I'm sometimes asked twice if I want to allow a plugin.

RESOLVED WONTFIX

Status

()

Core
Plug-ins
RESOLVED WONTFIX
3 years ago
3 years ago

People

(Reporter: Johan C, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
STR:
1. Install Adobe Flash.
2. Set Adobe Flash to "Ask to active".
3. http://www.techtimes.com/articles/15002/20140906/intel-core-m-chip-unveiled-say-hello-to-thin-fanless-hybrid-notebooks.htm
4. Click to allow Flash when prompted.

Actual result:
First the notification bar asks me:
> 'Allow www.techtimes.com" to run "Adobe Flash"?'
Upon pressing "Allow..." the "Site Identity" popup asks me the same question, this time offering "Allow Now" and "Allow and Remember".

Expected result:
Asking me once is enough, why is the notification bar necessary if the site identity popup is shown immediately after allowing the plugin?

Comment 1

3 years ago
This is by design. The notification bar is only shown if the in-content plugin is covered or too small to show the information directly. We want there always to be two clicks involved in activating the plugin, for various reasons including being able to show the full text and to avoid various clickjacking attacks.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 2

3 years ago
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> This is by design. The notification bar is only shown if the in-content
> plugin is covered or too small to show the information directly. We want
> there always to be two clicks involved in activating the plugin, for various
> reasons including being able to show the full text and to avoid various
> clickjacking attacks.

The notification bar is easy to imitate and it looks like "PopupNotifications.jsm" was introduced to help fight this (see bug 252257 comment 31). Why is this not enough in this case? A popup notification is already being used, and it shows the full text.

This seems like an unnecessary amount of protection, something other browsers don't seem to have a need for. Chrome for example can be set up to allow for enabling plugins for a single object with one click on said object.

If this level of protection is deemed acceptable in other browsers, why not in Firefox? Is something blocking this from happening in Firefox, and if so what? Will sandboxing help? Can this be reconsidered in the future?
Flags: needinfo?(benjamin)

Comment 3

3 years ago
I really don't want to get into the full design in this bug... there's a bunch of historical context in firefox-dev: see among others https://groups.google.com/forum/#!topic/firefox-dev/SAULsr3rNsE

We don't want to interrupt the user with a popup notification. We need a solution so that there is some visual affordance for a hidden/small plugin.

FWIW, when I load http://www.techtimes.com/articles/15002/20140906/intel-core-m-chip-unveiled-say-hello-to-thin-fanless-hybrid-notebooks.htm I don't get the notification bar, because there are several ads on the page which are large enough to be clickable.
Flags: needinfo?(benjamin)
(Reporter)

Comment 4

3 years ago
> We don't want to interrupt the user with a popup notification. We need a
> solution so that there is some visual affordance for a hidden/small plugin.
I may have explained it poorly, but this is why I filed the bug. A popup notification does interrupt me immediately after I've clicked "Allow..." in the notification bar. The popup notification prompts me to ""Allow Now" and "Allow and Remember".

> FWIW, when I load
> http://www.techtimes.com/articles/15002/20140906/intel-core-m-chip-unveiled-
> say-hello-to-thin-fanless-hybrid-notebooks.htm I don't get the notification
> bar, because there are several ads on the page which are large enough to be
> clickable.
Interesting, I've mirrored my environment (addons and plugins) in a new profile and I can't reproduce this there. I'll investigate further.
(Reporter)

Comment 5

3 years ago
> > FWIW, when I load
> > http://www.techtimes.com/articles/15002/20140906/intel-core-m-chip-unveiled-
> > say-hello-to-thin-fanless-hybrid-notebooks.htm I don't get the notification
> > bar, because there are several ads on the page which are large enough to be
> > clickable.
> Interesting, I've mirrored my environment (addons and plugins) in a new
> profile and I can't reproduce this there. I'll investigate further.
I've tried a number of combinations of add-ons enabled and can only reproduce this intermittently on the new profile, after clearing all cookies for "techtimes.com". O_o
Adblock Plus is a suspect at the moment, but I can't prove anything.

Comment 6

3 years ago
> I may have explained it poorly, but this is why I filed the bug. A popup
> notification does interrupt me immediately after I've clicked "Allow..." in
> the notification bar. The popup notification prompts me to ""Allow Now" and
> "Allow and Remember".

Yes, but this isn't an interruption because you requested it. We don't want to throw up unrequested notifications, especially because one of the use cases we're most worried about is compromised ad networks.
(Reporter)

Comment 7

3 years ago
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #6)
> > I may have explained it poorly, but this is why I filed the bug. A popup
> > notification does interrupt me immediately after I've clicked "Allow..." in
> > the notification bar. The popup notification prompts me to ""Allow Now" and
> > "Allow and Remember".
> 
> Yes, but this isn't an interruption because you requested it. We don't want
> to throw up unrequested notifications, especially because one of the use
> cases we're most worried about is compromised ad networks.

Ah, my bad. Sorry for wasting your time on this.
You need to log in before you can comment on or make changes to this bug.