How to enable Click-to-Play in Adobe Flash

One of the best ways to protect yourself against criminals exploiting vulnerabilities in Adobe Flash is to enable "Click to Play".

Click-to-Play prevents Flash elements from being rendered in your browser unless you give specific permission by (you guessed it) clicking.

Flash blocked in Chrome

Enabling Click-to-Play for Flash in Internet Explorer

Click the gear icon on Internet Explorer’s toolbar and select Manage Add-ons.

Select Toolbars and Extensions, and choose Show All add-ons. Locate the Shockwave Flash Object plugin under Adobe Systems Incorporated. Double-click on it, and then click Remove All Sites to remove the default * (which allows all websites to run Flash).

Enabling Click-to-Play for Flash in Firefox

The simplest method is to install the Flashblock add-on.

Alternatively, Type about:addons in your browser bar (where you normally type in website addresses). Press <return>. Click on Plugins. Find "Shockwave Flash" in the light of plugins, and choose Ask to Activate in the dropdown box.

Enable Click to Play for Flash in Firefox

Enabling Click-to-Play for Flash in Opera

Click the Opera menu button, choose Settings, and select Websites. Enable the Click to play option under Plug-ins.

Opera Flash Click to Play

Enabling Click-to-Play for Flash in Safari

Your first option is to install a Safari extension.

Mac expert Kirk McElhearn recommends the ClickToPlugin extension which blocks Flash and other media plugins from running until granted permission.

If, however, you prefer to only block Flash, try its sister extension the imaginatively-named ClickToFlash.

Alternatively, for a solution which involves no extensions, go to the Preferences pane in Safari, and select the Security icon. Manage Website Settings to the right of Internet plug-ins.

Safari Click to Play

Select the Flash plugin from the list, click the When visiting other websites box, and select Ask.

Safari Click to Play for Flash

Enabling Click-to-Play for Flash in Google Chrome

Click Chrome’s menu button and select Settings to open the Settings page. Click Show advanced settings, click Content settings under Privacy, scroll down to Plug-ins, and select Let me choose when to run plug-in content.

chrome setting

Please note that you need to check the plugins page (chrome://plugins) to make sure no plugins are configured to run automatically. Read Michael Horowitz's excellent article for ComputerWorld for more details of this.

Of course, it goes without saying, that when Adobe does release a fixed version of Flash be sure to install it at your earliest opportunity. (And make sure you get it from Adobe's own website, rather than scammers who might be trying to fool you into thinking you're downloading the real deal)

Stay safe folks.

Tags: , , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , ,

4 Responses

  1. Bob

    June 30, 2015 at 10:52 am #

    I've had this enabled for ages.

    Not only does it enhance privacy and security but it also stops those pesky flash adverts that start playing as soon as you load a webpage. I can now enable only the content I want to watch without being distracted by the periphery.

  2. Philip Le Riche

    July 1, 2015 at 3:50 pm #

    I've done this, but I get a Flash click-to-run prompt on video clips on the BBC News website. Yet these play just fine on my iPod Touch. Since Apple has eschewed Flash, this presumably means that the Beeb is offering both Flash and HTML5 versions, and I could still play them on my PC if I uninstalled Flash. But I might need it on other sites.

    Is there a way to tell my browser to prefer an HTML5 version if available and only give the click-to-run prompt if it's Flash or nothing? Or should we be lobbying the Beeb to preferentially offer HTML5?

  3. SteveP

    March 16, 2016 at 10:29 am #

    Must be that Chrome for OS-X is configured quite differently, as the screenshots provided bear no resemblance to my Chrome Settings screen. Version 49.0.2623.87 (64-bit)

  4. Sandy

    April 9, 2016 at 5:09 pm #

    Thanks for this info. I hate those awful start-on-page-opening ads and am so glad to know they can be stopped. In following these instructions, however, I found this statement on all my plugins:

    "Plugin Name" does not support the highest level of security for Safari plug-ins. Websites using this plug-in may be able to access your personal documents and data."

    What does that mean and how do I protect my privacy from them?

    Thanks, all.

Leave a Reply