Plugin activation in Firefox no longer default
Plugins downloaded for use with Firefox will no longer be activated by default in order to reduce crashes, security problems and hang-ups in the browser.
On Tuesday, Benjamin Smedberg, Engineering Manager, Stability and Plugins at Firefox wrote on Mozilla'a blog that the change is designed to give users a "better Firefox experience." Now, when a site attempts to enable a plugin, users will have to choose whether to activate the third party system or not. The engineer writes:
"Even though many users are not even aware of plugins, they are a significant source of hangs, crashes, and security incidents. By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly."
The only plugin Mozilla Firefox's new system will not effect is Flash, which will remain enabled by default.
"Flash content is so common on the Web, and many websites use "hidden" Flash instances that the user does not see and cannot click on: making Flash click-to-play would be confusing for most users," Smedberg says. "Users with older versions of Flash that are known to be insecure will see the click-to-activate UI and will be prompted to upgrade to the latest version."
A user research study(.pdf) conducted by Mozilla early this year on the prototype implementation of click-to-play plugins found that many users did not understand what a plugin was -- becoming "confused and annoyed" by them -- a main source of frustration was having to enable plugins on the same sites repeatedly. As a result, Firefox's click-to-play feature to focus on enabling plugins per-site, rather than enabling individual plugin instances on the page.
While plugins used to be a useful add-on for browsers to enhance features including video and animation, the developer argues that implementing plugins and technology including WebGL, WebSockets and WebRTC have lessened the importance of plugins -- but their security problems remain. Smedberg commented:
"Plugins are now a legacy technology, and not available on most mobile devices. Mozilla encourages website developers to avoid using plugins wherever possible."
The potential security issues caused by plugins remain of concern to browser providers. From early next year, plugins developed for Google Chrome based on the NPAPI architect will be blocked entirely, as the browser removes support for the system. According to Google, the Netscape Plug-in API 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity.