Currently the click-to-play code effectively makes all (or at least many) plugins in chrome documents use click-to-play. While discussing if this was the correct policy it was brought up if we should allow plugins in chrome documents at all. This is a bug to figure out which policy to use and implement that policy.
5 years ago
I don't think we should allow plugins in chrome at all. Not much to gain, terrible for performance, and adds to future support burdens.
Just to make sure I understand: Are "chrome documents" documents with "chrome:" URLs? If so, then allowing plugins in them could also be a security issue, and I'm inclined to agree with Josh.
We use a plugin in the main browser chrome window for our HttpWatch product (see http://www.httpwatch.com ). It allows the user interface to be integrated as a docked panel. I believe there are other products on the Windows platform that also use plugins to embed a Windows based UI into Firefox. If you removed the ability to host plugins in Chrome then it would make it more difficult for products like ours to work as well in Firefox as it does in Internet Explorer. We could avoid using a plugin if there was some sort of XUL element that allowed us to embed our own window (HWND based) into our extensions overlay file.
I'm inclined to say we should deprecate plugins in chrome and perhaps not even allow them to instantiate. It can only really be bad-to-terrible for performance (serious footgun), and I certainly wouldn't want to prioritize any work needed to support it. If people really need to use native code there is always ctypes.
(In reply to Josh Aas (Mozilla Corporation) from comment #4) And somehow I didn't realize I already wrote basically the same thing months ago in this same bug! Apologies.
I don't have a strong opinion, but it seems that addon authors are currently using plugins for various binary-interop uses and we have recommended that in the past because it is often easier/safer than ctypes. So I think that we probably should keep support for now. And plugins in chrome docs shouldn't be CTP.
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.