Mozilla has implemented various plugin protections over the years, and with Firefox 17 the open source browser group is going a step further. Click-to-play plugins activate only when a user clicks on them. Firefox 17 adds a blocklist for click-to-play, which provides an additional layer of security for users.
“By combining the safety of the blocklist with the flexibility of click-to-play, we now have an even more effective method of dealing with vulnerable or out-of-date plugins,” Mozilla developer David Keeler wrote. “Instead of choosing between vulnerable but useful (by allowing an old plugin to run automatically) and safe but less useful (by completely disabling old plugins), click-to-play blocklisted plugins gives the user the ability to make an informed decision depending on their current activity.”
Firefox 17 now also implements the HTML5 sandbox attribute, which can isolate iframe content in an effort to mitigate risk and improve security.
“If specified as an empty string, this attribute enables extra restrictions on the content that can appear in the inline frame,” the Mozilla developer documentation on the feature states. “The value of the attribute can be a space-separated list of tokens that lift particular restrictions.”
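The token model described in the documentation quote can be checked mechanically. The following is an added example, not code from Mozilla or from the original article: it reports which restrictions stay in force for a given sandbox value and scans sample markup for unsandboxed or weakly sandboxed frames. The function names, sample URLs and the simplified regex scan are assumptions made for illustration.

```javascript
// Added example. The four keywords are the HTML5 sandbox tokens of the
// Firefox 17 era; later specifications define more, reported here as "other".
const LIFTS = {
  "allow-forms": "forms blocked",
  "allow-same-origin": "treated as unique origin",
  "allow-scripts": "scripts blocked",
  "allow-top-navigation": "top-level navigation blocked",
};

// value: the attribute string, or null when the iframe has no sandbox attribute.
function describeSandbox(value) {
  if (value === null) return { sandboxed: false, lifted: [], enforced: [], other: [], warnings: ["no sandbox attribute"] };
  // Space-separated, ASCII case-insensitive tokens; "" lifts nothing.
  const tokens = new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const lifted = Object.keys(LIFTS).filter((t) => tokens.has(t));
  const enforced = Object.keys(LIFTS).filter((t) => !tokens.has(t)).map((t) => LIFTS[t]);
  const other = [...tokens].filter((t) => !(t in LIFTS));
  const warnings = [];
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    warnings.push("scripts + same-origin: same-origin framed content can remove its own sandbox");
  }
  return { sandboxed: true, lifted, enforced, other, warnings };
}

// Simplified scan of markup for review purposes; not a full HTML parser.
function auditIframes(html) {
  const results = [];
  for (const [, attrs] of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const m = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=\s|$)/i.exec(attrs);
    const value = m ? (m[1] ?? m[2] ?? m[3] ?? "") : null; // bare "sandbox" counts as ""
    const src = (/(?:^|\s)src\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1] || "";
    results.push({ src, ...describeSandbox(value) });
  }
  return results;
}

// Constructed sample markup (hypothetical URLs).
const SAMPLE = `
<iframe src="https://ads.example/banner" sandbox=""></iframe>
<iframe src="https://widgets.example/poll" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="/comments" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://legacy.example/embed"></iframe>`;

for (const r of auditIframes(SAMPLE)) console.log(JSON.stringify(r));
```

The warning on the third frame reflects a caveat in the HTML specification: when the framed document shares the embedding page's origin, granting both tokens lets it reach the parent and strip the attribute.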