Shared publicly  - 
 
#TIL that Chrome now has a built-in plugin-blocking feature, so I can uninstall that Flash-block extension.

Settings > Under the Hood > Content Settings... > Plug-ins

I chose "Block all" rather than "Click to play". I can still unblock a particular instance by right-clicking on it and choosing to unblock, or unblock a whole page using the icon that appears on the right side of the address bar when any plugin is blocked. "Click to play" is slightly more convenient, but is theoretically vulnerable to clickjacking attacks. (That is to say, a malicious web site that is exploiting a vulnerability in Flash would merely need to trick you into clicking somewhere on the page to enable the plugin. Tricking you into choosing an option from a context menu is much harder.)

The web is so much nicer with Flash off by default... not to mention more secure.

Note that blocking plugins will break some sites in weird ways, so if a site is mysteriously not working right, you may need to try un-blocking plugins. Don't enable this setting on a non-tech-savvy user's computer.

(Tip found in +Peter Kasting's long post about Chrome security.)
6
2
Kenton Varda's profile photoJeffrey “jf” Lim's profile photoSanjeet Kumar's profile photoFilip H.F. “FiXato” Slagter's profile photo
25 comments
 
The user-interface still sucks though: the right-click should also provide the option to selectively allow that particular plugin, not only the obscure address-bar icon. Also, the address-bar option being a catch-all, does not allow for selectively, say, allow the DivX plugin, but disallow the flash plugin.

But thanks for the info, I didn't know about the address-bar icon feature so was using the regular flash-block.
 
Thanks for informing me of this feature. Also, for me, right clicking on the disabled plugin icon does bring up an option to run just that instance of the plugin, much like Flashblock.
 
Henner, you can globally enable/disable particular plugins regardless of click-to-play/block settings by using chrome://plugins .
 
+Peter Kasting Yes I know, but this doesn't mean that I can selectively per site do this. It is all or nothing.

Another thing I found that makes it less useful than the flash-blocker: the configuration is per site, not per say flash-path used. That means, that I have to enable flash on every site that has a youtube video embedded. Which is wrong: first, I don't want to enable the embedded youtube player every single time and second I don't want to enable flash globally on certain sites because I do want the youtube player, but I don't want the flash-ads.

Ah, well, back to flash-blocker.
 
Sure. We build features in Chrome based on trying to be simple and broadly useful. It is OK in our book to expect super-power-user edge cases like trying to whitelist on a per-Flash-path basis to require extensions to be supported.
 
Been using this method for plug-in and Javascripts for some time and it is what kept me from going back to using Firefox with NoScript extension.
Related to this usage, I wish there was an easy method to temporarily allow scripts/ plug-ins for a specific site. Been thinking of writing an extension for that...
 
Use the "run all this time" options in the dropdowns for the icons that appear in the address bar when something is blocked?
 
What I want is some sort of detailed cross-site permissions. When the main page is pointing at a random site, I never, ever want to talk to Facebook in any way. No cookies, no web bugs, no javascript, no nothing. I would prefer that even links to Facebook not work without manually intervening somehow. And I want this even if it's because Facebook is at the end of a series of redirects.

On the other hand, when Facebook is in the URL bar, I'm just fine with Facebook cookies, Javascript, what have you.
 
+Eric Hopper - That sounds like something you could do in an extension fairly easily.

FWIW, my approach to sandboxing Facebook is to use a separate Chrome profile for it. So for the vast majority of my web browsing, Facebook thinks I'm just some person without a Facebook account. I suppose they could still be correlating my activities across sites but I don't think I care about that.
 
+Eric Hopper - I don't know for sure, but I would be extremely surprised if they weren't kept separate.
 
Eric, the permission model built into Chrome is one of checking the main site. So if you "allow" (for plugins, for example) for facebook.com, that means facebook.com and anything it loads is "allowed" but other sites who e.g. load facebook.com resources in iframes are not "allowed".

If you want even more control, like an explicit main frame x iframe permission model, you'll need to go to extensions.
 
+Peter Kasting, "run all this time" is applicable only for plug-ins. There's nothing equivalent for temporarily enabling Javascript. Essentially, that means while I can see the jazzy animation of a Flash plug-in, the functionality (like mouse-click action) is still missing.
 
It always amazes me that some people block Javascript and manage to get by...
 
I block most Javascript in Firefox (which I still frequently use). I very selectively unblock it as needed to make the site run.
 
Yeah, blocking Javascript at all just kind of boggles my mind. It buys you pretty much nothing security-wise and is guaranteed to break practically everything everywhere in strange ways.
 
If so, why do browsers provide the option to disable Javascript?
 
The point is to add exceptions for sites you trust and visit often. Like firewall rules, things are blocked unless specifically allowed by a rule
 
+Peter Kasting - It buys me at least one very important thing from a security standpoint. Javascript is no longer allowed unfettered access to my CPU.
 
+Eric Hopper - Interesting point, but how many web sites that spend a lot of CPU on Javascript work at all without Javascript?
 
+Kenton Varda - chuckle Well, some of them work after a fashion, though generally not very well I will agree. Sometimes though, it's not the site's Javascript that's the problem.
 
Insidious level number 1 is having to find this out in order to enable the plugin.

Another whole new level of insidious, though: that the "pattern" should be an exact match?!! (or else somebody prove me wrong here). So for example, "youtube.com" will NOT work. Neither ".youtube.com". You have to type in "www.youtube.com", ARGH! So why is this called a "pattern", exactly?
 
Thanks, Kenton. Works - but this is really not any type of standard "pattern" that i've seen anywhere...
Add a comment...