Closed Bug 491141 Opened 12 years ago Closed 4 years ago

implement NPAPI Advanced Key Handling spec

Categories

(Core :: Plug-ins, defect)

defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: jaas, Unassigned)

References

(Blocks 4 open bugs, )

Details

We should implement the NPAPI Advanced Key Handling spec (see URL field for link to spec).
Flags: wanted1.9.2+
Blocks: 490002
Blocks: 415988
I urge you to consider that there will be people writing malicious plugins to your new specification which will eat all keyboard input in an attempt to prevent the user from even closing the browser once they hit the page, while in the meantime they can do any nefarious thing they want to the user's computer or data.

There should be some protected keys that can't be handled by a plugin, just like you cannot handle Ctrl+Alt+Del in a regular application.
Igor - you expressed this same point in bug 78414. I already read it there, let's not drag that discussion into this bug.

I don't want to debate what the situation should be here, and some day this may change, but the reality is that plugins are trusted code and we don't restrict their behavior in part because ultimately we can't.

If an NPAPI plugin wants to do something malicious they can do a lot better than evilly manipulating with this API. They have the same privileges your browser does which means they can do things like install native event handlers to go around any attempt to stop them from consuming an event. It's a double-edged sword - plugins can do some bad things but their privilege level also allows them to do some good things like bring video input and output to the web many years ahead of when web standards will allow for it.

We block truly malicious plugins. Aside from that, people should uninstall plugins with simply undesirable behavior.
Four questions:

1) This is marked as blocking bug 78414, yet is of lower priority?
2) It lacks keywords "help wanted" that the #78414 has - intentionally?
3) It is of status NEW - according to Bugzilla's help on statuses and resolution, this means no work has started, no one is assigned to - shouldn't this be ACCEPTED, since it is assigned to someone?
4) How far has work on the implementation progressed (has it)?
Assignee: joshmoz → nobody
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE