Once upon a time I was working with a Windows user concerned about security. My first suggestion was to block Flash from running automatically in his Chrome browser.
As documented on my FlashTester.org site, Adobe's Flash Player is a bug magnet. As of October 16th, Adobe had fixed 203 Flash bugs in 2015, which works out to 5 bug fixes a week. By Halloween, it is likely there will be 10 unpatched bugs in Flash. Trick or Treat.
The cost of security is always inconvenience, and it's hard to judge how much hassle someone will put up with for added security. So we did an experiment.
I set Flash to not run automatically (Settings -> Show advanced settings -> Content Settings button -> Plugins -> radio button set to "Let me choose when to run plugin content") and we visited his favorite websites to judge the hassle factor.
But there was no hassle, Flash continued to run automatically.
I shut down the browser and restarted it. Still, Flash ran automatically on every web page we visited.
I double checked that the Plugins setting was "Let me choose when to run plugin content", and it was.
As I see it, the fault is a poorly designed interface for configuring which plugins run automatically and which do not.
As a long time Chrome user, I took the "Let me choose when to run plugin content" option to mean that no plugins run automatically. But that is not what it means.
Chrome no longer has an option to prevent all plugins from running automatically. Neither does Firefox. Safari, on OS X Yosemite, does (Safari preferences -> Security pane) and Chrome used to (it was called Click-to-play back in the day). According to this forum posting, the option was removed in April 2015.
What "Let me choose when to run plugin content" really means is that Chrome will check the individual plugin permissions on the Plugins page (chrome://plugins) to determine which plugins need manual approval. That's why there is a blue "Manage individual plugins.." link.
On the Plugins page (below) individual plugins can be "Always allowed to run".
On this particular computer, for whatever reason, Flash was configured to always run automatically, something I missed at first. In my defense, it is easily overlooked.
This is not a Windows thing; the browser works the same on Chrome OS and OS X.
My oversight was due to a single concept, limiting the plugins that can run automatically, being configured in two separate places. As soon as someone selects "Let me choose when to run plugin content", Chrome should present a list of all the plugins that clearly shows which ones will run automatically and which ones will not. All the options for controlling plugins should be visible in one place.
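As an added example (not from the original post), here is a small Python check that reads a Chrome Preferences JSON file and reports any plugin that is still set to run automatically even though the global setting is "Let me choose when to run plugin content". The key names and integer values follow my recollection of Chromium's Preferences layout and ContentSetting enum, which the post does not give, so treat them as assumptions; the sample input is constructed.

```python
import json

# Assumed Chromium ContentSetting values (not given on the page):
ALLOW, BLOCK, ASK, DETECT_IMPORTANT = 1, 2, 3, 5
LABELS = {ALLOW: "always run", BLOCK: "never run",
          ASK: "ask first", DETECT_IMPORTANT: "run if important"}

# Constructed Preferences fragment reproducing the post's situation:
# global plugin setting is ASK ("Let me choose..."), yet Flash is
# per-plugin "Always allowed to run", and one site has an exception.
SAMPLE_PREFS = json.dumps({
    "profile": {
        "default_content_setting_values": {"plugins": ASK},
        "content_settings": {"exceptions": {"plugins": {
            "*,*": {"per_resource": {"adobe-flash-player": ALLOW}},
            "[*.]example.com,*": {"setting": ALLOW},
        }}},
    }
})


def plugin_policy(prefs_text):
    """Return (global_setting, per_plugin, site_exceptions) from Preferences.

    Assumed layout: profile.default_content_setting_values.plugins holds
    the global rule; profile.content_settings.exceptions.plugins maps
    "primary,secondary" patterns to {"setting": N} for site exceptions or
    {"per_resource": {plugin_id: N}} for per-plugin rules under "*,*".
    """
    profile = json.loads(prefs_text).get("profile", {})
    default = profile.get("default_content_setting_values", {}) \
                     .get("plugins", DETECT_IMPORTANT)
    rules = profile.get("content_settings", {}) \
                   .get("exceptions", {}).get("plugins", {})
    per_plugin, site_exceptions = {}, {}
    for pattern, rule in rules.items():
        if pattern == "*,*" and "per_resource" in rule:
            per_plugin.update(rule["per_resource"])
        elif "setting" in rule:
            site_exceptions[pattern.split(",")[0]] = rule["setting"]
    return default, per_plugin, site_exceptions


def auto_running_despite_ask(prefs_text):
    """Plugins that bypass the global 'ask' rule via a per-plugin ALLOW."""
    default, per_plugin, _ = plugin_policy(prefs_text)
    if default != ASK:
        return []
    return sorted(p for p, s in per_plugin.items() if s == ALLOW)


if __name__ == "__main__":
    default, per_plugin, sites = plugin_policy(SAMPLE_PREFS)
    print("global:", LABELS[default], "| per-plugin:", per_plugin, "| sites:", sites)
    print("still automatic:", auto_running_despite_ask(SAMPLE_PREFS))
```

Point the functions at the real `Preferences` file in your Chrome profile directory to audit a live configuration.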
That said, I would also like a new option to prevent all plugins from running automatically. Plugins have morphed from gee-whiz things that enhanced web pages to security concerns. My Chrome wish list is:
- Run all plugins automatically
- Run no plugins automatically
- Run just the plugins that I specify automatically
- Run just the plugins that Google thinks are important automatically
The last option is currently the default. It was introduced fairly recently in, I believe, an attempt to block Flash ads. Google currently calls it "Detect and run important plugin content."
At the least, Chrome could do some extra checking. When, on the settings page, someone selects "Let me choose when to run plugin content," the browser should issue a warning about any plugins that are set to run automatically.
Firefox handles plugins very differently. It does not have a global setting at all; each plugin is individually configured to always run, never run, or prompt the user before running. That works for me too.
Both Chrome and Safari support website exceptions. That is, a plugin is assigned a default behavior, but certain websites can be configured as exceptions to the rule. To configure exceptions in Chrome, click the gray Manage Exceptions button (shown in the first screenshot above).
It is not at all clear, however, whether the Chrome website exceptions override either the global rule or the per-plugin settings. The linked documentation (Manage exceptions) is useless since it's generic for all types of exceptions. Google has no specific documentation on plugin and/or extension exceptions.
The contrast with Safari on OS X Yosemite is stark. The Safari preferences make things very clear. Each Safari plugin has a default state; it can be allowed, blocked or set to ask the user. From this starting point, you then configure websites you want to be exceptions to the default rule, and everything is in one place.
Finally, we have the Chrome plugin exceptions written in Klingon, as shown below in a screen shot from Chrome OS (I have not yet seen this on Windows or OS X).
Really Google? Is the name of the software none of our business? And I say "software" because, although this is the Plugins exceptions window, clearly we are seeing rules for extensions (chrome://extensions/) rather than plugins (chrome://plugins/). Safari on OS X does not mix apples and oranges.
Few people who haven't read to the end of this blog will be able to make much sense of the hostname pattern rules shown above. You need to know the secret handshake, which is to go to the Extensions page and click on the checkbox for Developer mode. This causes Chrome to display the ID string for the installed extensions. Then, you can manually decode the website exception rules.
Clearly, Chrome has some catching up to do. Both Firefox and Safari make it much easier to control plugins and extensions.