Closed Bug 910266 Opened 11 years ago Closed 11 years ago

Modify blocklisting policy for plugins

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: benjamin, Unassigned)

Details

As discussed on security-group, we want to change the blocklisting policy for plugins to include the following condition when blocking a plugin: "A history of critical security vulnerabilities". In addition, the policy around plugins should be clarified because we no longer use "soft" blocks; we always use click-to-activate blocks, which are always superior UI. It's not clear to me whether this policy has an official owner, but Jorge is owner in practice, so I'm going to mark needinfo for him to approve these changes before I actually make them in the wiki.
Flags: needinfo?(jorge)
No longer blocks: 899080
The final call on popular plugin blocks is up to the Release Management team, so, I think these questions should be directed to them. FWIW, I agree with the policy changes. Effect on user experience should always be considered, of course, since we can't block all of Flash overnight, for example, even if there were security problems.
Flags: needinfo?(jorge) → needinfo?(release-mgmt)
I concur that this is a fair statement to include in our policy with the appropriate judgement used for scenarios like he mentions in comment 1 - as with our ESR landing criteria there is always some leeway for Release Management to make the call based on several factors including this consideration.
Flags: needinfo?(release-mgmt)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit