Closed Bug 1263630 Opened 8 years ago Closed 8 years ago

Remove all plugins (except Flash) from the click-to-activate whitelist

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox46 wontfix, firefox47 fixed, firefox48 fixed, relnote-firefox 47+)

Status:
RESOLVED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox46 --- wontfix
firefox47 --- fixed
firefox48 --- fixed
relnote-firefox --- 47+

People

(Reporter: benjamin, Assigned: benjamin)

References

Details

(Keywords: dev-doc-complete, site-compat)

Attachments

(1 file)

MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm
58 bytes, text/x-review-board-request
jimm
: review+
ritu
: approval-mozilla-aurora+
Details 
The plugin click-to-activate whitelist has expired, and we will not be renewing it. This bug tracks remove all plugins except for Flash from the whitelist. This means that they will revert to the default click-to-activate behavior.
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm

https://reviewboard.mozilla.org/r/45481/#review42071

That's a lot of plugins, is product ok with this?
Attachment #8740000 - Flags: review?(jmathies) → review+
s/Bujg/Bug/ in commit message
I am functioning as plugins product manager for the time being. I've discussed this with Javaun, and I've also reached out to every plugin vendor who was on the whitelist.
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm

Approval Request Comment
[Feature/regressing bug #]: Removal of whitelist
[User impact if declined]: Increased exposure to plugin exploits and less data for us about which plugins are still being used in preparation for the end-of-2016 plugin deprecation plan.

[Describe test coverage new/current, TreeHerder]: straight pref removal: no additional tests done at this time
[Risks and why]: this could affect minorities of users who use these plugins, but they should be able to use manual activation still. Many of these plugins are no longer used/relevant.
[String/UUID change made/needed]: none
Attachment #8740000 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/b2bc8ace9ca2
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
I want this to bake in Nightly for a couple of days before uplifting to Aurora.
Comment on attachment 8740000 [details]
MozReview Request: Bujg 1263630 - Remove everything except Flash from the click-to-activate whitelist, r?jimm

Needed in preparation for plugin block experiment, baked on Nightly for a bit, Aurora47+
Attachment #8740000 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
This may also require a follow-up post on the Security Blog as well as a relnote bullet point to remind people about the NPAPI deprecation.
relnote-firefox: --- → ?
We should make this part of Firefox 47 release notes. Suggested wording: `The Firefox <a href="https://blog.mozilla.org/futurereleases/2013/09/24/plugin-activation-in-firefox/">click-to-activate plugin whitelist</a> has been removed.`

We do not plan on an additional blog post at this time.
Benjamin pointed to me that it will be Fx 47 (as it was obvious from comment 14 :-(, so my bad).
Fixed
https://developer.mozilla.org/en-US/Firefox/Releases/47#Security
(and removed elsewhere)

Thanks for the good catch!
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: