"Click to play" is actually "Clickjack to play"
riking
On the heels of the most recent Flash player vulnerability, which seems to exclude Chrome just because they didn't have a sandbox break to spend...
It turns out that Chrome's click to play doesn't actually secure you against Flash running.
Proof of Concept (redirects you to Adobe flash test): http://kitsu.ru/click-to-play-override-iframe.html
Turns out that "Block" gives you what you wanted when you chose "click to play" - you can right-click a blocked plugin frame and choose to run it.
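The proof of concept works by loading the target page inside an `<iframe>` on the attacker's page, so a site-side mitigation is to refuse framing: a page sent with `X-Frame-Options: DENY` or a CSP `frame-ancestors` directive cannot be embedded, and the overlay trick has nothing to cover. The following is an added example, not code from this thread or from Chrome/Adobe: a small audit helper that classifies an HTTP response's framing policy from its headers. The header sets in `SAMPLE_RESPONSES` are constructed for illustration.

```python
"""Classify a response's anti-framing policy from its HTTP headers.

Added example (not from the forum thread). A page that forbids framing
cannot be loaded in an attacker's <iframe>, which is the setup the
clickjacking proof of concept above depends on. Sample headers below are
constructed.
"""


def _header(headers, name):
    # HTTP header names are case-insensitive, so match them that way.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Strip the quotes around keywords such as 'self' and 'none'.
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Classify the policy as 'deny', 'sameorigin', 'restricted' or 'unprotected'.

    When both headers are present, browsers apply CSP frame-ancestors and
    ignore X-Frame-Options, so frame-ancestors is checked first.
    """
    ancestors = csp_frame_ancestors(_header(headers, "Content-Security-Policy"))
    if ancestors is not None:
        if ancestors == ["none"]:
            return "deny"
        if ancestors == ["self"]:
            return "sameorigin"
        if "*" in ancestors:
            return "unprotected"
        return "restricted"  # framing limited to the listed origins
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    # No header, or the obsolete ALLOW-FROM form that current browsers ignore.
    return "unprotected"


# Constructed sample responses (hypothetical names, not real sites).
SAMPLE_RESPONSES = {
    "plugin-test-page": {"Content-Type": "text/html"},
    "hardened-xfo": {"X-Frame-Options": "DENY"},
    "hardened-csp": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "partner-allowed": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Map each sample response name to its framing policy verdict."""
    return {name: framing_policy(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18} {verdict}")
```

Only `deny` or `sameorigin` (or `restricted` to origins you control) stops a third-party page from framing yours; an absent header, a wildcard `frame-ancestors *`, or the obsolete `ALLOW-FROM` form leaves the page embeddable.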
Ragnax
For some added irony: Adobe added a bit of protection to Flash years ago that was meant to prevent certain actions (such as file I/O) unless explicitly initiated via user interaction.