Closed Bug 1263630 Opened 4 years ago Closed 4 years ago

Remove all plugins (except Flash) from the click-to-activate whitelist

Categories

(Core :: Plug-ins, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla48
Tracking Status
firefox46 --- wontfix
firefox47 --- fixed
firefox48 --- fixed
relnote-firefox --- 47+

People

(Reporter: benjamin, Assigned: benjamin)

References

Details

(Keywords: dev-doc-complete, site-compat)

Attachments

(1 file)

The plugin click-to-activate whitelist has expired, and we will not be renewing it. This bug tracks remove all plugins except for Flash from the whitelist. This means that they will revert to the default click-to-activate behavior.
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm

https://reviewboard.mozilla.org/r/45481/#review42071

That's a lot of plugins, is product ok with this?
Attachment #8740000 - Flags: review?(jmathies) → review+
s/Bujg/Bug/ in commit message
I am functioning as plugins product manager for the time being. I've discussed this with Javaun, and I've also reached out to every plugin vendor who was on the whitelist.
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm

Approval Request Comment
[Feature/regressing bug #]: Removal of whitelist
[User impact if declined]: Increased exposure to plugin exploits and less data for us about which plugins are still being used in preparation for the end-of-2016 plugin deprecation plan.

[Describe test coverage new/current, TreeHerder]: straight pref removal: no additional tests done at this time
[Risks and why]: this could affect minorities of users who use these plugins, but they should be able to use manual activation still. Many of these plugins are no longer used/relevant.
[String/UUID change made/needed]: none
Attachment #8740000 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/b2bc8ace9ca2
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
I want this to bake in Nightly for a couple of days before uplifting to Aurora.
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm

Needed in preparation for plugin block experiment, baked on Nightly for a bit, Aurora47+
Attachment #8740000 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
This may also require a follow-up post on the Security Blog as well as a relnote bullet point to remind people about the NPAPI deprecation.
relnote-firefox: --- → ?
We should make this part of Firefox 47 release notes. Suggested wording: `The Firefox <a href="https://blog.mozilla.org/futurereleases/2013/09/24/plugin-activation-in-firefox/">click-to-activate plugin whitelist</a> has been removed.`

We do not plan on an additional blog post at this time.
Added to Fx47 beta release notes.
Benjamin pointed to me that it will be Fx 47 (as it was obvious from comment 14 :-(, so my bad).
Fixed
https://developer.mozilla.org/en-US/Firefox/Releases/47#Security
(and removed elsewhere)

Thanks for the good catch!
You need to log in before you can comment on or make changes to this bug.