The plugin click-to-activate whitelist has expired, and we will not be renewing it. This bug tracks remove all plugins except for Flash from the whitelist. This means that they will revert to the default click-to-activate behavior.

Review commit: https://reviewboard.mozilla.org/r/45481/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/45481/

Comment on attachment 8740000 [details] MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm https://reviewboard.mozilla.org/r/45481/#review42071 That's a lot of plugins, is product ok with this?

s/Bujg/Bug/ in commit message

I am functioning as plugins product manager for the time being. I've discussed this with Javaun, and I've also reached out to every plugin vendor who was on the whitelist.

Comment on attachment 8740000 [details] MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm Approval Request Comment [Feature/regressing bug #]: Removal of whitelist [User impact if declined]: Increased exposure to plugin exploits and less data for us about which plugins are still being used in preparation for the end-of-2016 plugin deprecation plan. [Describe test coverage new/current, TreeHerder]: straight pref removal: no additional tests done at this time [Risks and why]: this could affect minorities of users who use these plugins, but they should be able to use manual activation still. Many of these plugins are no longer used/relevant. [String/UUID change made/needed]: none

I want this to bake in Nightly for a couple of days before uplifting to Aurora.

Comment on attachment 8740000 [details] MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm Needed in preparation for plugin block experiment, baked on Nightly for a bit, Aurora47+

Posted the site compatibility doc. MDN may also need a doc. https://www.fxsitecompat.com/en-CA/docs/2016/all-plug-ins-other-than-flash-are-now-defaulted-to-click-to-activate/

This may also require a follow-up post on the Security Blog as well as a relnote bullet point to remind people about the NPAPI deprecation.

We should make this part of Firefox 47 release notes. Suggested wording: `The Firefox <a href="https://blog.mozilla.org/futurereleases/2013/09/24/plugin-activation-in-firefox/">click-to-activate plugin whitelist</a> has been removed.` We do not plan on an additional blog post at this time.

Added to Fx47 beta release notes.

Updated: https://developer.mozilla.org/en-US/Add-ons/Plugins/Site_Author_Guide_for_Click-To-Activate_Plugins and https://developer.mozilla.org/en-US/Firefox/Releases/49#Security

Benjamin pointed to me that it will be Fx 47 (as it was obvious from comment 14 :-(, so my bad). Fixed https://developer.mozilla.org/en-US/Firefox/Releases/47#Security (and removed elsewhere) Thanks for the good catch!