Closed Bug 505806 Opened 15 years ago Closed 15 years ago

Add blocklist entries for SeaMonkey

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: Matti, Assigned: morgamic)

References

Details

Attachments

(1 file)

Yahoo Plugin
73.23 KB, application/octet-stream
Details
Attached file Yahoo Plugin 
The blocklisting of plugins doesn't work in Seamonkey trunk and 2.0b1, just read bug 505349


STR:
1) put the Yahoo plugin from the attachment in your plugins foldeer and do the same for Firefox
2) load Seamonkey and open about:plugins, you can see the plugin
3) open Tools/addon Manager/plugins and you can see the yahoo plugin enabled
4) do trhe same for Firefox and you can see that the yahoo plugin doesn't appear in about:plugins and the addon Manager warns you that the plugin is disabled
The blocklist.xml in my SM Profile is empty while the FF one contains all the information including the yahoo plugin.
Dave: Do you know if the Server sends different lists to different clients and SM just doesn't get a list of blocked Plugins ?
SeaMonkey should ship a default blocklist, but that's only one part of the puzzle, and probably even the smaller one.
The larger issue is that AMO doesn't send a useful blocklist to SeaMonkey clients, compare for example  https://addons.mozilla.org/blocklist/3/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/3.6a1pre/Firefox/20090722122453/Linux_x86-gcc3/en-US/default/2.10/// with https://addons.mozilla.org/blocklist/3/{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}/2.0b1/SeaMonkey/20090722122453/Linux_x86-gcc3/en-US/default/2.10/// (both URLs are made up to my best knowlege of how to replace the values in http://mxr.mozilla.org/comm-central/source/suite/browser/browser-prefs.js#428 (which is the same extensions.blocklist.url as in Firefox builds).
I believe it does, Mike is the best person to talk to about the server side.
Let's move this bug to AMO, as we send a quite incomplete blocklist to SeaMonkey clients from there, and the most pressing thing is to actually get a useful list out to users.
We probably should send the same blocklist to SeaMonkey users as to Firefox ones, as that only can cause us to block addons that wouldn't install/work in SeaMonkey in any case, i.e. we send a few useless bytes to SM users, but that's better than not blocking anything but two things that are on that list now.

I'll file a separate bug for installing a default blocklist, but it would be most logical to ship a copy of what AMO does send us, so we should wait on getting a good blocklist from there before integrating and shipping that one by default.
Component: General → Blocklisting
OS: Windows Server 2003 → All
Product: SeaMonkey → addons.mozilla.org
QA Contact: general → blocklisting
Hardware: x86 → All
Version: Trunk → unspecified
Nobody requests plugins to be blocked for SeaMonkey.  When someone says "block ____ on Firefox version ____ to ____" we don't automatically blocklist it for all apps unless explicitly told to do so.

So right now all you see are extensions without an app GUID (globally blocked).  If you can provide a list of what you want added for SeaMonkey we can make the necessary adjustments.
Blocks: 505832
Yes, most people who request anything typically forget that there's anything else out there which this could apply to. Plugins usually affect all Gecko browsers the same way, so usually they should be blocked on SeaMonkey and Firefox the same. I asked Matti if he could compose a list of what should be blocked for SeaMonkey and post that here.
Blocklisting works for SeaMonkey, so changing bug title.  What you need to do is examine the Firefox list and if all of those work for SeaMonkey we can add the SeaMonkey GUID to the blocklist database for those entries to they work for both applications.

Moving forward, someone from the SeaMonkey community should watch the blocklist component so we know if prospective entries should be carried over to SeaMonkey in addition to Firefox.  We could just say to make things blocklisted for Firefox blocklisted for SeaMonkey by default, but I'm not sure that's the right thing to do since something crashing Firefox doesn't necessarily crash SeaMonkey.  Maybe you know more than I do about the ratio there.

Re: comment #7 -- not sure if it's fair to play the victim here.  The main difference is that someone with a vested interest in Firefox watches the blocklist component and engages with those bugs to arrive at a decision (eventually).  If you can designate someone (or a small group) to watch the blocklist component moving forward we can work together to do what is necessary to keep it up to date for SeaMonkey.
Summary: Plugin blocklisting doesn't work in Seamonkey → Add blocklist entries for SeaMonkey
Please blocklist the plugins that are already blocked for Firefox :
Yahoo Application State Plugin, v1.0.0.5 and older
Apple QuickTime Plugin, v7.1.*

and I think we should also block the VLC plugin Version 0.9.8a or lower (see bug 470936) 

I will watch the blocklist component and notify you if something should be blocked for SM.
Cool - thanks Matti. :)
(In reply to comment #8)
> something crashing Firefox doesn't necessarily crash
> SeaMonkey.

When it comes to plugins, the crashes are Gecko stuff or other shared code in all cases I heard of, so with those we crash on the same things from all I know.
For extensions, that's different, of course, as those usually hook into non-shared code as well.

> Re: comment #7 -- not sure if it's fair to play the victim here.  The main
> difference is that someone with a vested interest in Firefox watches the
> blocklist component and engages with those bugs to arrive at a decision
> (eventually).

I know I overdid it a bit, but a number of people who actually would know that stuff affecting web-exposed Gecko (like plugins) would affect all apps, but they usually just think of the main Gecko consumer, which is Firefox (no malicious intent assumed, I also don't intend to rant, just to shed light on a fact caused by all of us being humans and thinking of what is most important to ourselves).

I hope with Matti watching the component we have a good solution to prevent those totally human oversights in the future.

Thanks a lot, Matti, for caring about this!
Yeah, I understand your point.  Only way we'll become more aware is if we talk about it, so I'm glad we are. :)
Assignee: nobody → morgamic
Michael Morgan: 
Can you please add the plugins that are already blocked for Firefox to the Seamonkey blocking list ?

Yahoo Application State Plugin, v1.0.0.5 and older
Apple QuickTime Plugin, v7.1.*

It would be great if we could close this bug before Beta2, thanks
I just discovered that the Firefox blocklist contains a new plugin, please add this to the list:

<match name="filename" exp="NPFFAddOn.dll"/>

from bug 512122, bug 512412 (security bug).
morgamic, can we please have something happen there? I'll do the patch for our Beta 2 blocker bug 505832 with the current blocklist, but it would be really nice to have a current one both on AMO and in the builds for SM 2.0 final.
I can do this today, I was moving last week.
morgamic, that would be great!

BTW, sorry if it looks like we would pressure you, but we're putting ourselves into pressure to deliver a final beta with a freeze this Tuesday night and a final in October and want to get things right with e.g. the blocklist.

All pluginItems from Firefox 3.5something can be just applied to SeaMonkey 2.0a1 and higher as well, as we're using the same Gecko and therefore the same plugin support there.

On the other hand, I don't think any addon that is currently blocked for FF needs to be blocked for SM, and that includes the two entries that are on the SM list right now. Matti might correct me on the latter though and find some add-ons that need to be blocked, but we probably can do that in a followup. The plugins are the important part for now.
Let me know if it looks good or if some changes need to be made.
Thanks Michael !
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: