"Click to play" is actually "Clickjack to play"
-
On the heels of the most recent Flash player vulnerability, which seems to exclude Chrome just because they didn't have a sandbox break to spend...
It turns out that Chrome's click to play doesn't actually secure you against Flash running.
Bug: https://code.google.com/p/chromium/issues/detail?id=174963
Proof of Concept (redirects you to Adobe flash test): http://kitsu.ru/click-to-play-override-iframe.htmlTurns out that "Block" gives you what you wanted when you chose "click to play" - you can right click a blocked plugin frame and choose to run it.
-
For some added irony: Adobe added a bit of protection to Flash years ago that was meant to prevent certain actions (such as file I/O) unless explicitly initiated via user interaction.