Firefox Blocklist & Click To Play

Mozilla blocks several addons, including these plugins, and all Java. More blocks are planned. The discussions that lead to the most recently implemented blocks can be read here.
Update: The block of all Java has been reverted.

hard versus soft block

A block can either be a hard block, or a soft block. Hard blocks are used to block malware. Soft blocks are used to warn users that a web page has triggered the run of a legitimate, but potentially dangerous plugin like Flash, Java, or Adobe Reader. This usually affects outdated versions of these plugins, that often have known vulnerabilities.

The vulnerabilities of these plugins are routinely exploited by criminals to deploy trojans, which then intercept passwords, and which are also responsible for most of the spam emails that we are all suffering from.

click to play

This plugin is vulnerable and should be updated.
Check for updates.
Click here to activate the Java(TM) Platform SE 7 U plugin

Soft blocks are also called 'click to play', because they allow manual override by the user. They were first displayed like the sample image shown here, but the precise look seems to have changed often within short time, adding red color, making the sign bigger, and replacing the sign by a different one.

Soft blocks permit to access desired functionality, but help to avoid drive-by-downloads of malware (if the users don't just click on any 'click here' that they see).

Mozilla aims to soft-block outdated plugins approximately three weeks after an update version is available. However they often reduce this time for plugins with known vulnerabilities, especially when the vulnerabilities are already widely exploited. In this case the soft block can even be activated before an update for the plugin is available.

On October 18th a new variant of click-to-play was activated for all versions of java. This new variant shows a big red 'no entry' traffic sign in the upper left corner of the browser window (bigger than the sample here, and with some additional text, if you have a hardcopy of the original please email me). It did not allow to override the lock for outdated version of java. The same sign was shown again after updating to the latest version of java, but with slightly different text (my users did not notice the difference). Now clicking on the sign brought up a window, where it was possible to whitelist a site. This java-block was disabled a few days later, because it caused too many problems, and whitelisting was broken.


The permissions manager of Firefox can be used to whitelist domains, for example often visited sites that need a certain plugin, or a corporate intranet. Then soft-blocked plugins continue to work there, without the warning message being shown.

The relevant part of the UI of the permissions manager is not yet implemented, but the addon click-to-play-manager can already implant such whitelisting into the database of the permissions manager. These entries will not be visible in the permissions manager, but they work.


A manual update can be triggered on the error console or browser console by entering this command (on one line):
See also

If you want to decide yourself what to block and what not, you can change the value of extensions.blocklist.url
The original value expands to something like this: