All users were logged out of Bugzilla on October 13th, 2018

Google docs trigger Flash activation even though they don't use Flash

NEW
Unassigned

Status

()

P3
normal
2 years ago
2 years ago

People

(Reporter: benjamin, Unassigned)

Tracking

unspecified
Points:
---

Firefox Tracking Flags

(platform-rel -)

Details

(Whiteboard: [platform-rel-Google][platform-rel-GoogleDocs])

(Reporter)

Description

2 years ago
STR:
* Mark Flash as ask-to-activate in the addon manager
* Edit a google doc.

ACTUAL:
* The plugin icon is shown in the Firefox location bar.
* Opening the dialog shows: "Allow https://docs.google.com to run "Adobe Flash"? [Allow Now] [Allow and Remember]
* When I choose "Allow Now", the page reloads
* After the page finishes loading, the plugin icon shows in the location bar again, with the same "Allow...?" question

EXPECTED:
* Google docs doesn't use Flash. We shouldn't prompt users to enable it, and we definitely shouldn't end up in a UI loop where the UI is inaccurate but can't be dismissed.
(Reporter)

Updated

2 years ago
Priority: -- → P3
platform-rel: --- → ?
Whiteboard: [platform-rel-Google][platform-rel-GoogleDocs]

Updated

2 years ago
platform-rel: ? → -
I believe this is popping up due to this snippet of JS in Google:

    ...
    var a = window.navigator.plugins["Shockwave Flash"];
    ...

Hard to figure out exactly what it's trying to achieve due to the minification, but it seems to be in a block of code that's collecting versions of various things. Here's a nearby block that seems to be grabbing your browser info:

    _.cf = function() {
        if (_.rb) return bf(/Firefox\/([0-9.]+)/);
        if (_.B || _.Wa || _.Va) return _.mb;
        if (_.vb) return bf(/Chrome\/([0-9.]+)/);
        if (_.wb && !_.Ra()) return bf(/Version\/([0-9.]+)/);
        if (_.sb || _.tb) {
            var a = /Version\/(\S+).*Mobile\/(\S+)/.exec(_.Ma);
            if (a) return a[1] + "." + a[2]
        } else if (_.ub) return (a = bf(/Android\s+([0-9.]+)/)) ? a : bf(/Version\/([0-9.]+)/);
        return ""
    }();

Is this just trying to do some kind of analytics / fingerprinting? I can't seem to find the results of it in the network traffic, though it is similarly opaque. It definitely doesn't seem to be actually trying to use Flash. This seems to just be an unfortunate consequence of displaying the CTP notification when sites query for Flash by name, since that doesn't necessarily mean they want to do something meaningful to the user with the result. Thoughts?
Also of note though is that I'm unable to reproduce the UI loop. Clicking "Allow Now" once seems to resolve the issue. Is there something I'm missing or was part of this fixed as a consequence of an unrelated change?
Flags: needinfo?(benjamin)
Blocks: 1317856
(Reporter)

Comment 3

2 years ago
I can still see this, and I believe it may be the same cause as bug 1312091 where cross-origin subframes are still hiding Flash from navigator.plugins even when they shouldn't be.

This doesn't block click-to-play in general because it's caused by 1186948 which is nightly-only and probably not something we're going to ship.
No longer blocks: 1317856
Flags: needinfo?(benjamin)
You need to log in before you can comment on or make changes to this bug.