Wilders Security Forums  

  #1  
May 5th, 2012, 12:55 PM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Firefox adopts default-deny policy for plugins

Good news for Firefox users:

source

Quote:
If you have ever used NoScript, ScriptNo or Flashblock you will be familiar with this idea. When you load a page like YouTube that has an embedded Flash/PDF/Java object, instead of it instantly loading the video you will see a black box with a logo representing the plugin. When you click on the box it will launch the plugin and the video or other content will be rendered.
  #2  
May 5th, 2012, 01:14 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,469
Re: Firefox adopts default-deny policy for plugins

I tried that approach with some relatives, who use Google Chrome, but it didn't work out. For something like YouTube it's a no-brainer, but for some other websites with quite a bit of Flash content, it was a pain in the arse to figure out what they actually needed to allow, so they asked me to disable the click-to-play feature of Google Chrome.

I wonder why they don't come up with something "smarter". For instance, allow plugins only if the request is coming from a first party, but block it if it's coming from a third party. Considering that most exploits will simply redirect users to the malicious website hosting the exploit, from a hijacked legitimate website, mostly ads...

Wouldn't it be a better approach? A bit like what some extensions allow for referrers - allow it from first parties, but not to third parties. Something like YouTube could be allowed by default, if it's embedded in some other website. Any harm?

If the users do visit some website that requires the plugins, some of them either will freak out and think something is broken, or realize what it is about, but get annoyed by it and disable it altogether. I'm assuming it would be possible to disable it, just like in Google Chrome; which is off by default, actually.
  #3  
May 5th, 2012, 05:39 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Firefox adopts default-deny policy for plugins

I get doing this for Java, which isn't used that often and probably has more exploit sites than sites that use it genuinely. But... for all plugins? Users are going to get ~ Snipped as per TOS ~.

And with the Flash sandbox coming to Firefox I don't see this as being necessary.
Last edited by JRViejo : May 5th, 2012 at 07:49 PM. Reason: Possibly Offensive Word Removed - JRViejo
  #4  
May 5th, 2012, 06:32 PM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: Firefox adopts default-deny policy for plugins

Quote:
Originally Posted by Hungry Man
I get doing this for Java, which isn't used that often and probably has more exploit sites than sites that use it genuinely. But... for all plugins? Users are going to get ~ Snipped as per TOS ~.

And with the Flash sandbox coming to Firefox I don't see this as being necessary.

I am sure it will easily be disabled, perhaps even a whitelist? Though I enjoy having an embedded option to nuke websites from orbit.

Last edited by JRViejo : May 5th, 2012 at 07:50 PM. Reason: Possibly Offensive Word Removed from Quote - JRViejo
  #5  
May 5th, 2012, 09:09 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: Firefox adopts default-deny policy for plugins

And, just like NoScript in the hands of most folks, this will be like playing Minesweeper. "Gee, now which of these four or five grey boxes is a video/game/whatever, and which are ads? Gosh, I hope clicking this particular box doesn't get me pwned!". The problem with most of these ideas is that they sound utterly brilliant on paper, but put them to work in the hands of Joe Schmoe, and watch the face-palming commence. White-listing will, eventually, make everything okay... until you visit a new website, of course. But you have to play Minesweeper before you can "settle in".
 

All times are GMT -4.