I welcome this move, despite the possibility of some fallout from the change. It'll be painful, but even as someone who once made a living writing ActionScript, I have to say that Flash is sufficiently annoying and insecure that it really needs to be phased out.
In the short term, this will probably cause some breakage in certain sites that try to use Flash "transparently" and "unobtrusively" for things like LSOs, drag-and-drop, clipboard access, or cross-domain XHR. These are already problematic with Flashblock installed though -- Pandora, for instance, refuses to load and there is nothing available to click-to-play since that particular Flash object is hidden.
Hopefully this will light a fire under those sites and get them to update to the appropriate HTML5 methods of doing these things (local storage, WebSockets, etc.), just like how Java applets that were used for such things have been largely phased out. Until then, however, I wouldn't be surprised if some of them simply inform you not to use Firefox to visit.
To take care of the invisible Flash object problem, Firefox could copy what Chrome does for Java applets and have a bar pop up at the top of the whole page, asking if you want to allow Flash to run on the site in question.
Pandora uses jPlayer to play audio which has an invisible Flash component to play mp3s on browsers that don't support it.
If Firefox requires 'click-to-play' on an on-screen piece of Flash to enable it, all sites using jPlayer to play mp3 simply will not work.
And of course this doesn't just affect jPlayer, many other players use this technique.
Much better -- as mistercow reasons -- to have a pop-up asking you if you wish to run Flash on a particular site and I would love to see an 'always allow' option here.
TL;DR there is a licensing issue with the MP3 decoder. It's more complicated than that, but most of it is due to software patents. http://en.m.wikipedia.org/wiki/MP3#section_10 has more info if you're curious.
I use Chromium, and have old flash installed. Every page shows me this bar asking me to update flash, with button to enable all flash on this page. It's very convenient, even more than FlashBlock on Firefox was.
No it's not, because if the Flash object is invisible, it simply does not give you any way to enable them unless you go to the preferences and explicitly add an exception.
This was my entire point in the first place, if you look up at the beginning of the thread. For example, turn on click-to-play and then go to pandora.com. If Chrome treated Flash the same as Java, you would still be able to use pandora easily.
read his post again. he's not talking about the click-to-play ui. there's a puzzle piece icon in the taskbar. clicking it displays a drop-down menu, and even if the flash is invisible you can choose the "enable flash on this page" option.
A problem I found with Chrome's current implementation is on pages where you don't even know flash is being used, Google Translate and Soundcloud for example, after thinking the site was broken I remembered I had click-to-enable active.
Indeed, this happens to me too. And I think this is why Mozilla will need to have a very good UI to tell the user how to fix a broken site (or just fix it for them e.g. through a crowd collective).
That's not a problem because Firefox has support for CORS, which is better than doing Flash because it's faster.
Of course, the server must cooperate with the browser by passing back allowance headers, but that's also true for Flash, as you need the server to have a crossdomain policy file for that.
> That's not a problem because Firefox has support for CORS, which is better than doing Flash because it's faster.
That's nice for a new site being developed right now, it's problematic for a site which has been stable in production for months or years and for which everybody involved in the development has moved on already.
If that site is the case, then lack of maintenance will have reared its ugly head long before a lack of Flash (or, the inclusion of it) broke their site.
horse-and-cart didn't stop working when the automobile came around. The proposal here is that we shoot all horses and burn all carts because somebody somewhere has started driving an automobile.
As an alternative, rather than requiring that all Flash shims have some sort of screen real-estate of their own to overlay a click-to-play control onto, perhaps hidden embedded Flash (or Java, or ActiveX, or whatever) objects could request the browser to prompt for their activation with an information bar.
I was thinking of postMessage, I haven't used CORS before but it looks like it ends up giving the same kind of outcome. In my case though I control the server have have the JS on 3rd parties so it is the reverse to what you are saying.
Minus a couple of restrictions (i.e. with CORS you cannot rely on cookies being set, so you need to handle that from your Javascript somehow), CORS works well and it works on all major browsers, starting with IExplorer 8, which makes it awesome.
For this feature, there will also be an option to enable plugins for websites that have them hidden such as Pandora. And in addition it will be possible to whitelist/blacklist websites.
I am so happy that I can barely contain myself. Hopefully this means Flash will now be used for important things, instead of shoving ads in my face that I can't dismiss, and follow my scroll bar.
Well, it's true that JavaScript- and Canvas- powered ads are harder to distinguish from legitimate web content. But the flip-side is that they're (re-)programmable using standard JavaScript APIs, and thus vulnerable to manipulation by browser extensions in a way that Flash never was, being a proprietary binary format.
I can't even imagine how many hours I've lost to Flash-induced beachball. Some pages have dozens of little advertisements and assorted trash that take nearly a minute to sort out.
Any effort to make the browser experience smoother is a good thing!
The problem is some uses of flash doesn't put any flash controls on the webpage. Mainly for audio related uses, like audio players (mixcloud), or games (since html5 audio still has some work to be done). Chrome gets around this with an icon in the urlbar, and an option "Run all plug-ins this time". If firefox wants to make click-to-play the default option, I don't think this is going to cut it. The only two options they have are to only click-to-play visible plugins (but this is really hard to detect), or give a popup. The popup might work for most users, but some are just going to get confused. In fact, I don't know if most users will read the place-holder for click-to-play in general, or just go "why isn't youtube working".
There's an “enable plugins” icon at the left of the location bar when the page contains those. It's a bit less visible than the one for pop-ups, but at least it's in an area that can't be spoofed.
Oh man, bad memories. I used to get so frustrated with Internet Explorer* for doing this about 7 years ago. I was young then, 12 or 13, and had just gotten Flash for my birthday. I know it had to be 2004 or 2005 because the version was Flash MX 2004. I was young enough and it was long enough ago that I think I was using Internet Explorer primarily, and got terrible frustrated when they started using this default click-to-play behavior on my Flash creations. How dare they! It took me long enough to figure out how to embed them (I remember I tried using the <img src="" /> tag with a .swf file. HAHA!)
It was something to do with an "ActiveX control," I don't remember anymore. But you should have seen how angry it made 13-year-old-me, because my loud, annoying Flash creations had to be allowed their obnoxiousness by every user. Anyway, the point is I approve. :)
* I'm pretty sure it was IE, could be remembering wrong.
I remember that, I believe it was the result of a patent lawsuit. Something about a company had the patent on the concept of embedding assets into the page and automatically starting on page load, or something like that. Microsoft's response was to force the click-to-play mechanic to get around it and then people figured out how to get around that. I don't recall any other browser having to deal with that particular patent.
This is great, really, but I'd like to see something more aggressive:
Non-foreground tabs should be completely suspended - plugins, JavaScript, media, you name it - unless they specifically request and are granted permission to run in the background.
Quite a lot of webpages need js to initialize themselves, these days, and I want them to load in background when I middleclick on a link. You probably want (at least some) websites to perform XHR when not focused (to update a news stream or something). I find an opt-in behavior on such a common feature a bit to hard, as a lot of website rely on that.
setTimout and friends are throttled (at least in Firefox) to fire at most once every second, so you won't burn your battery having a graphic demo in the background.
Actually, I'd only white-list Gmail and maybe Twitter. I'd prefer it if most site just served HTML to begin with.
I run with JavaScript and Cookies disabled unless white-listed, and just leave the majority of pages that won't load. Techcrunch, Engadget, and most news sites are so much faster without JS.
I might be ok with a timeout - after 30 seconds of no interaction from me, suspend the tab. Would that address your objection?
Eh, that would get annoying if it was the default behavior. I like to think I have self-control and know how to run Chrome without eating up my RAM or CPU. I don't need this sort of moderation. I don't think most do. I think I would hate it if JS stopped running in the background.
Flash files are worth silencing by default because you don't usually come to the website for them. They're largely unwanted web rodents.
I have to say Javascript and Flash are disabled by default on a constant basis on any browser I use, yet I don't have a "rodent" category. I don't "hate" specific categories of content on a random basis either. A lot of end users go to sites for flash content, I don't see how this "rodent" category gets to be made up, is that ads you are referencing in a specific way or do you have a visceral reaction to adobe flash ? Does it induce vomit ?
Kind of annoying for anyone with a lot of screen real estate, I don't want the youtube clip to stop playing just because I'm browsing another site at the same time.
Flash have just finally got (after like a hundred years) the ability to stay in full screen even if you focus another window.
Also, that will break all instant-messaging implementations - at least until you refocus that window. Imagine having to focus a window just to see whether the content has updated?
Very good Idea I think. Flashblock is one of the most useful plugins to me right now.
Although I think that mozilla will definitely have to implement a very easily accessible whitelist to go along. Otherwise, it will become slightly annoying for people with slow internet connections who rely on loading e.g. loading videos while surfing in another tab and the like.
I should have clarified that the pieces of the implementation landed starting in Firefox 11, but key bugs like https://bugzil.la/730318 weren't fixed until Firefox 14. It won't work correctly on all pages in earlier versions.
[I'm a developer of Firefox for Android, which has click-to-play enabled by default starting with version 14.]
Adobe has proven time and again that they cannot produce secure software. Down with Flash, and down with Reader. These two pieces of software seem to be responsible for millions of malware infections and thus tons of spam and fraud online.
The world would be a better place without these two Adobe products. Their /content production/ software is amazing, and they should just stick to that IMO.
I am quite pleased with this idea. This is what NoScript does by default and pages load noticeably faster. In requiring flash objects to be clicked first provides a increased protection against the all too common Flash zero day exploits.
I turned it on a few weeks ago, and after a day or two white listing a few sites that I use often (Google Music, etc) I've found my browsing experience much more enjoyable. My computer as a whole seems snappier; although it could be placebo.
I rock click-to-play for plugins in Chrome and it's extremely helpful for browsing speed and enjoyability. No more playing "Which window is that sound coming from?". That said, there are definite usability problems with the current chrome implementation that I hope FF improves on. I'd like a "Load all requested plugins for this page" button. Or a whitelist maybe.
Great move. I am reminded of Apple's recent Java update[1], which turns Java off by default, and disables it again after a period of disuse. It moves the security threat into phishing rather than drive-by territory, a definite improvement.
i would go one step further and disable all auto-play for audio and video. not just flash, but html5 as well.
if there is some audio or video designated to play onLoad, notify user and have them click ok/prevent/mute...etc. it might make for some no-so-seamless experiences, but the alternative it 90's style animated gif annoyances on spam sites etc..
I think the real benefit here would be to block java plugins automatically. The current implementation blocks both (to the best of my understanding).
Not automatically loading java would be a great benefit to the majority of users. Its not used on nearly as many websites yet it is responsible for the lion's share of current security exploits.
Firefox would lose a lot of users if they did this. There are a lot of people who don't understand plugins and they would probably just find this feature to be annoying and use IE or Chrome instead.
On a side note: is there an opensource browser who doesn't let a flash video/embed to steal keyboard focus? I tend to use the kb heavily for navigation and this behaviour is frustrating.
This has been suggested often (and would be a wonderful feature). IIRC it's impossible currently due to the fact that flash runs as a single process and so you can only control the volume of all flash movies, not individual ones.
I think the point of the article is "by default". I don't know about Firefox but chrome has plug-in on demand as well. On linux, I have plugin on demand enabled in Opera, however on windows I have it disabled due to it's inability to start hidden flash. For example on Soundcloud. Maybe there's an action for enabling plug-in on demand that I could put to shortcut but I never got around to look into it. Anyway, flash on windows is just fine ...when not counting the adobe vulnerabilities(tm).
For my money, they oughta make Canvas click-to-play as well, since the rendering speed in Firefox is unbelievably slow and the javascript behind it is so frequently written to hog up 100% of the CPU it's hard to even know what you're looking at if you accidentally stumble across an HTML5 page in Firefox, before your system grinds to a complete halt.
It's funny how people blame Flash for slow websites when what they should really blame is bad coding practice, which can just as easily show up in JS (and does). To take it further, it's pretty rare for Flash code to bootstrap a huge set of libraries to do some petty effect - and if it does, the plugin doesn't freeze the browser preload while waiting on them. Whereas a 150k JS file that includes jquery and a bunch of other junk which probably isn't necessary (but makes coding some effect that much easier for bad programmers) can bring a website to its knees before the first line of text is delivered in the browser.
Again, don't blame the tools; blame the tools who use them.
Firefox canvas really isn't that slow anymore. Every time they increment the major version number, I play a couple of HTML5 games and check out the difference in responsiveness. A highly subjective test, sure, but an effective one. If you take a user-centric view then it's arguably the only test that really counts. You wouldn't believe the difference between FF5 and FF12 playing a game like Canvas Rider[1].
yeah but consider in the future everyone ditch Flash ads for canvas animation ads, your page will basically have like 1000 embedded blinking and scrolling ads made in canvas.
I wish I had more upvotes to give you.
And let's not forget WebGL, as of today, 99% of the WebGL stuff is a sure way to have the fan spin to a million rpms on my laptop and blow out my battery.
Awesome. I hope the old adage good product wins is really true in the browser world. It was quite a trick to grab market share against IE back in the day, but now they are up against the google cash machine paying Adobe/Avast/ Real/etc. $3/download for chrome. Hard for the little non-profit that could to compete against that. We'll see.
In the short term, this will probably cause some breakage in certain sites that try to use Flash "transparently" and "unobtrusively" for things like LSOs, drag-and-drop, clipboard access, or cross-domain XHR. These are already problematic with Flashblock installed though -- Pandora, for instance, refuses to load and there is nothing available to click-to-play since that particular Flash object is hidden.
Hopefully this will light a fire under those sites and get them to update to the appropriate HTML5 methods of doing these things (local storage, WebSockets, etc.), just like how Java applets that were used for such things have been largely phased out. Until then, however, I wouldn't be surprised if some of them simply inform you not to use Firefox to visit.