12 years ago
Another page that doesn't work with "click to play" FWIW http://www.cetesdirecto.com/ninos/Cuento.html
Comment 32•12 years ago
Glad to report that these now WFM on Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121022030551 http://www.aztecanoticias.com.mx/capitulos/mexico/126079/marti-batres-choca-contra-puerta-en-san-lazaro http://www.cetesdirecto.com/ninos/Cuento.html Thanks to everyone involved in this feature, it's coming along nicely and helps me enjoy the web more on my CPU and RAM constrained devices =)
Comment 33•12 years ago
There's no click to play UI on the main page at http://javatester.org/version.html Is this a bug or by design?
(In reply to alex_mayorga from comment #33)
> There's no click to play UI on the main page at
> http://javatester.org/version.html
>
> Is this a bug or by design?
I've looked at that before, and if I recall correctly, the applet is considered too small to contain the UI in the overlay, so we make it (the overlay) invisible. It can still be activated by the urlbar notification icon.
Updated•12 years ago
Alias: click-to-play
Comment 35•12 years ago
(In reply to David Keeler from comment #34)
> (In reply to alex_mayorga from comment #33)
> > There's no click to play UI on the main page at
> > http://javatester.org/version.html
> >
> > Is this a bug or by design?
>
> I've looked at that before, and if I recall correctly, the applet is
> considered too small to contain the UI in the overlay, so we make it (the
> overlay) invisible. It can still be activated by the urlbar notification
> icon.
Would it be possible to still draw the gray diagonal bars and just the text with no icon? That would give more the sense of "something is missing here and we know about it, Firefox is not failing" IMHO.
Comment 36•12 years ago
Steps:
0. Install JRE 1.7.0_09 from http://www.oracle.com/technetwork/java/javase/downloads/index.html
0. Enable "click to play" plugins.click_to_play;true in about:config
1. Load http://www.java.com/en/download/installed.jsp?detect=jre
2. Click on "Click here to activate the Java Deployment Toolkit plugin."
Result:
The applet never loads.
Is this a known bug on Nightly or just poor "web making" from Oracle?
(In reply to alex_mayorga from comment #36)
> Steps:
> 0. Install JRE 1.7.0_09 from
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
> 0. Enable "click to play" plugins.click_to_play;true in about:config
> 1. Load http://www.java.com/en/download/installed.jsp?detect=jre
> 2. Click on "Click here to activate the Java Deployment Toolkit plugin."
>
> Result:
> The applet never loads.
>
> Is this a known bug on Nightly or just poor "web making" from Oracle?
Not necessarily poor coding - it works for me after a few seconds if I enable the plugin through the urlbar notification.
(In reply to alex_mayorga from comment #35)
> (In reply to David Keeler from comment #34)
> > (In reply to alex_mayorga from comment #33)
> > > There's no click to play UI on the main page at
> > > http://javatester.org/version.html
> > >
> > > Is this a bug or by design?
> >
> > I've looked at that before, and if I recall correctly, the applet is
> > considered too small to contain the UI in the overlay, so we make it (the
> > overlay) invisible. It can still be activated by the urlbar notification
> > icon.
>
> Would it be possible to still draw the gray diagonal bars and just the text
> with no icon? That would give more the sense of "something is missing here
> and we know about it, Firefox is not failing" IMHO.
That's reasonable, but then there's still the problem of when even the text is too large for the visible plugin area. Why don't you open a new bug and anyone who's interested can discuss it there?
Comment 41•12 years ago
There's no click to play UI on dynamically created flash. Example: http://ruzanow.ru/test/test-flash.html // I think that it has already been reported, but not right here and bug is not fixed in nightly.
Comment 42•12 years ago
(In reply to ruzanow from comment #41)
> http://ruzanow.ru/test/test-flash.html
Ops, sorry. This is another bug. Small placeholder (less 110x110 for me) is invisible.
Comment 43•12 years ago
That's bug 810082
Comment 44•11 years ago
No click-to-play UI on the main page at http://getpebble.com/ just a black square. Is this a known bug or shall I file a new one?
Updated•11 years ago
Flags: sec-review?(curtisk) → sec-review+
Whiteboard: [sec-assigned:curtisk:744534]
Comment 45•11 years ago
(In reply to alex_mayorga from comment #44)
> No click-to-play UI on the main page at http://getpebble.com/ just a black
> square.
>
> Is this a known bug or shall I file a new one?
It was in fact bug 744745 and it's now fixed.
Also bsmedberg posted of this functionality and called for more testers at https://groups.google.com/forum/#!topic/mozilla.dev.apps.firefox/8CIIiXypoXY
The thread already has one very interesting feature request IMHO, namely "when Firefox crashes to turn off saved defaults and reask all the Click to play prompts for all opened tabs when Firefox reopens" by John Bird
Comment 46•11 years ago
http://omg.yahoo.com/video/redford-company-laboeuf-tucci-081832327.html doesn't play along with click-to-play a "loading" spinner is shown forever. Is this a known bug or should I file a new one?
Comment 47•11 years ago
Can I just strongly emphasize how disappointed I am in Mozilla for activating flash by default (in FF 23.0a1 Nightly) just because I have an up to date flash plugin.
After quite a long enjoyable stretch of having to click to activate flash regardless of the version installed (I've been using click to play since it was first possible in nightly) a short while ago the feature basically was taken away from me. Just because I keep flash up to date? What kind of motivation is that supposed to be? Punishment for doing the right thing?
And what's more the UI for click to play lies to you, about:config says it is enabled, and it says it will ask every time when you check in about:permissions (every site & globally).
So please somewhere, anywhere, give me a switch to force click to play in all circumstances regardless of plugin type or version. Otherwise this feature is nothing more than a slap in the face to good netizens.
Comment 48•11 years ago
(In reply to Cam from comment #47)
> Can I just strongly emphasize how disappointed I am in Mozilla for
> activating flash by default (in FF 23.0a1 Nightly) just because I have an up
> to date flash plugin.
>
> After quite a long enjoyable stretch of having to click to activate flash
> regardless of the version installed (I've been using click to play since it
> was first possible in nightly) a short while ago the feature basically was
> taken away from me. Just because I keep flash up to date? What kind of
> motivation is that supposed to be? Punishment for doing the right thing?
>
> And what's more the UI for click to play lies to you, about:config says it
> is enabled, and it says it will ask every time when you check in
> about:permissions (every site & globally).
>
> So please somewhere, anywhere, give me a switch to force click to play in
> all circumstances regardless of plugin type or version. Otherwise this
> feature is nothing more than a slap in the face to good netizens.
This is due to bug 549697 landing, which changes how CtP works - you can now enable it per plugin in about:addons. It was not an intentionally "your flash is up to date so we're enabling it," it was merely a change to how the CtP prefs work. See also bug 866935
Comment 49•11 years ago
Found another page with a Flash video that doesn't play along with CtP over at http://gawker.com/5750211/the-full-mcbain-movie-hidden-throughout-simpsons-epsiodes Is this a known bug or should I file a new one?
(In reply to alex_mayorga from comment #49)
> Found another page with a Flash video that doesn't play along with CtP over
> at
> http://gawker.com/5750211/the-full-mcbain-movie-hidden-throughout-simpsons-
> epsiodes
>
> Is this a known bug or should I file a new one?
Looks like that's just how the site works - if you're quick enough to open the popup notification and activate flash, it works. In the future, you can probably just list these kinds of things in bug 819972.
Depends on: 889228
Comment 51•11 years ago
As currently implemented in 26.0a1 there is a severe regression in click to play. If I watch a video on a site (say youtube) and open another tab of the same site then the second tab will begin to play without my consent, wasting CPU running flash in the background and polluting the current audio with a useless background audio track that I'm not currently watching. There should be the option to require that every plugin on every tab regardless of site or visibility needs explicit approval, otherwise click to play is completely useless and we'll have to go back to using click to flash and the like.
Comment 52•11 years ago
(In reply to Cam from comment #51)
> As currently implemented in 26.0a1 there is a severe regression in click to
> play.
Please, file a new bug: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Plug-ins
Comment 53•11 years ago
Please do not file a new bug. This is the intended behavior, as discussed in bug 886792.
Comment 54•11 years ago
(In reply to Benjamin Smedberg [:bsmedberg] PTO 8-Aug until 18-Aug, workweek high latency 19-Aug through 23-Aug from comment #53)
> Please do not file a new bug. This is the intended behavior, as discussed in
> bug 886792.
Inadvertently running more than one instance of Flash puts the fans on my portable computer into overdrive. This is detrimental to my hardware and *cannot* be the intended behaviour. Firefox+Flash is simply not usable like that. Please reconsider.
Comment 55•11 years ago
As discussed in bug 886792, click-to-play is a security feature, intending to protect users from outdated/dangerous plugins. It is not a substitute for Flashblock etc. If a user enables a plugin on one site, then it is reasonable that they do not consider that plugin a threat on the same site in the same browsing session and so c2p allows the plugin to run. For more control over flash player etc, the add-ons route is recommended.
Comment 56•11 years ago
As discussed here, that reasoning is absolutely wrong, and is in fact an anti-pattern of UX. Security should not be optional, and certainly shouldn't require installing addons that you are not informed of before you are allowed to use the browser. Moreover security should not be half-implemented because a false sense of security is worse than none. Do you honestly think there is one person out there who sees the c2p placeholder and thinks "well that obviously enables the plugin in all cases for this entire domain"?
Comment 57•11 years ago
(In reply to Kshitij Chawla from comment #55)
> ... If a user enables a plugin on one site, then it is
> reasonable that they do not consider that plugin a threat on the same site
> in the same browsing session and so c2p allows the plugin to run.
Trusting a site does not imply that I also trust content served via ad delivery networks that serve content that the site owner has no control over. Those have been used to spread malware on trusted sites before.
Could you please clarify what model of trust you intend to implement? Does trusting a site mean trusting the address in the location bar only, or does trusting a site mean trusting all sites referenced from that site? The latter implementation is not what we are used to, because the Internet Explorer zone model is not transitive in that way: Trusting a site means trusting a single DNS domain. This is what (enterprise) users have been trained to expect for years now.
> For more control over flash player etc, the add-ons route is recommended.
That would be OK if Mozilla endorses and audits an add-on like click-to-play-per-element, and add-ons get a chance to be as secure as Firefox itself. I did not feel that Flashblock was on par with the original CTP implementation.
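
The list precedence requested in comment 14 and the transitive versus non-transitive trust question raised in comment 57, modelled as an added example; it is not Firefox code and not part of any comment in this bug. The policy shape, the function names, the plugin names and the `.example` / `.invalid` hosts are all assumptions constructed for illustration.

```javascript
// Added illustration. Hypothetical policy model: none of these names are
// Firefox prefs or APIs, and all hosts and plugin names are constructed.

// True when host equals domain or is a subdomain of it. Matching on a label
// boundary keeps "evil-video.example" from matching "video.example".
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase().replace(/\.$/, "");
  return h === d || h.endsWith("." + d);
}

function inList(host, domains) {
  return domains.some((d) => hostMatches(host, d));
}

// request: pageHost is the host in the location bar, embedHost is the host
// the plugin content is served from (for example an ad network).
function decideActivation(request, policy) {
  const { plugin, pageHost, embedHost } = request;

  // 1. A block entry for this plugin on this site overrides both allow lists.
  const blocked = policy.blocked.some(
    (b) => b.plugin === plugin && hostMatches(pageHost, b.domain)
  );
  if (blocked) return { action: "click-to-play", reason: "blocked" };

  // 2. Plugins the user marked as always active, on any page.
  if (policy.alwaysActivePlugins.includes(plugin)) {
    return { action: "activate", reason: "plugin-allowed" };
  }

  // 3. Sites allowed to activate all plugins.
  if (inList(pageHost, policy.allowedSites)) {
    // Transitive trust: the page's entry covers whatever it embeds.
    if (policy.transitive) return { action: "activate", reason: "site-allowed" };
    // Non-transitive trust: the embedded content's host needs its own match.
    if (inList(embedHost, policy.allowedSites)) {
      return { action: "activate", reason: "site-allowed" };
    }
    return { action: "click-to-play", reason: "third-party-embed" };
  }

  // 4. Everything else waits for a click.
  return { action: "click-to-play", reason: "default" };
}

// Constructed sample policy and requests.
const SAMPLE_POLICY = {
  alwaysActivePlugins: ["pdf-viewer"],
  allowedSites: ["video.example"],
  blocked: [{ domain: "video.example", plugin: "java" }],
  transitive: false,
};

function demo() {
  const page = "www.video.example";
  const ask = (plugin, pageHost, embedHost, policy = SAMPLE_POLICY) =>
    decideActivation({ plugin, pageHost, embedHost }, policy).reason;
  return {
    firstParty: ask("flash", page, "cdn.video.example"),
    adNetwork: ask("flash", page, "ads.invalid"),
    adNetworkTransitive: ask("flash", page, "ads.invalid",
      { ...SAMPLE_POLICY, transitive: true }),
    blockedPlugin: ask("java", page, page),
    lookalikeHost: ask("flash", "evil-video.example", "evil-video.example"),
    alwaysActive: ask("pdf-viewer", "news.example", "news.example"),
  };
}

console.log(demo());
```

With `transitive: false` the ad-network embed on an allowed page still waits for a click; flipping the flag is the only change that lets it run.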
Comment 58•11 years ago
As others have pointed out, I think the most useful behaviour for people running on devices with low hardware resources is enabling a single instance of a plug-in. There could be an option to enable all for that domain, as it is now, or a single process. With some notebooks it is very useful to enable just one running Flash or Silverlight video at once, enabling all for that domain often means having the CPU running at 100%. Implementing the double option (enable all for domain, enable just one) should cover all the preferences and solve the problem. For example, I find enabling a plug-in for all the domain not the behaviour I need on most of the sites.
Comment 59•8 years ago
This bug is no longer being used for direct tracking: closing.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME