Mozilla today released latest Firefox 17 beta by enabling new security feature Click-to-Play Blocklisted plugins which is combination of Click-to-play plugins and blocklist. Let me explain, as you know Click -to-Play plugins which when activated allows plugins to load on demand, and blocklist is something we know Mozilla maintains list of outdated and vulnerable add-ons and plugins which are disabled automatically when detected on users’ Firefox browsers. 

Last week Mozilla started warning users who have outdated versions of Silverlight. Flash and Adobe Reader plugins to update those add-ons by visiting Mozilla plugin check page, this happens on Firefox 16 and earlier versions.

For Firefox 17 users who have older versions of plugins when they visit websites with plugin content mentioned above experience is some what different. They will see a plugin icon in address bar which when clicked opens a popup (as shown below in the screenshot below) and prompts users to either update the add-on or view the content by activating the plugin, choice will be left to the user.

Firefox click to play plugin blocks

Lets see the user cases: when user visits a safe video site like YouTube with old Flash Player plugin installed in Firefox 17, since he trusts YouTube even though Flash is blocked he clicks to see the content. Another case where user reaches unknown site via a link he may not want to play the video, user is already protected here because plugin content already blocked.

Let me clarify if user enables vulnerable plugin content on a malicious site, then this feature can’t protect him. This feature only protects against drive-by-attacks aimed at vulnerable plugins. Currently Click-to-play block listed plugins support older versions of Flash, Adobe Reader and Silverlight.

And click-to_play plugins is still in development,  that’s why disabled by default in Firefox 17 you can enable it by setting “Plugins_click_to_play” value to true in about:config. You can download Firefox 17 beta from official webpage. You can read more details on Mozilla security blog.

What do you say about this feature?