(In reply to Tom Ritter [:tjr] from comment #6) > Harder to evaluate without permalinks in the first comment :) Oops. Sorry for lack of permalink. But yes, your analysis is correct here, this looks fixed to me. The issue of was the arbitrary permission string which is now replaced by selection from an allowlist in [PluginParent.jsm#540](https://searchfox.org/mozilla-central/rev/38c88cbf4be87dfa0636d15a5d3599a8ea0d1a72/browser/actors/PluginParent.jsm#540) * * link now containing 100% more perma. I originally just tested this by modifying the permission name in the Browser Toolbox. Its completely changed now so my PoC code obviously no longer works. But to verify i did confirm that we are only sending limited data from child to parent now. The parent only receives data like: ``` { "plugin": { "id": 0, "fallbackType": 8 }, "showNow": true } ``` For posterity, the original code should have permalinked in the first comment was [here](https://searchfox.org/mozilla-central/rev/68ac43af8f846949e46d80d62db1758344c36df6/browser/base/content/browser-plugins.js#46). IE the part where we take the permssion string from the msg.data object.
Bug 1562582 Comment 7 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Tom Ritter [:tjr] from comment #6) > Harder to evaluate without permalinks in the first comment :) Oops. Sorry for lack of permalink. But yes, your analysis is correct here, this looks fixed to me. The issue of was the arbitrary permission string which is now replaced by selection from an allowlist in [PluginParent.jsm#540](https://searchfox.org/mozilla-central/rev/38c88cbf4be87dfa0636d15a5d3599a8ea0d1a72/browser/actors/PluginParent.jsm#540) I originally just tested this by modifying the permission name in the Browser Toolbox. Its completely changed now so my PoC code obviously no longer works. But to verify i did confirm that we are only sending limited data from child to parent now. The parent only receives data like: ``` { "plugin": { "id": 0, "fallbackType": 8 }, "showNow": true } ``` For posterity, the original code should have permalinked in the first comment was [here](https://searchfox.org/mozilla-central/rev/68ac43af8f846949e46d80d62db1758344c36df6/browser/base/content/browser-plugins.js#46). IE the part where we take the permssion string from the msg.data object.