cancel
Showing results for 
Search instead for 
Did you mean: 

How to allow Java on trusted sites

Support will end for all NPAPI plugins except for Flash in March 2017, when Firefox version 52 is released. See this compatibility document and this article for details.

Beginning with Firefox version 52, support has ended for all NPAPI plugins except for Adobe Flash. See this compatibility document and this article for details.

Firefox has stopped the Java plugin from running automatically because of security issues. However, you can still activate Java on trusted sites. We'll show you how.

Warning: You should only activate Java on sites you trust.

Activate Java once

When you see the "Activate Java" message, simply click it to load the Java content normally.

In-content Java prompt

If there is no visible area to activate Java content in the webpage or if clicking on the "Activate Java" message doesn't work, look for the plugin icon in the address bar. Click on it and, in the message panel that opens, choose Allow Now to enable Java content temporarily.

Activate Java once 29 - Win
Note: The next time you visit the site or any other that uses Java you will see this message again.

Always activate Java for a site

If you have a trusted site that uses Java and you need to use that site often, you can make Java work normally on just that website.

  1. Click the plugin icon in the address bar and a message panel will open.
  2. In the message panel, click Allow and Remember.
Activate Java always 29 - Win

Now, whenever you visit this site, the plugin will automatically run and you won't get the "Click to activate" message.

Java security prompts

After activating Java for a site you may see a security prompt, asking you to confirm that you want to run Java, or a message such as "Application Blocked by Security Settings", with no option to run Java. These security prompts and messages come from Java itself, not from Firefox, and depend on the website and your security settings in the Java Control Panel.

Java confirmation

For more information, see these Java Help pages:

Customize this article

Firefox

Firefox for Android

Firefox for iOS

Firefox OS

Thunderbird

Version History
Revision #:
3 of 3
Last update:
3 weeks ago
Updated by:
 
Comments

An "Update Java" section is needed at the beginning of the article, based on the release of Java 7 Update 11. Ref: https://blogs.oracle.com/java/entry/java_vulnerabilities_addressed

Related article discussion:

See also: Bug 829111 comment 32:


alex_mayorga 2013-01-13 15:08:10 PST

Oracle has released a fix[1], 7u11, but seems like this block is overreaching based on user comments[2] and still blocking when updated.

Should this be reopened?

  1. https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
  2. https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/comment-pag...

P.S. I looked at link #2 and the comments probably have to do with another bug introduced in Java 7 Update 10, which will be fixed in Java 7 Update 12. Ref:

The Java 7 Update 11 release notes refer to bug 8005410 under Known Issues, Area: deploy Synopsis: Problems with Registration of Plugin on Systems with Stand-alone Version of JavaFX Installed

Never mind ... see https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/
Quote:
Update – January 18, 2013
Mozilla is extending Click to Play for Java 7u11 due to reports of exploit code available for 7u11 and information that all elements of the original Java bug have not been fully addressed by Oracle in the 7u11 patch.

Updating to Java 7 u11 changes the default security level to High, which results in a second "Security Warning" alert after activating java. Should we add something about this?

A Windows user posted this screenshot in this support forum thread:

cor-el posted this reply:


Oracle also has tightened the security setting in Java.

   http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html 

The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.


Oracle's Java Control Panel documentation has more information:

I've added a "Note" about the second Java "Security Warning" to http://kb.mozillazine.org/Java#Java_content_requires_click-to-play_activation

This is still listed as a hot topic.. Should we still keep it as one? Unless people haven't been updating Java isn't blocked anymore. I suggest to de-list it as a hot topic.

I agree that this article should no longer be a "Hot Topic" but I remember that changes to "Hot Topics" used to be discussed in the weekly KB meetings. The last meeting etherpad is 2013-08-08 (I can't tell if that meeting took place and I don't see a new one set up for next Thursday).

I would either bring it up in the SUMO Monday meeting, ask in the contributors forum, or else PM Michael, Tyler, or another admin. Adding to or removing articles from Hot Topics is really something that should be discussed beforehand.

I got a hold of Tyler via IRC. He suggested to keep it as it still gets a large amount of users to it. Looking at the knowledge base dashboard show's it at number 12. I say we keep watching the knowledge base dashboard until it drop to about #20 then we can consider it being no longer a hot topic?

I don't think that an article's most-visited rank is a reason to add or remove it from the Hot Topics list but in any case, I think it's best to leave this up to admin.

SHANKHA71

if u have any problem with the java u can go to java site www.java.com and instal a new version or upgrade or reinstall it automatically can see you tube or any other video sites . if this problem persists more also check ur adobe air , flash player , shockwave player .............

then going through the options of firefox browser see which one is enabled or disabled click and make right through but the browser takes it automatically if it gets a higher version of the java apart from ur machine software version i mean the java software

Copied from my post today in the Firefox 24 Release / Issues / Status thread /forums/contributors/709626#post-54713


Tylerdowner said

Hey everyone, just a quick FYI that in Firefox 24 and later all versions of Java forever will be Click to Play blocked. This is because of a variety of constant security and stability issues that have been plaguing Java for years. Users can use the click to play dialog to enable Java on a per-site basis from now on. Why do I have to click to activate plugins?

How to allow Java on trusted sites is on the /products/firefox Hot Topics list and has been for some time. Only thing, the Always activate Java for a site section and screenshot for the drop-down needs updating. It now says "Allow Now" and "Allow and Remember".

Here's what I see in Firefox 24 on Windows 7 with the latest Java 7 U45:

Fx24JavaBlock [[Image:Fx24JavaBlock]]


P.S. Maybe use this cropped screenshot in the article?


Fx24AllowJavaDropdown [[Image:Fx24AllowJavaDropdown]]

Another Firefox user posted about allowing Java on pogo.com in the Get community support Discussion forum, in this thread. He also suggested that this article be updated, since the options to enable the plugin are now "Allow Now" and "Allow and Remember". I referred him here, if he had anything to add.

It might also help if the article mentioned that, when loading a Java applet, there may also be Security warnings that come from Java, which have nothing to do with Firefox. Here's one I got for Yahoo Games using the latest Java 7 U45 on Windows 7:

JavaSecurityWarning [[Image:JavaSecurityWarning]]

i've updated the most basic changes to reflect the current situation in firefox 24+.

Thanks for updating this, philipp. Only thing, you have to change {for =fx23} since that only shows the content for Firefox 23 but not for any other versions like Fx17 (Firefox ESR). You have to use {for not fx24} to show it for Firefox 23 and below. How to use For.

I would have changed it myself but when I go to edit your revision it says you're still editing it.

thanks alice, i was not familiar with the correct for-handling... also i don't know why it said, i was still editing it (i wasn't), so i've filed a new revision.

One more thing, the "Activate Java" message might only say "Activate Java(TM) Platform" for Windows. The plugin is named Java Plug-in 2 for NPAPI Browsers (Mac OS 10.6) or Java Applet Plug-in (Mac OS 10.7 and above) according the Use the Java plugin to view interactive content on websites article. I made a new revision to just call it the "Activate Java" message.

I'll let this stay pending a little while to give admin a chance to review, since it's a high-profile article. In the meantime I made a new revision to Forum Response - Activate Java based on your edits and added it to common forum responses. Thanks.

EDIT: I approved the latest change and marked it ready to localize.

For the record, here's the bug that made even the most current version of Java Click-to-play due to security issues:

  • Bug 914690 - In Firefox 24 and following, mark all versions of Java as unsafe

I added this article to the "Need changes" list based on the possibility that the Java 7 U 45 block may be reverted. See https://bugzilla.mozilla.org/show_bug.cgi?id=914690#c65 dated 10-22-2013

Also need to review for Mac OS ... and change wording? Mac OS X 10.6 uses Java 6 which is still being updated by Apple. The latest Java 6 is not being blocked on Mac OS X 10.6. I tested it on an iMac running OS X 10.6.8 with the latest Java 6 update, installed via Apple's Software Update.

An update to Java 6 version 1.6.0_65 was released by apple on Oct 15 2013 Ref: http://support.apple.com/kb/HT5946 (OS X 10.6) http://support.apple.com/kb/HT5945 (OS X 10.7 and above). OS X 10.7 and above may install and use either Java 6 from Apple or Java 7 from Oracle. * Ref: http://java.com/en/download/faq/java_mac.xml


* EDIT:  

http://support.apple.com/kb/HT5945 About Java for OS X 2013-005 dated Oct 15 2013 (which I linked earlier and should have read more carefully!) says,

This release updates the Apple-provided system Java SE 6 to version 1.6.0_65 and is for OS X versions 10.7 or later. This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle. 

See also http://javatester.org/index.htm which says,

Oct. 17, 2013: OS X Snow Leopard (10.6) clarification: I have seen it reported twice on websites with many readers that Apple does not allow Java 6 to run applets (Java programs embedded in web pages, such as the Version page on this site). This is not true on OS X 10.6. It is true on OS X 10.7 and 10.8. I have personally verified that Java 6 Update 65 runs applets just fine on Snow Leopard.

I also found http://support.apple.com/kb/HT5559 Java for OS X 2013-005: How to re-enable the Apple-provided Java SE 6 web plug-in and Web Start functionality. (It seems using the Java 6 plugin for Java applets on Mac OS X 10.7 and above is possible, but complicated.)

Need to update this article since the blocks to current versions of Java will be removed. See https://bugzilla.mozilla.org/show_bug.cgi?id=914690#c80


Jorge Villalobos [:jorgev] 2013-10-23 08:40:43 PDT

The blocks have been reverted. It'll take roughly a day or two for most systems to update their blocklists and have Java working again.

Status: REOPENED → RESOLVED Resolution: --- → WONTFIX


Another update is needed since the changes made in bug 914690 will be reverted (see comment 80). I started a new discussion thread here:

so just add back the intro we had before?: "In order to protect you, Firefox has stopped some versions of the Java plugin from running automatically because of security issues."

The original intro would be OK:

In order to protect you, Firefox has stopped some versions of the Java plugin from running automatically because of security issues. However, you can still use Java on trusted sites if necessary. We'll show you how.

cor-el said

See also https://groups.google.com/forum/?fromgroups=&hl=en#!topic/firefox-dev/WdHNwlV0bBk

Thanks for the above link to the discussion, Status of click-to-play plugins in Firefox 24/26 started by Benjamin Smedberg on Oct 29.

On whether or not current Java versions will be CTP blocked in the future, the answer is yes, eventually, along with other plugins. This is from the original bug that initiated the now reverted block for Firefox 24:

https://bugzilla.mozilla.org/show_bug.cgi?id=914690#c83


Benjamin Smedberg [:bsmedberg] 2013-10-23 09:12:41 PDT
We certainly will be making java CtP by default when the UI is fixed (along with all other plugins). Whether or not we want to use the scarier UI is still an open question.
In any case, I don't think it makes sense to re-use this bug, given its size already. When we decide to re-block, I'll file a new bug and comment in this bug to link them up.

See also this recent blog post, https://blog.mozilla.org/futurereleases/2013/09/24/plugin-activation-in-firefox/ Quote: The one plugin not affected by this change is Flash, which will remain enabled by default.

I'm watching these open CTP bugs:

  • Bug 932446 - Vulnerable Click-to-activate in-content UI should look clickable
  • Bug 932854 - Consider showing a notification bar for hidden plugins

Looks like click-to-play will be the default action for all plugins except for Flash, in Firefox 26:

http://www.mozilla.org/en-US/firefox/26.0beta/releasenotes/
Quote: All plug-ins, with the exception of recent Flash plug-ins, are defaulted to 'click to play

Bug 899080 - Make plugins default to click-to-play

The Java Security prompts can confuse users - see /questions/979135#answer-508060 - and you can get these prompts even after activating Java.

I added a paragraph on Java security prompts to the end of the article with a link to http://www.java.com/en/download/help/appsecuritydialogs.xml

The Firefox 26 release notes at http://www.mozilla.org/firefox/26.0/releasenotes/ now say this:
Quote: All Java plug-ins are defaulted to 'click to play'

Reason for limiting click to play to Java by default given in Bug 941137 - Alter plugin defaults for beta/release until whitelist strategy is defined


Benjamin Smedberg [:bsmedberg] 2013-11-20 11:04:06 PST
For Fx26 and probably 27, we have decided to hold off turning on click-to-activate for all plugins. This will give Chad Weiner a chance to define a whitelisting strategy for plugin vendors who are making a transition to HTML5 technologies but need additional time to complete that transition. So for now, we're going to flip the plugin default state to activated, and explicitly change Java to be click-to-activate.
RootsofUnity

Hello! I decided to register as a contributor specifically to help with this article.

I believe this link should be included in a "this didn't work try this" section for this article http://kb.mozillazine.org/Java#If_the_Java_plugin_does_not_appear_in_the_Add-ons_Manager_even_though...

However, as I'm new and haven't edited anything before, I thought I'd create a thread making sure this inclusion was ok.

here's the steps of how I came to find the correct answer:

0. I was setting up an account for the community college I was recently admitted to. Their own system ran a test to see if java was installed (as it's apparently needed, what year is this?) I find this article by going to the firefox button > help > help;

using the page's built in search box (top right) search 'java in firefox 26' (as i've heard something about it being disabled)

this help article is the first result I click on it and follow the steps, and notice i'm not even getting the click-to-play notice (using java.com's Do I have java? link

1. I search google with: how to enable java in firefox 26

get a bunch of non-related stuff about enabling javascript

so change the query to: how to enable java in firefox 26 -javascript

and find this helpful thread as the first result link

2. Alice over on mozillazine linked to the page detailing 'java in firefox 26' I was originally trying to find. link

3. I enable through java's control panel 'java for mozilla browsers' and the rest is history!

3 I mixed up my documents (I fixed this for both my 32-bit netbook and 64-bit PC). (I keep a log of my troubleshooting adventures.) My actual solution was to download 32-bit java for 32-bit firefox on my 64-bit PC. The kb article at mozillazine could also be updated a bit to reflect that; as I had previously downloaded 64-bit java for my 64-bit PC for indie games. Of course 32-bit firefox wouldn't use 64-bit java!

So with all that being said; Would it be fine to put a link to that specific heading over at mozillazine? or is there some wiki rivalry I don't know about. And why does mozillazine's wiki/forum system seem to be so separate from the rest of the support system? Are the two even related? And why is this font so beautiful?!

Cheers!

~RootsofUnity

RootsofUnity said

I believe this link should be included in a "this didn't work try this" section for this article http://kb.mozillazine.org/Java#If_the_Java_plugin_does_not_appear_in_the_Add-ons_Manager_even_though...
<snip>
so change the query to: how to enable java in firefox 26 -javascript and find this helpful thread as the first result link

2. Alice over on mozillazine linked to the page detailing 'java in firefox 26' I was originally trying to find. link 3. I enable through java's control panel 'java for mozilla browsers' and the rest is history! So with all that being said; Would it be fine to put a link to that specific heading over at mozillazine? or is there some wiki rivalry I don't know about. And why does mozillazine's wiki/forum system seem to be so separate from the rest of the support system? Are the two even related? And why is this font so beautiful?! Cheers! ~RootsofUnity

I'm the same Alice who posted a reply in this MozillaZine forum thread (I also worked on MozillaZine's Java KB article) . Many of the original SUMO (SUpport.MOzilla) articles were based on those from the MozillaZine KB. For some background, see http://forums.mozillazine.org/viewtopic.php?f=11&t=619401

Anyway, I agree that the content included in http://kb.mozillazine.org/Java#If_the_Java_plugin_does_not_appear_in_the_Add-ons_Manager_even_though... should be added to a SUMO KB article on Java issues but I think it belongs under the "Troubleshooting" section of the Use the Java plugin to view interactive content on websites article.

We should also add a link to the Use the Java plugin to view interactive content on websites article in this article, probably in the Intro, for users who need more help with Java.

I'll see if I can get to it when I have the time. You (or anyone else) could also try making the revision if you feel up to it.

RootsofUnity said

3. I enable through java's control panel 'java for mozilla browsers' and the rest is history!

3 I mixed up my documents (I fixed this for both my 32-bit netbook and 64-bit PC). (I keep a log of my troubleshooting adventures.) My actual solution was to download 32-bit java for 32-bit firefox on my 64-bit PC. The kb article at mozillazine could also be updated a bit to reflect that; as I had previously downloaded 64-bit java for my 64-bit PC for indie games. Of course 32-bit firefox wouldn't use 64-bit java!

I've updated http://kb.mozillazine.org/Java#If_the_Java_plugin_does_not_appear_in_the_Add-ons_Manager_even_though... to add the following:


I've also added a thread to the Use the Java plugin to view interactive content on websites article discussion:

Thanks for posting this and for updating the information.

RootsofUnity

Thanks for keeping me posted Alice!

I'll eventually get around to making some minor edits of my own (once I figure out wikitext and whatnot :P )

I agree that a link should be included in the beginning of how to enable java if its been blocked article that points to the general overview of java here on SUMO (use the java plugin to view interactive content)

I appreciate the links regarding copyright between mozillazine and SUMO. I noticed that SUMO's article on java is attributed the way mozillazine wants. And this further backs up putting in a link to 'use the java plugin to view interactive content' in the beginning of this article. (as the attribution side of the problem is already taken care of)

I'll probably get around to submitting an edit in the next few days.

RootsofUnity said

I'll probably get around to submitting an edit in the next few days.

That would be great. Only thing, when you're ready to make an edit, check the article History to see what other revisions may be pending. Those would need to be reviewed or incorporated into any new edit.

Thanks again.

RootsofUnity

I really appreciate you updating all those articles; and for including that link at the top of the article.

I'm going to learn wikitext in my freetime; thanks to this little experience. :)

Any thoughts on renaming this article from "How to enable Java if it's been blocked" to something like "How to allow Java to run on trusted sites"?

Starting in Firefox 26, all versions of Java are "Click to Play", meaning the default action for the Java plugin in the Add-ons Manager Plugins list is now "Ask to Activate" instead of "Always Activate", even for the current Java version, as shown in this screenshot for Java(TM) Platform SE 7 U51. However, you can change the default action to "Always Activate", at least for the latest version of the plugin.

In other words, even Java plugins that are not outdated or vulnerable will need to be activated, unless the default action is changed to "Always Activate" in the Add-ons Manager. We currently link to this article from Use the Java plugin to view interactive content on websites which I've updated to try to take that into account, but we really need new screenshots to allow for the fact that ALL Java versions are now click-to-play by default. I also have a pending edit to that article to explain the new "Enable" options.

Eventually, all plugins (except for Flash) will need to be activated by default, not just outdated plugins, but that should be covered in Why do I have to click to activate plugins?. AFAIK Plugins that are actually CTP blocked, for example, the CTP blocked Java Deployment Toolkit plugin, only include two options, "Ask to Activate" and "Never Activate", as shown in this screenshot.

Anyway, here is what I see in Windows 7 when I go to the Java test page at http://www.java.com/en/download/help/testvm.jsp and click the "Verify Java Version" button, then click on the "Activate Java" block:

[[Image:Fx26Win7-AllowJava]]
Fx26Win7-AllowJava

More info:
Copied from my Dec 10, 2013 post in /kb/how-to-enable-java-if-its-been-bl.../5067 [Fx26] Java will be CTP by default (was: Status of CTP block for current Java versions)

AliceWyman said

The Firefox 26 release notes at http://www.mozilla.org/firefox/26.0/releasenotes/ now say this:
Quote: All Java plug-ins are defaulted to 'click to play'

Reason for limiting click to play to Java by default given in Bug 941137 - Alter plugin defaults for beta/release until whitelist strategy is defined
Benjamin Smedberg [:bsmedberg] 2013-11-20 11:04:06 PST
For Fx26 and probably 27, we have decided to hold off turning on click-to-activate for all plugins. This will give Chad Weiner a chance to define a whitelisting strategy for plugin vendors who are making a transition to HTML5 technologies but need additional time to complete that transition. So for now, we're going to flip the plugin default state to activated, and explicitly change Java to be click-to-activate.

Copied from my Dec 10, 2013 post in /forums/contributors/709827 Firefox 26 Release / Issues / Status

AliceWyman said

Tyler Downer said
Desktop
  • CTP. All versions of Java are going to be click to play blocked in this version of Firefox. This version of the blocklist should e better than when we attempted it a few weeks ago now that we've had some time to tweak the UI. Of course this is still going to be a major change and lots of users will be impacted, but hopefully the UI for the blocklist will do a better job of informing the user.

Click-to-play by default is still coming for all plugins but the decision was made to limit the CTP block to Java, for now. Ref:

  • Bug 941137 - Alter plugin defaults for beta/release until whitelist strategy is defined

Related KB article and canned response (need tweaking?):

Since this article is currently titled "How to enable Java if it's been blocked", maybe we should add more information about Java security blocks?

Here is what I recently added to MozillaZine's Java article, http://kb.mozillazine.org/Java#Java_security_prompts


If you see an "Application Blocked" dialog with a message such as Your security settings have blocked an untrusted application from running, then Java has blocked the content for security reasons. Starting in Java 7 Update 51, Java applications and applets with certificates from an untrusted source (self-signed) and those with no certificate or missing application Name and Publisher information (unsigned), are blocked by default. Sites that would normally be blocked based on your Java Security settings can be added to the Exception Site list via the Java Control Panel, as explained here and in the Java Help page How can I configure the Exception Site List?. The Java Help page Why are Java applications blocked by your security settings with the latest Java? includes steps to Add URLs to the Exception Site list and mentions some common Java applications that are now blocked. For more information and screenshots, see this wiki.albany.edu article and this wordpress article.


Related support forum threads:

Related discussion:

Copied from my post today in the above thread:


These Java test pages are from the "Testing Java" section of the Use the Java plugin to view interactive content on websites article.

These pages now show an "Application Blocked" error in Java 7 Update 51 after activating Java. Here's the error for "BrowserSpy": BrowserSpyJavaAppBlocked

I didn't want people getting an "Application Blocked" Java error when using these test links so I removed them from the Use the Java plugin to view interactive content on websites article and approved my revision. That leaves only the Java test page at java.com for testing Java.


I added more information to the "Java security prompts" section based on the above and approved my revision.

I renamed this article "How to allow Java on trusted sites".

Coce

Hi, this article still contains information on Firefox 23 and older ({for not fx24}), although this version is no longer selectable from the version picker. I therefore suggest to remove this section.

– Michael (Coce)

Hello, i think we don't yet dropping support for firefox 23 and earlier !

thanks

The #control%20panel part in http://www.java.com/en/download/help/jcp_security.xml#control%20panel seems to do nothing.

scootergrisen said

The #control%20panel part in http://www.java.com/en/download/help/jcp_security.xml#control%20panel seems to do nothing.

Thanks for noticing that. I removed the "Java Control Panel" hypertext link to that page and added it , along with links to the other Java Help pages, to the end of the section.

This came up in the support forum