If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

implement NPAPI Advanced Key Handling spec

RESOLVED INCOMPLETE

Status

()

Core
Plug-ins
RESOLVED INCOMPLETE
9 years ago
6 months ago

People

(Reporter: Josh Aas, Unassigned)

Tracking

(Blocks: 4 bugs)

Trunk
Points:
---
Dependency tree / graph
Bug Flags:
wanted1.9.2 +

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

9 years ago
We should implement the NPAPI Advanced Key Handling spec (see URL field for link to spec).
Flags: wanted1.9.2+

Updated

8 years ago
Blocks: 490002

Updated

8 years ago
Blocks: 415988

Comment 1

7 years ago
I urge you to consider that there will be people writing malicious plugins to your new specification which will eat all keyboard input in an attempt to prevent user from even closing the browser once they hit the page while in the meantime they can do any nefarious thing they want to user's computer or data.

There should be some protected keys that can't be handled by a plugin just like you cannot handle Ctrl+Alt+Del in regular application.
(Reporter)

Comment 2

7 years ago
Igor - you expressed this same point in bug 78414. I already read it there, lets not drag that discussion into this bug.

I don't want to debate what the situation should be here, and some day this may change, but the reality is that plugins are trusted code and we don't restrict their behavior in part because ultimately we can't.

If an NPAPI plugin wants to do something malicious they can do a lot better than evilly manipulating with this API. They have the same privileges your browser does which means they can do things like install native event handlers to go around any attempt to stop them from consuming an event. It's a double-edged sword - plugins can do some bad things but their privilege level also allows them to do some good things like bring video input and output to the web many years ahead of when web standards will allow for it.

We block truly malicious plugins. Aside from that people should uninstall plugins with simply undesirable behavior.

Comment 3

6 years ago
Four questions:

1) This is marked as blocking bug 78414, yet is of lower priority?
2) It lacks keywords "help wanted" that the #78414 has - intentionally?
3) It is of status NEW - according to Bugzilla's help on statuses and resolution, this means no work has started, no one is assigned to - shouldn't this be ACCEPTED, since it is assigned to someone?
4) How far have works on implementation progressed (have they)?
(Reporter)

Updated

5 years ago
Assignee: joshmoz → nobody

Comment 4

6 months ago
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.