Closed
Bug 832481
Opened 11 years ago
Closed 11 years ago
Require blocklist-induced click-to-play activation from the doorhanger
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla22
People
(Reporter: johns, Assigned: keeler)
References
Details
(Keywords: sec-want)
Attachments
(1 file, 2 obsolete files)
6.05 KB,
patch
|
keeler
:
review+
|
Details | Diff | Splinter Review |
CTP is not meant to be immune to link-jacking, but when used as a security feature the ease of tricking users into activating the plugin is concerning. One idea I discussed with jaws was to have clicking the CTP frame simply show the doorhanger, so a click on browser chrome is required to confirm the activation of vulnerable plugins.
Comment 1•11 years ago
|
||
In doing so, we would need to change the verbiage on the overlay to say something along the lines of "Click for more information" instead of the text that says "Click here to activate the X plugin"
Comment 2•11 years ago
|
||
I like this idea for vulnerable plugins (I'm discussing the entire CTP issue with the security team right now). But just to be clear: this proposal is for known vulnerable plugins only, not all CTP plugins, right? Because I think it could be a potentially unwieldy user experience when we're not even sure there's a vulnerability.
Comment 3•11 years ago
|
||
Yes, I think that's correct.
Updated•11 years ago
|
Component: General → Plug-ins
Product: Firefox → Core
Assignee | ||
Comment 4•11 years ago
|
||
Here's a quick implementation of what this could look like.
Assignee | ||
Comment 5•11 years ago
|
||
It's my understanding that we're moving forward with this. Here's the change with a test.
Assignee: nobody → dkeeler
Attachment #722983 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #727424 -
Flags: review?(jAwS)
Comment 6•11 years ago
|
||
Comment on attachment 727424 [details] [diff] [review] patch Review of attachment 727424 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/base/content/browser-plugins.js @@ +475,5 @@ > + objLoadingContent.pluginFallbackType != > + Ci.nsIObjectLoadingContent.PLUGIN_VULNERABLE_NO_UPDATE) > + gPluginHandler.activateSinglePlugin(aEvent.target.ownerDocument.defaultView.top, aPlugin); > + else > + gPluginHandler._showClickToPlayNotification(browser, true); Nit, please reorder the if/else to have the positive in the if case and fallback in the else. For example: > if (pluginFallbackType == VULNERABLE_UPDATABLE || > pluginFallbackType == VULNERABLE_NO_UPDATE) > showClickToPlayNotification(); > else > activateSinglePlugin(); I prefer this way as I believe it is more readable.
Attachment #727424 -
Flags: review?(jAwS) → review+
Assignee | ||
Comment 7•11 years ago
|
||
Thanks for the quick review! Nit fixed - carrying over r+. Try: https://tbpl.mozilla.org/?tree=Try&rev=dc1abe17bc9b
Attachment #727424 -
Attachment is obsolete: true
Attachment #727782 -
Flags: review+
Assignee | ||
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/5477c7a2231a
Updated•11 years ago
|
Summary: Consider requiring blocklist-induced click-to-play require activation from the doorhanger → Require blocklist-induced click-to-play activation from the doorhanger
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/5477c7a2231a
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment 10•11 years ago
|
||
IMO, this is extremely annoying.
Comment 12•11 years ago
|
||
Now clicking on "Activate" popup activates all instances of Flash from that page. Is it expected?
Comment 13•11 years ago
|
||
(In reply to Paul Silaghi [QA] from comment #12) > Now clicking on "Activate" popup activates all instances of Flash from that > page. Is it expected? No. Was this actually triggered by this bug or some later change?
Comment 14•11 years ago
|
||
Actually "activate" button has always been doing this. Is just that before this you were able to activate flash instances one at a time by clicking on the plugin area.
Comment 15•11 years ago
|
||
Yes, it always did that. While i misread the patch and it doesn't try to change that, i'm not sure if we actually intended to activate all instances with this change as this means there is now no way to activate single instances of vulnerable plugins.
Comment 16•11 years ago
|
||
That was the intended change. We are going to stop exposing activation of single instances and leave that feature to addons.
Comment 17•11 years ago
|
||
Being unable to block the adds around my favorite game doesn't seem such a good idea to me.
Comment 18•11 years ago
|
||
Ad blocking is the not the problem we're trying to solve with this feature. Users who want ad blocking should install adblock.
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•