Closed Bug 1433577 Opened 3 years ago Closed 3 years ago

[Mac] Enable sandboxing for the Flash NPAPI plugin process on Nightly

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

60 Branch
Unspecified
macOS
enhancement

Tracking


RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: haik, Assigned: haik, NeedInfo)

References

Details

Attachments

(2 files)

On Mac, Firefox runs the Flash plugin (specifically, the NPAPI version of Flash) in a separate process. This bug is to enable sandbox protections for the Flash plugin process. Sandboxing the plugin process may block some Flash functionality (for example, see bug 1429032 where Flash downloads and executes an installer), but given that Safari sandboxes NPAPI Flash by default it may be that only corner-case usage is affected. I expect we will have to provide an option (such as a pref) for users that depend on that functionality, as Safari does [1].

1. https://helpx.adobe.com/flash-player/kb/removing-sandbox-restrictions-your-safari.html
Assignee: nobody → haftandilian
Priority: -- → P1
See Also: → 1429032
Depends on: 1436566
It is likely we will want to allow a per-site opt-out of the sandbox for sites that depend on behavior that is blocked by the sandbox. The attached image is a mock-up of the UI for this. It requires the user to option-click or hold down the option key when choosing to allow the plugin to run.
Bug 1436566 landed the Flash sandbox disabled-by-default behind pref "security.sandbox.mac.flash.enabled". Read access to the home directory and /Volumes is blocked by the sandbox which prevents file pickers from working.

Known issues with the current implementation:
File dialogs for things like file uploads [1] are not usable.
Print to PDF or "Open in Preview" does not work.

1. Example: http://www.tinywebgallery.com/en/tfu/web_demo2.php
Comment on attachment 8951159 [details]
Proposed Flash Doorhanger Dialog for Unsafe Mode

Jeff, do you know who would be a good person to provide some feedback/help with the design of the Mac Flash sandbox opt-out? The attachment is my proposed UI. The Mac Flash sandbox is in development and just landed in a disabled state in 60.

For comparison, there's a link in the bug description for how this is done on Safari.
Attachment #8951159 - Flags: feedback?(jgriffiths)
Chris and Romain have been working on Flash issues most recently, and can arrange for UX review.
Flags: needinfo?(rtestard)
Flags: needinfo?(cpeterson)
Bram designed the Photon Flash click-to-activate UX (bug 1392979).

@ Bram, can you please review Haik's proposed UX for click-to-activating Flash content in a special mode that disables our plugin sandbox?

@ Haik, do you know of specific Flash content that is broken by your Mac NPAPI sandbox (besides Adobe Air bug 1429032, which we WONTFIX'd)? I am wondering whether implementing this Mac UX is actually necessary, since we apparently haven't needed this feature for the Win64 NPAPI sandbox used by almost 70% of our Windows Firefox users.
Flags: needinfo?(haftandilian)
Flags: needinfo?(cpeterson)
Flags: needinfo?(bram)
Version: 58 Branch → 60 Branch
I propose making the UI text a bit longer but more verbose, like so:

Do you want to allow Adobe Flash to run on this site in unsafe mode? Under this mode, it will be able to access your personal documents and data.

Only allow Adobe Flash on sites you trust.


I copied Safari’s wording verbatim, knowing that personal data is what our users care about. There’s some stuff about Flash getting access to device resources, IPC channels and escalated networking privileges, but the doorhanger isn’t the place to explain this.

NI Jacqueline – our principal privacy and security designer – for review and guidance.
Flags: needinfo?(bram) → needinfo?(jsavory)
(In reply to Chris Peterson [:cpeterson] from comment #5)
> @ Haik, do you know of specific Flash content that is broken by your Mac
> NPAPI sandbox (besides Adobe Air bug 1429032, which we WONTFIX'd)? I am
> wondering whether implementing this Mac UX is actually necessary, since we
> apparently haven't needed this feature for the Win64 NPAPI sandbox used by
> almost 70% of our Windows Firefox users.

@cpeterson, it's not final, but with the pref'd off implementation in Nightly now, file uploads are going to be broken (see example in comment 2) because the file dialog does not work. File downloads are also going to be broken, but I personally don't remember seeing Flash ever do that. Softvision is currently testing this version and so far no other issues have been found. The file upload issue exists because we block read access to the home directory and other locations (as does Safari). Breaking file upload applets is the main concern I have which I think warrants the per-site opt-out. I am considering adding back read access so that file uploaders would work and welcome feedback on that. And I'm investigating ways to get the file dialog to work while still blocking read access.

Another reference point is that with Chrome's sandboxing of the PPAPI plugin, it offers a run-time prompt UI to allow these types of things on a per-site basis.

I wanted to ping you to ask about usage stats on the Mac. Mainly I'm wondering if we have any data about Mac Flash usage or specific functionality or domains (I don't expect we could collect domains). Do you know if we have any relevant stats?
Flags: needinfo?(haftandilian) → needinfo?(cpeterson)
(In reply to Bram Pitoyo [:bram] from comment #6)
> I propose making the UI text a bit longer but more verbose, like so:
> 
> Do you want to allow Adobe Flash to run on this site in unsafe mode? Under
> this mode, it will be able to access your personal documents and data.
> 
> Only allow Adobe Flash on sites you trust.
> 
> 
> I copied Safari’s wording verbatim, knowing that personal data is what our
> users care about. There’s some stuff about Flash getting access to device
> resources, IPC channels and escalated networking privileges, but the
> doorhanger isn’t the place to explain this.
> 
> NI Jacqueline – our principal privacy and security designer – for review and
> guidance.

@bram, thanks for the feedback. Any thoughts on the option-click way to trigger the UI? Specifically accessibility-wise.
Flags: needinfo?(bram)
Comment on attachment 8951159 [details]
Proposed Flash Doorhanger Dialog for Unsafe Mode

You need UX review for this.
Attachment #8951159 - Flags: feedback?(jgriffiths)
(In reply to Haik Aftandilian [:haik] from comment #8)
> @bram, thanks for the feedback. Any thoughts on the option-click way to
> trigger the UI? Specifically accessibility-wise.

This unfortunately won’t be discoverable – and to my best recollection, we have no other option-click trigger in the Firefox UI. We can still build the keyboard shortcut, but it should be well-documented for everyday users and not replace the permission UI.
Flags: needinfo?(bram)
(In reply to Haik Aftandilian [:haik] from comment #7)
> Softvision is currently testing this version and so far no other issues have
> been found. The file upload issue exists because we block read access to the
> home directory and other locations (as does Safari). Breaking file upload
> applets is the main concern I have which I think warrants the per-site
> opt-out. I am considering adding back read access so that file uploaders
> would work and welcome feedback on that. And I'm investigating ways to get
> the file dialog to work while still blocking read access.

That's a good point. File uploaders are an interesting use case that we will want to make work.
 
> I wanted to ping you to ask about usage stats on the Mac. Mainly I'm
> wondering if we have any data about Mac Flash usage or specific
> functionality or domains (I don't expect we could collect domains). Do you
> know if we have any relevant stats?

@ Romain, can you run a Re:dash query comparing Flash usage for Mac vs Windows? I assume that would be the plugins_notification_shown and plugins_notification_user_action main_summary probes.
Flags: needinfo?(cpeterson)
See Also: → 1444291
See Also: → 1446525
See Also: → 1447570
(In reply to Chris Peterson [:cpeterson] from comment #11)
> (In reply to Haik Aftandilian [:haik] from comment #7)
> > Softvision is currently testing this version and so far no other issues have
> > been found. The file upload issue exists because we block read access to the
> > home directory and other locations (as does Safari). Breaking file upload
> > applets is the main concern I have which I think warrants the per-site
> > opt-out. I am considering adding back read access so that file uploaders
> > would work and welcome feedback on that. And I'm investigating ways to get
> > the file dialog to work while still blocking read access.
> 
> That's a good point. File uploaders are an interesting use case that we will
> want to make work.
>  
Haik, where did things end up on file uploader functionality?
> > I wanted to ping you to ask about usage stats on the Mac. Mainly I'm
> > wondering if we have any data about Mac Flash usage or specific
> > functionality or domains (I don't expect we could collect domains). Do you
> > know if we have any relevant stats?
> 
> @ Romain, can you run a Re:dash query comparing Flash usage for Mac vs
> Windows? I assume that would be the plugins_notification_shown and
> plugins_notification_user_action main_summary probes.
Apologies for the delay there; there were Redash issues when I initially looked at it, and then I forgot to progress.
Anyway, I get it now: https://sql.telemetry.mozilla.org/queries/52165/source#table (Darwin) and https://sql.telemetry.mozilla.org/queries/52168/source (Windows_NT)
In a single day 0.2% of all Mac users interact with the Flash C2A UI whereas 0.22% of Windows users interact (sample taken on Feb 1st).
Flags: needinfo?(rtestard)
(In reply to Romain Testard [:RT] from comment #12)
> (In reply to Chris Peterson [:cpeterson] from comment #11)
> > (In reply to Haik Aftandilian [:haik] from comment #7)
> > > Softvision is currently testing this version and so far no other issues have
> > > been found. The file upload issue exists because we block read access to the
> > > home directory and other locations (as does Safari). Breaking file upload
> > > applets is the main concern I have which I think warrants the per-site
> > > opt-out. I am considering adding back read access so that file uploaders
> > > would work and welcome feedback on that. And I'm investigating ways to get
> > > the file dialog to work while still blocking read access.
> > 
> > That's a good point. File uploaders are an interesting use case that we will
> > want to make work.
> >  
> Haik, where did things end-up on file uploader functionality?

We've added filesystem read access to the plugin process which allows file uploaders and file dialogs to work by default with the sandbox. This was mainly done 1) out of concern that users still using Flash might be dependent on this and be dissatisfied that it stopped working and 2) because with read-access disabled, file dialogs are displayed to the user in a broken/buggy state which is a pretty bad user experience. I'm hoping we can improve this and disable read access in the future.

> > > I wanted to ping you to ask about usage stats on the Mac. Mainly I'm
> > > wondering if we have any data about Mac Flash usage or specific
> > > functionality or domains (I don't expect we could collect domains). Do you
> > > know if we have any relevant stats?
> > 
> > @ Romain, can you run a Re:dash query comparing Flash usage for Mac vs
> > Windows? I assume that would be the plugins_notification_shown and
> > plugins_notification_user_action main_summary probes.
> Apologies for the delay there, there were redash issues when I initially
> looked at it and then I forgot to progress.
> Anyway I get it now:
> https://sql.telemetry.mozilla.org/queries/52165/source#table (Darwin) and
> https://sql.telemetry.mozilla.org/queries/52168/source (Windows_NT)
> In a single day 0.2% of all mac users interact with the Flash C2A UI whereas
> 0.22% of Windows users interact (sample taken on Feb 1st).

Thanks. Is it right to say that statistic doesn't include usage where a user uses Flash on a site they have already permanently allowed to use Flash? (Because the click-to-play UI won't be displayed each time.)
Flags: needinfo?(rtestard)
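For readers unfamiliar with how the filesystem restriction discussed in comment 2 (home directory and /Volumes unreadable, so file pickers break) and later relaxed in comment 13 (read access restored, writes still denied) is expressed on macOS, here is an illustrative sandbox profile (SBPL) fragment. It is an added example and not Firefox's actual Flash sandbox policy; the `HOME_PATH` parameter name and the set of system paths granted read access are assumptions chosen for the illustration.

```scheme
;; Illustrative SBPL fragment (added example, not Firefox's real policy).
;; Everything not explicitly allowed is denied by the first two rules.
(version 1)
(deny default)

;; HOME_PATH is assumed to be supplied by the launching code as a profile
;; parameter; the sandbox language itself never knows the user name.
(define home-path (param "HOME_PATH"))

;; Both variants below need these to load the plugin at all:
;; system frameworks, the dynamic linker's libraries and the plugin bundle.
(allow file-read*
    (subpath "/System")
    (subpath "/usr/lib")
    (subpath "/Library/Internet Plug-Ins"))

;; Variant A (the state described in comment 2): no rule grants read access
;; to home-path or /Volumes, so (deny default) applies to them. The file
;; picker opened by the plugin cannot enumerate user files, which is why
;; upload dialogs appeared broken. Nothing further is needed for this variant.

;; Variant B (the state described in comment 13): grant read access so file
;; uploaders and file dialogs work. Note that only file-read* is granted;
;; file-write* is still denied, so "save to disk", Print to PDF and
;; downloading an installer remain blocked.
(allow file-read*
    (subpath home-path)
    (subpath "/Volumes"))
```

A profile like this is compiled and applied inside the plugin process before any plugin code runs (Firefox's Mac sandbox does this through `sandbox_init_with_parameters`, passing values such as the home path as name/value parameters). Because later rules take effect alongside the deny-default baseline, the security review for Variant B is simply the diff: one additional `allow file-read*` clause, and a justification for each path it names.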
> Thanks. Is it right to say that statistic doesn't include usage where a user
> uses Flash on a site they have already permanently allowed to use Flash?
> (Because the click-to-play UI won't be displayed each time.)

True, this was only C2A UI engagement.
Regarding actual flash usage I just ran the queries:
- With os='Windows_NT' on a single day you get 5.84% of users active that day activating the flash plug-in (https://sql.telemetry.mozilla.org/queries/52223/source)
- With os='Darwin' on a single day you get 4.78% of users active that day activating the flash plug-in (https://sql.telemetry.mozilla.org/queries/52224/source)

For info, the hardware report shows that 63% of all users have the Flash plugin installed: https://hardware.metrics.mozilla.com/#goto-plugins.

Echoing Comment 5, if the Mac sandbox does not introduce new limitations (file uploads and dialogs are supported and downloads are not supported but said to not be used) when compared to Win64 (which has significantly more users) I wonder if we actually need a new UX here?
Flags: needinfo?(rtestard)
(In reply to Romain Testard [:RT] from comment #14)
Thanks for the usage data.

> Echoing Comment 5, if the Mac sandbox does not introduce new limitations
> (file uploads and dialogs are supported and downloads are not supported but
> said to not be used) when compared to Win64 (which has significantly more
> users) I wonder if we actually need a new UX here?

I agree the argument for adding the UX is weaker now that file uploaders should be usable. I'm still hesitant to introduce any breakage without a proper opt-out. Using an about:config as an opt-out workaround would disable the sandbox for all sites, not just for the ones the user needs. I'll discuss it with the team. We could defer the decision until after the sandbox has been enabled by default on Nightly and possibly Beta for a period of time.

Here's the list of things known to be prevented or broken by the sandbox right now.

 - Print to PDF from the Flash print dialog
 - Print to “Open in Preview” from the Flash print dialog
 - Quicklook in the File->Open dialog
 - Saving files to the filesystem from a Flash applet
 - Flash applets downloading and running the Adobe Air installer
 - Flash triggering Adobe Air applications to run
Summary: [Mac] Enable sandboxing for the Flash NPAPI plugin process → [Mac] Enable sandboxing for the Flash NPAPI plugin process on Nightly
To gather data and get feedback, we're going to enable the sandbox on Nightly without an opt-out UI.
See Also: → 1450715
Comment on attachment 8964310 [details]
Bug 1433577 - [Mac] Enable sandboxing for the Flash NPAPI plugin process on Nightly;

https://reviewboard.mozilla.org/r/233018/#review238494
Attachment #8964310 - Flags: review?(agaynor) → review+
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e3b6cc3709cd
[Mac] Enable sandboxing for the Flash NPAPI plugin process on Nightly; r=Alex_Gaynor
https://hg.mozilla.org/mozilla-central/rev/e3b6cc3709cd
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Blocks: 1450715
See Also: → 1455141
See Also: → 1474375
See Also: 1474375
Blocks: 1455141
See Also: 1455141
See Also: → 1474375
Depends on: 1525625