Closed
Bug 1263630
Opened 9 years ago
Closed 9 years ago
Remove all plugins (except Flash) from the click-to-activate whitelist
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(firefox46 wontfix, firefox47 fixed, firefox48 fixed, relnote-firefox 47+)
RESOLVED
FIXED
mozilla48
People
(Reporter: benjamin, Assigned: benjamin)
References
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(1 file)
58 bytes,
text/x-review-board-request
|
jimm
:
review+
ritu
:
approval-mozilla-aurora+
|
Details |
The plugin click-to-activate whitelist has expired, and we will not be renewing it. This bug tracks remove all plugins except for Flash from the whitelist. This means that they will revert to the default click-to-activate behavior.
Assignee | ||
Comment 1•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/45481/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/45481/
Attachment #8740000 -
Flags: review?(jmathies)
Comment 2•9 years ago
|
||
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm
https://reviewboard.mozilla.org/r/45481/#review42071
That's a lot of plugins, is product ok with this?
Attachment #8740000 -
Flags: review?(jmathies) → review+
Updated•9 years ago
|
Comment 3•9 years ago
|
||
s/Bujg/Bug/ in commit message
Assignee | ||
Comment 5•9 years ago
|
||
I am functioning as plugins product manager for the time being. I've discussed this with Javaun, and I've also reached out to every plugin vendor who was on the whitelist.
Assignee | ||
Comment 6•9 years ago
|
||
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm
Approval Request Comment
[Feature/regressing bug #]: Removal of whitelist
[User impact if declined]: Increased exposure to plugin exploits and less data for us about which plugins are still being used in preparation for the end-of-2016 plugin deprecation plan.
[Describe test coverage new/current, TreeHerder]: straight pref removal: no additional tests done at this time
[Risks and why]: this could affect minorities of users who use these plugins, but they should be able to use manual activation still. Many of these plugins are no longer used/relevant.
[String/UUID change made/needed]: none
Attachment #8740000 -
Flags: approval-mozilla-aurora?
Comment 7•9 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
I want this to bake in Nightly for a couple of days before uplifting to Aurora.
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm
Needed in preparation for plugin block experiment, baked on Nightly for a bit, Aurora47+
Attachment #8740000 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 10•9 years ago
|
||
bugherder uplift |
Comment 11•9 years ago
|
||
Posted the site compatibility doc. MDN may also need a doc.
https://www.fxsitecompat.com/en-CA/docs/2016/all-plug-ins-other-than-flash-are-now-defaulted-to-click-to-activate/
Keywords: dev-doc-needed,
site-compat
Comment 12•9 years ago
|
||
This may also require a follow-up post on the Security Blog as well as a relnote bullet point to remind people about the NPAPI deprecation.
relnote-firefox:
--- → ?
Assignee | ||
Comment 13•9 years ago
|
||
We should make this part of Firefox 47 release notes. Suggested wording: `The Firefox <a href="https://blog.mozilla.org/futurereleases/2013/09/24/plugin-activation-in-firefox/">click-to-activate plugin whitelist</a> has been removed.`
We do not plan on an additional blog post at this time.
Added to Fx47 beta release notes.
Comment 15•8 years ago
|
||
Updated:
https://developer.mozilla.org/en-US/Add-ons/Plugins/Site_Author_Guide_for_Click-To-Activate_Plugins
and
https://developer.mozilla.org/en-US/Firefox/Releases/49#Security
Keywords: dev-doc-needed → dev-doc-complete
Comment 16•8 years ago
|
||
Benjamin pointed to me that it will be Fx 47 (as it was obvious from comment 14 :-(, so my bad).
Fixed
https://developer.mozilla.org/en-US/Firefox/Releases/47#Security
(and removed elsewhere)
Thanks for the good catch!
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•