Closed Bug 832481 Opened 11 years ago Closed 11 years ago

Require blocklist-induced click-to-play activation from the doorhanger

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla22

People

(Reporter: johns, Assigned: keeler)

References

Details

(Keywords: sec-want)

Attachments

(1 file, 2 obsolete files)

patch v1.1
6.05 KB, patch
keeler
: review+
Details | Diff | Splinter Review 
CTP is not meant to be immune to link-jacking, but when used as a security feature the ease of tricking users into activating the plugin is concerning.

One idea I discussed with jaws was to have clicking the CTP frame simply show the doorhanger, so a click on browser chrome is required to confirm the activation of vulnerable plugins.
In doing so, we would need to change the verbiage on the overlay to say something along the lines of "Click for more information" instead of the text that says "Click here to activate the X plugin"
I like this idea for vulnerable plugins (I'm discussing the entire CTP issue with the security team right now). But just to be clear: this proposal is for known vulnerable plugins only, not all CTP plugins, right? Because I think it could be a potentially unwieldy user experience when we're not even sure there's a vulnerability.
Yes, I think that's correct.
Component: General → Plug-ins
Product: Firefox → Core
Keywords: sec-want
Blocks: 841304
Attached patch prototype (obsolete) — Splinter Review 
Here's a quick implementation of what this could look like.
Attached patch patch (obsolete) — Splinter Review 
It's my understanding that we're moving forward with this. Here's the change with a test.
Assignee: nobody → dkeeler
Attachment #722983 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #727424 - Flags: review?(jAwS)
Comment on attachment 727424 [details] [diff] [review]
patch

Review of attachment 727424 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/base/content/browser-plugins.js
@@ +475,5 @@
> +              objLoadingContent.pluginFallbackType !=
> +                Ci.nsIObjectLoadingContent.PLUGIN_VULNERABLE_NO_UPDATE)
> +            gPluginHandler.activateSinglePlugin(aEvent.target.ownerDocument.defaultView.top, aPlugin);
> +          else
> +            gPluginHandler._showClickToPlayNotification(browser, true);

Nit, please reorder the if/else to have the positive in the if case and fallback in the else. For example:

> if (pluginFallbackType == VULNERABLE_UPDATABLE ||
>     pluginFallbackType == VULNERABLE_NO_UPDATE)
>   showClickToPlayNotification();
> else
>   activateSinglePlugin();

I prefer this way as I believe it is more readable.
Attachment #727424 - Flags: review?(jAwS) → review+
Attached patch patch v1.1Splinter Review 
Thanks for the quick review!
Nit fixed - carrying over r+.
Try: https://tbpl.mozilla.org/?tree=Try&rev=dc1abe17bc9b
Attachment #727424 - Attachment is obsolete: true
Attachment #727782 - Flags: review+
Summary: Consider requiring blocklist-induced click-to-play require activation from the doorhanger → Require blocklist-induced click-to-play activation from the doorhanger
https://hg.mozilla.org/mozilla-central/rev/5477c7a2231a
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
IMO, this is extremely annoying.
Now clicking on "Activate" popup activates all instances of Flash from that page. Is it expected?
(In reply to Paul Silaghi [QA] from comment #12)
> Now clicking on "Activate" popup activates all instances of Flash from that
> page. Is it expected?

No. Was this actually triggered by this bug or some later change?
Actually "activate" button has always been doing this. Is just that before this you were able to activate flash instances one at a time by clicking on the plugin area.
Yes, it always did that. 
While i misread the patch and it doesn't try to change that, i'm not sure if we actually intended to activate all instances with this change as this means there is now no way to activate single instances of vulnerable plugins.
That was the intended change. We are going to stop exposing activation of single instances and leave that feature to addons.
Being unable to block the adds around my favorite game doesn't seem such a good idea to me.
Ad blocking is the not the problem we're trying to solve with this feature. Users who want ad blocking should install adblock.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: