by a1a 4570 days ago
I do not think this is a good solution. This is once again just smashing another security trade-off in the face of the end-user. Once the user is responsible they can be blamed and the browser is considered secure with stupid users.

If the developers at mozilla can't verify the security of the applet, how on earth would my grandmother be able to?

Note: This is not an attack against mozilla in particular, almost all vendors do this (e.g. "antivirus: wanna allow suspicious file?" or "browser: invalid certificate"). These questions are asked as if everyone is a computer scientist. We developers need to start formulating these questions so they can be answered by a normal person.

Note 2: I guess it's better than doing nothing at all, since it might stop some drive-by attacks.

3 comments

The main security benefit of click-to-play plugin schemes is not to question the user about the security of an object, which is unknown in most cases anyway, but to prevent accidental drive-by loading and other annoying (and risky) usage. Clicking an overlay to run a plugin should be as natural as clicking on a video to begin playback.
Yes. Drive-by is a big deal imo.
I think this feature will protect users on websites where java applets load inconspicuously. With this feature, users wouldn't click on the blocked plugin/applet because they don't have a use for it. This is not the solution that will end all our problems, but hey, this is one step closer and I'll take that!
It's actually pretty good since drive-bys are the most common attacks. Grandma won't click the button if she doesn't care about the content.