Closed
Bug 1474375
Opened 6 years ago
Closed 6 years ago
[Mac] Let Sandboxing for the Flash NPAPI plugin process ride the trains
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
Tracking
()
VERIFIED
FIXED
mozilla63
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox61 | --- | disabled |
| firefox62 | + | verified |
| firefox63 | + | verified |
People
(Reporter: haik, Assigned: haik)
References
Details
(Keywords: feature)
Attachments
(1 file)
|
59 bytes,
text/x-review-board-request
|
Alex_Gaynor
:
review+
ritu
:
approval-mozilla-beta+
|
Details |
At present, the Mac Flash sandbox is enabled on Nightly and early builds of Beta using the macro EARLY_BETA_OR_EARLIER to selectively set dom.ipc.plugins.sandbox-level.flash in browser/app/profile/firefox.js. This bug is filed to let the Mac Flash sandbox ride the trains and release in build 62. The Flash sandbox has been enabled in Nightly starting with 61.
|
Assignee | |
Updated•6 years ago
|
|
||
Updated•6 years ago
|
status-firefox62:
--- → affected
|
||
Comment 1•6 years ago
|
||
[Tracking Requested - why for this release]: We want to ship the Mac Flash sandbox in 62, but we need to fix this foxsports.com video bug 1474375 (and an HBO Now video bug: https://github.com/webcompat/web-bugs/issues/17274) in Beta 62.
status-firefox61:
--- → disabled
status-firefox63:
--- → affected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
tracking-firefox62:
--- → ?
|
|
Assignee | |
Comment 3•6 years ago
|
||
The following functionality is prevented by the Flash sandbox. - Print to PDF from the Flash print dialog - Print to “Open in Preview” from the Flash print dialog - Quicklook in the File->Open dialog - Saving files to the filesystem from a Flash applet - Flash applets downloading and running the Adobe Air installer - Flash triggering Adobe Air applications to run
| Comment hidden (mozreview-request) |
|
|
||
Comment 5•6 years ago
|
||
(In reply to Haik Aftandilian [:haik] from comment #3) > The following functionality is prevented by the Flash sandbox. > > ... Does our Windows sandbox prevent the same Flash functionality? Or will these problems be unique to Firefox on Mac? We should relnote about the Mac sandbox, but a relnote is too short for all these details. Should we also publish a SUMO article? I don't know how common these Flash use cases are.
Flags: needinfo?(haftandilian)
|
|
Assignee | |
Updated•6 years ago
|
|
||
Comment 6•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8993065 [details] Bug 1474375 - [Mac] Let Sandboxing for the Flash NPAPI plugin process ride the trains https://reviewboard.mozilla.org/r/257878/#review265122
Attachment #8993065 -
Flags: review?(agaynor) → review+
| Comment hidden (mozreview-request) |
Pushed by haftandilian@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a58a497a7328 [Mac] Let Sandboxing for the Flash NPAPI plugin process ride the trains r=Alex_Gaynor
|
||
Comment 9•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/a58a497a7328
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
|
|
||
Comment 10•6 years ago
|
||
(In reply to Chris Peterson [:cpeterson] from comment #5) > (In reply to Haik Aftandilian [:haik] from comment #3) > > The following functionality is prevented by the Flash sandbox. > > > > ... > > Does our Windows sandbox prevent the same Flash functionality? Or will these > problems be unique to Firefox on Mac? Jim says the Flash functionality broken by the macOS sandbox is unique to macOS. > We should relnote about the Mac sandbox, but a relnote is too short for all > these details. Should we also publish a SUMO article? Jim recommends that we create a SUMO article about the macOS sandbox, how to disable it, and the list of known breakage. We can also give a heads up to the SUMO support team who respond to user problems on SUMO and social media.
Flags: needinfo?(haftandilian)
|
|
Assignee | |
Comment 11•6 years ago
|
||
(In reply to Chris Peterson [:cpeterson] from comment #10) > (In reply to Chris Peterson [:cpeterson] from comment #5) > > (In reply to Haik Aftandilian [:haik] from comment #3) > > > The following functionality is prevented by the Flash sandbox. > > > > > > ... > > > > Does our Windows sandbox prevent the same Flash functionality? Or will these > > problems be unique to Firefox on Mac? > > Jim says the Flash functionality broken by the macOS sandbox is unique to > macOS. Not completely. > - Print to PDF from the Flash print dialog I couldn't get this to work on Windows 10. This is using the Flash print dialog triggered via right-click on a Flash applet and selecting print. > - Print to “Open in Preview” from the Flash print dialog Mac-specific > - Quicklook in the File->Open dialog Mac-specific > - Saving files to the filesystem from a Flash applet Mac-specific. > - Flash applets downloading and running the Adobe Air installer > - Flash triggering Adobe Air applications to run Also occurs on Windows. See bug 1429032. > > We should relnote about the Mac sandbox, but a relnote is too short for all > > these details. Should we also publish a SUMO article? > > Jim recommends that we create a SUMO article about the macOS sandbox, how to > disable it, and the list of known breakage. We can also give a heads up to > the SUMO support team who respond to user problems on SUMO and social media. I'll work on this.
|
|
Assignee | |
Comment 12•6 years ago
|
||
I'l request uplift of this bug and the following dependencies after a few days of testing on Nightly. Bug 1475722 - Mac Flash sandbox causes empty file upload dialogs on OS X 10.9, 10.10 r=Alex_Gaynor Bug 1471977 - Mac Flash sandbox causing World Cup playback issues on foxsports.com r=Alex_Gaynor Bug 1475707 - Mac Flash sandbox on Nightly/Beta causes OS X 10.9 file upload dialog Flash plugin crash r=Alex_Gaynor
|
||
Updated•6 years ago
|
tracking-firefox63:
--- → +
|
|
Assignee | |
Comment 13•6 years ago
|
||
Comment on attachment 8993065 [details] Bug 1474375 - [Mac] Let Sandboxing for the Flash NPAPI plugin process ride the trains Approval Request Comment [Feature/Bug causing the regression]: This set of changes fixes some bugs with the current implementation of the Mac Flash sandbox which is a new feature that is only enabled on Nightly and early Beta builds. These changes turn on the Mac Flash sandbox in Beta 62 so it can ship with 62. The dependent bugs address file dialog crashes on OSX 10.9 and 10.10 and video streaming issues reported on foxsports.com and hbonow.com. [User impact if declined]: This feature improves the process isolation of the Mac Flash plugin process. The bugs being fixed here are only present in Nightly and early Beta builds. [Is this code covered by automated tests?]: No. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: QE should validate that common Flash sites continue to work on the different Mac OS versions we support. [List of other uplifts needed for the feature/fix]: Bug 1475722 - Mac Flash sandbox causes empty file upload dialogs on OS X 10.9, 10.10 r=Alex_Gaynor Bug 1471977 - Mac Flash sandbox causing World Cup playback issues on foxsports.com r=Alex_Gaynor Bug 1475707 - Mac Flash sandbox on Nightly/Beta causes OS X 10.9 file upload dialog Flash plugin crash r=Alex_Gaynor [Is the change risky?]: Medium risk. [Why is the change risky/not risky?]: The Mac Flash sandbox was first enabled on Nightly on April 2nd and then on early beta builds of Beta61/62. It went through PI testing at that time. The changes don't make major changes, but most tests have been manual and the risk is that Flash sites could be regressed. The Mac Flash sandbox does prevent some lesser used Flash functionality from working (see the bug comments) and a SUMO article is planned to document that. SUMO bug to be filed. [String changes made/needed]: None
Attachment #8993065 -
Flags: approval-mozilla-beta?
Comment on attachment 8993065 [details] Bug 1474375 - [Mac] Let Sandboxing for the Flash NPAPI plugin process ride the trains Let's get this feature enabled and tested on beta62 for 2-3 weeks, Beta62+
Attachment #8993065 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Hey Liz, this is going to be enabled on Beta62 62.0b14 on wards. If we find blockers, stability issues, it makes sense to disable it again. We might also want to make the presence of the SUMO article (mentioned in comment 10) a release blocker for this feature.
Flags: needinfo?(lhenry)
|
||
Comment 16•6 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/44ca37781c49
|
||
Updated•6 years ago
|
Flags: qe-verify+
|
||
Comment 17•6 years ago
|
||
We've performed exploratory testing around common sites that use Flash player (https://facebook.com, https://www.miniclip.com/games/en/, http://ro.y8.com/ etc.) on Beta 62.0b14 (20180802174131) and latest Nightly 63.0a1 (2018-03-08). We did not encounter any new issues while testing on these websites, under Mac OS X 10.10 and 10.9.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
||
Updated•6 years ago
|
Flags: needinfo?(lhenry)
You need to log in
before you can comment on or make changes to this bug.
Description
•