Closed Bug 755554 Opened 12 years ago Closed 12 years ago

Only enable flash within the desktop runtime, all other plugins should not be allowed to run

Categories

(Firefox Graveyard :: Webapp Runtime, enhancement, P1)

Product:
Firefox Graveyard
Component:
Webapp Runtime
Type:
enhancement

Tracking

(blocking-kilimanjaro:+, firefox16-)

Status:
VERIFIED FIXED
Milestone:
Firefox 16
Project Flags:
blocking-kilimanjaro +
Tracking Flags:
Tracking Status
firefox16 - ---

People

(Reporter: jsmith, Assigned: myk)

References

Details

(Keywords: dev-doc-needed, Whiteboard: [blocking-webrtdesktop1+], [qa!])

Attachments

(1 file)

patch v1: specifies allowed types
344 bytes, patch
Felipe
: review+
myk
: checkin+
Details | Diff | Splinter Review 
Configure the underlying gecko core within the desktop web runtime to only allow versions of flash to run within the desktop web runtime. All other plugins should not be allowed to run. Depends on the underlying core implementation in bug 755551.
Depends on: 755551
Component: Desktop Runtime → Webapp Runtime
Product: Web Apps → Firefox
blocking-kilimanjaro: --- → ?
blocking-kilimanjaro: ? → +
Priority: -- → P1
Whiteboard: [blocking-webrtdesktop1+]
Target Milestone: --- → Firefox 15
John: any chance you can tackle this plugin issue too?  It doesn't seem like there's a way for the runtime xulapp to do this; it seems like it would need support from the platform to make it happen.
I'm working on 755551 now, which I suspect will make this a simple pref change for webrt
Assignee: nobody → jschoenick
Blocks: 763783
Target Milestone: Firefox 15 → Firefox 16
John is going to look into this in the next week or two and it shouldn't be too involved.  A patch during the 16 cycle is likely.
tracking-firefox16: --- → ?
QA Contact: desktop-runtime → jsmith
Once the blocking bug is fixed, this is a simple pref change that I can make.
Assignee: jschoenick → myk
Status: NEW → ASSIGNED
A few things I noticed

Current versions of flash appear to claim both application/x-shockwave-flash (.swf) and application/futuresplash (.spl) which is a very legacy mimetype for flash, but I don't see harm in whitelisting both

Additionally, we need to make sure that the plugin finder service doesn't inject any messages for missing plugins that are not whitelisted, and decide if we even want it to offer to install flash in webrt contexts
This should be sufficient.  I'm not sure how to test it, though.  Is there an app that uses another plugin?  Or perhaps a simple way to embed content handled by another common plugin (like Quicktime or Java)?
(In reply to Myk Melez [:myk] [@mykmelez] from comment #6)
> Created attachment 641136 [details] [diff] [review]
> patch v1: specifies allowed types
> 
> This should be sufficient.  I'm not sure how to test it, though.  Is there
> an app that uses another plugin?  Or perhaps a simple way to embed content
> handled by another common plugin (like Quicktime or Java)?

Still digging for a specific app. For now, you could have your mykzilla app point to here - http://mainline.brynmawr.edu/Courses/cs110/spring2002/Applets/Examples.html and test that each java applet does not come up in the runtime. For testing a flash-based app, install the Mozilla QA WebRT Tester on apps.mozillalabs.com/appdir and see if you can view the swf files in firefox --> plugins --> flash.
Comment on attachment 641136 [details] [diff] [review]
patch v1: specifies allowed types

I'm having trouble cooking up an automated test for this, but I can confirm that it works in my manual testing.  I added a link to a page with Java applets to my Mykzilla test app:

http://mykzilla.org/app/

Click on the "Java applets" link, then click on an applet (f.e. the Smiley applet) with the Java plugin enabled on your computer.  When you do so in the browser, the Java applet runs, as it does in the runtime without this patch applied.  With this patch applied, however, the runtime displays the "missing plugin" icon with the message "A plugin is needed to display this content."


(In reply to John Schoenick [:johns] from comment #5)
> Additionally, we need to make sure that the plugin finder service doesn't
> inject any messages for missing plugins that are not whitelisted, and decide
> if we even want it to offer to install flash in webrt contexts

I'm not sure if it's the plugin finder service, but some code is injecting the "missing plugin" message.  It does not, however, offer to find the user an appropriate plugin.  The message could be better, but optimizing the message doesn't seem like a blocker, so let's deal with it in a followup bug.
Attachment #641136 - Flags: review?(felipc)
Attachment #641136 - Flags: review?(felipc) → review+
Whiteboard: [blocking-webrtdesktop1+] → [blocking-webrtdesktop1+], [qa+]
https://hg.mozilla.org/mozilla-central/rev/741b4ebd050f
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
What's the followup bug#? Displaying the missing plugin placeholder is definitely incorrect in this case: we should be displaying fallback content if there is any, and displaying nothing (probably treating the object as display:none) if there is no fallback content.
Blocks: 773685
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #11)
> What's the followup bug#? Displaying the missing plugin placeholder is
> definitely incorrect in this case: we should be displaying fallback content
> if there is any, and displaying nothing (probably treating the object as
> display:none) if there is no fallback content.

Indeed.  I filed followup bug 773685 on displaying the fallback content or nothing for unsupported plugins.
Flagging dev-doc-needed. I have a strong hunch we'll be asked this question for development of HTML 5 apps, so let's get this on MDN somewhere.
Keywords: dev-doc-needed
Verified on Win 7, OS X 10.7, Ubuntu 12.
Status: RESOLVED → VERIFIED
Whiteboard: [blocking-webrtdesktop1+], [qa+] → [blocking-webrtdesktop1+], [qa!]
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: