Security Review Click to Play Plugins

VERIFIED FIXED

Status

mozilla.org
Security Assurance: Review Request
P3
blocker
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: curtisk, Assigned: curtisk)

Tracking

Details

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:52::Medium], URL)

Who is/are the point of contact(s) for this review?
    
Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
    
Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
    
Does this request block another bug? If so, please indicate the bug number This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

Are there any portions of the project that interact with 3rd party services?

Will your application/service collect user data? If so, please describe 

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Repeating an earlier comment I was told to bring up in sec-review:
At present, the permission is just "plug-ins enabled" as opposed to "plug-in Foo enabled". I think plug-ins should be enabled on a per plug-in type basis. It's relatively rare for a site to use multiple different plug-ins, so the case where a user wants to enable e.g. both Flash and Java for a site should be rare. However, if a site has managed to bait me into enabling Flash for the site in order to watch a video, I don't want Java-based exploit kits that someone has dropped on the site to activate, too.
(In reply to Henri Sivonen (:hsivonen) from comment #1)
> I think plug-ins should be enabled on a per plug-in type basis.

Indeed - we have bug 746374 for this.

Updated

6 years ago
Duplicate of this bug: 748947
assigning to :jaws as he is current owner of blocked bug
Assignee: curtisk → jaws
:jaws - We need more info to triage and assign this bug
Severity: normal → blocker
Priority: -- → P5
Whiteboard: [pending secreview][needs info]
(In reply to Curtis Koenig [:curtisk] from comment #0)
> Who is/are the point of contact(s) for this review?

Myself and David Keeler

> Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):

The feature, when enabled, blocks the loading of plugins until the user has chosen to activate the plugins on the page.

> Please provide links to additional information (e.g. feature page, wiki) if
> available and not yet included in feature description:

https://wiki.mozilla.org/Opt-in_activation_of_plugins_%28click_to_play_plugins%29

> Does this request block another bug? If so, please indicate the bug number
> This review will be scheduled amongst other requested reviews. What is the
> urgency or needed completion date of this review?

This feature is needed for our new plugin softblocking mechanism.

> Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
> Does this feature or code change affect Firefox, Thunderbird or any product
> or service the Mozilla ships to end users?

Firefox

> Are there any portions of the project that interact with 3rd party services?

Not directly, but the plugin softblocking code will interact with our blocklist API.

> Will your application/service collect user data? If so, please describe 

If users want to "Always activate" plugins for a site, then their preference will be remembered locally. This uses our standard permissions storage system, that is used for geolocation and cookie permissions.
Assignee: jaws → nobody
Whiteboard: [pending secreview][needs info] → [pending secreview][triage needed]
I will get this scheduled as soon as possible
Assignee: nobody → curtisk
Status: NEW → ASSIGNED
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 3 (P3) - Overall Mozilla Quarterly Goal

Operational: 0 - N/A
User: 5 - Blocker
Privacy: 0 - N/A
Engineering: 3 - Major
Reputational: 5 - Blocker

Priority Score: 52
Priority: P5 → P3
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:52::Medium]
:jaws - can you take a look at the sec-review calendar and let me know a date/time that works for you?
https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html

This should be pretty straight forward and we just need to get it on the schedule.
Flags: needinfo?(jaws)
Due Date: 2012-10-31
Friday, October 19th at 10:00 AM works good for me.
Flags: needinfo?(jaws)
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.