Click to play, it’s a way of forcing plugins in your web browser in to gaining consent from you in to running. Why is this important? Well, malicious web pages can do a lot with them. Adobe Flash Player, the main one I’m about to talk about, has had a very troubled security history and is generally regarded as one of the most vulnerable bits of software out there. Then why do we want it at all? Well, Flash Player is used for a lot of streaming websites and for all kinds of media and music playing. Though if you’re using Chrome, not the majority of YouTube. Youtube now uses just HTML5 video for anything that it can convert to the right format. See YouTube’s HTML5 page
So rather than just disabling it out right. Or hoping that you won’t accidentally land on page that’s trying to exploit a flaw in the software somehow, there’s a happier middle ground that trades a tiny bit of slickness of use for a lot of security. Click to play works by requiring you to right click on a flash element and pressing “play”, that’s it. Then it loads that individual plugin and it continues as per exactly normal. All this means is that sites cannot surprise you with Flash elements.
How vulnerable is Flash? Just how dangerous is it? Well it’s in the top 25 for “Most vulnerabilities ever”. It’s heavily used for Watering hole attacks and Spear Phishing. It, along with Java, are the two most vulnerable and susceptible elements of modern web browsing, with the browser itself a distant third!
This is how Adobe’s Flash Player page looks with click to play enabled.
{% img center /images/ctp/adobe_ctp.png %}
Then you just right click on it, go to “Run this plug-in”
{% img center /images/ctp/adobe_rctp.png %}
And boom, there’s your Flash content.
{% img center /images/ctp/adobe_clicked.png %}
To enable this on Chrome, you just need to change the content settings, which thankfully Chrome make pretty easy.
First just go to Preferences (or press ⌘ +,) to get to the settings page.
{% img center /images/ctp/settings.png %}
Then type in “click to play” in the settings search. Chrome should point you towards where it’s found that setting. Click on “Content settings…"
{% img center /images/ctp/foundclicktoplay.png %}
Scroll down until you get to “Plug-ins”
{% img center /images/ctp/contentsettings.png %}
Then for “Plug-ins”, select “Click to play”.
{% img center /images/ctp/contentsettingsclicktoplay.png %}
Then press “Done”.
{% img center /images/ctp/doneanddone.png %}
Now you should be peachy!
Yeah, exceptions happen, but they’re lovely and easy to do too. Say for Spotify, you need to add “play.spotify.com” as it loads a hidden Flash element.
To do that you just go back to “Content settings” as above, then go to “Manage exceptions…”
{% img center /images/ctp/gomanageexceptions.png %}
Add in ‘play.spotify.com’ and press return. Change Behaviour to “Allow”.
{% img center /images/ctp/add_spotify.png %}
Then just hit done (and then done again), and you are… done!
{% img center /images/ctp/hitdone.png %}
Exceptions are so rare, in my experience, that you shouldn’t have to do this. (and use the native Spotify client as it’s better…).
I’d suggest going to This classic song to test if YouTube is still working for you.
Then head to Adobe’s version page to test if it’s working, it should look like this, with each of the grey elements which you can now click to play!
{% img center /images/ctp/adobe_ver.png %}