
Side note: click-to-play is a usability feature, not a security feature. It's still possible for Flash code to run before the user "clicks to play".


Click-to-play in Firefox at least is a security feature. It's enabled automatically for known-insecure plugins like old versions of Java and Flash. You can enable it manually by setting a plugin to "Ask to activate" in the Firefox add-on manager: https://blog.mozilla.org/security/2012/10/11/click-to-play-p...

Click-to-play prevents Firefox from running any plugin code without explicit user action. I am 99% certain this is also the case for Chromium-based browsers. Source: I am a Firefox developer and I have worked on the click-to-play code, e.g. http://bugzil.la/899347


>Click-to-play prevents Firefox from running any plugin code without explicit user action. I am 99% certain this is also the case for Chromium-based browsers.

Wrong: https://code.google.com/p/chromium/issues/detail?id=174963


Since people are disagreeing with my comment, I'll add some extra information (apparently I missed the editing time window, but I stand by my original comment). I should note though that I was talking about Chrome (I don't know what the deal is with Firefox).

If you go through the Chrome bug tracker, you can find several instances where Chrome engineers point out that Click-to-Play is not meant to be a security feature, and that the "Block all" setting is what is actually secure. There are several bugs which demonstrate ways around Click-to-Play which are closed as "WontFix". A quick search yields the following quotes from Chrome engineers:

"Yes, this is why click-to-play is designed as a convenience and not a security feature. If you want plugins blocked in a way that cannot be click-jacked, use "Block all," which requires a protected browser interaction (context menu, page action, etc)." [0]

"The "Click to play" setting is not a security measure. If you want to securely block plugins you must use the "Block all" option, which is a bit less convenient than "Click to play," but provides a click-jack resistant, browser mediated interface." [1]

"I'm kicking this out of the security queue because it isn't a security mechanism ... The secure method of blocking plugins is to select "Block all" and right-click to run. Whereas the "Click to play" feature is for convenience and performance." [2]

"It's not a security feature..." [3]

[0]: https://code.google.com/p/chromium/issues/detail?id=176724

[1]: https://code.google.com/p/chromium/issues/detail?id=225636

[2]: https://code.google.com/p/chromium/issues/detail?id=160707

[3]: https://code.google.com/p/chromium/issues/detail?id=414232

I'm sure there are other instances where they talk about it more, these are just the first results I found.


In recent Chrome builds, they changed the behavior to right-click->Run Plugin, which to my knowledge makes it immune to these attacks.


Er, are you sure about that? That doesn't appear to be the case with Firefox.


I think you might be confusing "click to play" in a Flash video/app vs. the browser-enforced "click to play", which in Chrome/Firefox prevents the plugin from running in that tab to begin with.


He is referring to the fact that in Chrome click-to-play has no security effect at all - pages can click-jack you to activate it.

To quote a Chrome developer: "Click to play is not actually a security boundary. In particular, it has always been subject to click-jacking."

https://code.google.com/p/chromium/issues/detail?id=174963
