This works only for outdated Java versions that are known to be vulnerable (they're blacklisted by Mozilla version-by-version).

If you happen to have the newest Java version which hasn't been publicly announced as exploitable, it will not be blocked unless you enable `plugins.click_to_play` in `about:config`.

Anyway it's still a very good move from Mozilla side to minimize the risks.

That's too bad, I was hoping they had made all Java plugins "click to play" or whitelist only.

Firefox also has the feature that will block Flash and the other plugins if an update has been released, which is also good

IMO all browsers should implement 'click to run' by default for all plugins on all sites