Closed Bug 886856 Opened 11 years ago Closed 11 years ago

[regression] Click-to-play "Allow Now" does not effect temporally.

Categories

(Core Graveyard :: Plug-ins, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: tetsuharu, Unassigned)

Details

(Keywords: regression)

[env]
* http://hg.mozilla.org/mozilla-central/rev/bc569033125a

[Steps to reproduce]
0. Turn on "plugins.click_to_play".
1. Open a page which contains plugins.
2. Try to activate the plugins.
3. Click "Allow Now".

[Result]
On all pages which are opened after step 3, permitted plugins are activated on load.

[Expectation]
"Allow Now" only takes effect in the tab.
Blocks: 880735
Keywords: regression
The effect of "Allow Now" is intended to cover all pages on the current site for one hour, but the permission is renewed when the site uses the plugin. It ends when the browser exits.

Please verify that the actual behavior matches that specification.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
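The "Allow Now" lifetime described in comment 1 (site-wide, one hour, renewed on use, gone at browser exit), as an added JavaScript model that is not Firefox code and not part of the original thread. The class and function names are hypothetical, and "site" is approximated by the URL host.

```javascript
// Added model, not Firefox source. SessionPluginPermissions, allowNow and
// onPluginRequested are hypothetical names.
const ONE_HOUR_MS = 60 * 60 * 1000;

class SessionPluginPermissions {
  constructor() {
    // "host|plugin" -> expiry time in ms. Held in memory only, so every
    // grant ends when the browser (this object) goes away.
    this.grants = new Map();
  }

  static key(pageUrl, plugin) {
    // Assumption: the "site" is approximated by the URL host.
    return `${new URL(pageUrl).host}|${plugin}`;
  }

  // The user clicked "Allow Now" on pageUrl at time `now` (ms).
  allowNow(pageUrl, plugin, now) {
    this.grants.set(SessionPluginPermissions.key(pageUrl, plugin), now + ONE_HOUR_MS);
  }

  // A page asks to instantiate a plugin: "activate" or "click-to-play".
  onPluginRequested(pageUrl, plugin, now) {
    const k = SessionPluginPermissions.key(pageUrl, plugin);
    const expiry = this.grants.get(k);
    if (expiry === undefined || now >= expiry) {
      this.grants.delete(k);
      return "click-to-play";
    }
    // Use by the site renews the grant for another hour (sliding expiry).
    this.grants.set(k, now + ONE_HOUR_MS);
    return "activate";
  }
}

// Constructed timeline, in minutes after the "Allow Now" click.
function demoTimeline() {
  const min = 60 * 1000;
  const p = new SessionPluginPermissions();
  p.allowNow("https://video.example/watch?v=1", "flash", 0);
  return [
    p.onPluginRequested("https://video.example/watch?v=2", "flash", 50 * min),  // other page, same site
    p.onPluginRequested("https://video.example/other", "flash", 100 * min),     // alive only because renewed at 50
    p.onPluginRequested("https://other.example/", "flash", 101 * min),          // different site
    p.onPluginRequested("https://video.example/watch?v=3", "flash", 161 * min), // 61 minutes without use
  ];
}
```

In this model the grant outlives the first hour as long as the site keeps using the plugin at least once per hour, and a fresh `SessionPluginPermissions` (a new browser session) starts with no grants.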
This is not a (coding) bug, but I still think it's a UI regression. The feature is called "click to play", but that's no longer what it is: Now it's more like "click twice to play always".

It used to be very easy to start a single plugin instance on a single page one single time: Click the placeholder. Now, the first click on a placeholder brings up a popup requiring another click. Then, if I only want the plugin to load once, I have to open the page permissions window and manually change the plugin options back to "always ask" or "use default".

If I don't do that, all future page loads from the same site will automatically start the plugin. If I wanted that, I wouldn't be using click to play. E.g. one thing I regularly do is open a gazillion YouTube tabs, but obviously I don't want them to play all at once. Click to play nicely prevented that (and Flashblock for ages before that). With the current behaviour, I get a cacophony of sounds playing all at once, plus high CPU load from all those videos playing in the background. I didn't test the one hour timeout, presumably it works as intended. But obviously it doesn't help me at all.

I don't really want to go back to Flashblock. It was a workable enough solution when it was the only one, but it certainly has its quirks and doesn't work well with all sites (or didn't when I last used it). As opposed to click to play, which I've never had any problems with.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> The effect of "Allow Now" is intended to cover all pages on the current site
> for one hour, but the permission is renewed when the site uses the plugin.
> It ends when the browser exits.

If we try a new plugin, the behavior which permits it on all pages for one hour may be useful.

However, from the viewpoint of security, this behavior has a problem. This model permits a time with no guard for the user. For example, a user uses plugin(A), which is very popular, is used on every site, and has some unfixed zero-day vulnerability. In this case, if the user activates plugin(A) with "Allow Now" on a clean page, this will not cause a problem. But if the user visits a next page injected with some malware which attacks the vulnerability of plugin(A), there is no protection because plugin(A) is activated with "Allow Now". One hour is a temporary time, but it's a very long time in which to encounter some attacked pages.

And from the viewpoint of usability, the current behavior is not good. How does a user know that "Allow Now" continues for one hour? If the user knows it continues for one hour, how does the user track the end of the hour? Users sometimes get absorbed in their purpose and forget the time. I think that we should provide a *simple* way to activate it which works on a very simple rule like "This button will be red if you click it".


> Please verify that the actual behavior matches that specification.

What is "that specification"?
(In reply to Tetsuharu OHZEKI [:saneyuki_s] from comment #3)
> What is "that specification"?

The one in 880735: http://people.mozilla.com/~lco/CtP/130415%20CtP%20design%20spec.pdf

The second comment even explicitly states that 'this change removes "click to play" functionality'. Oh well, I guess this is a lost cause then. I'll just stay on the last FF24 nightly.
Product: Core → Core Graveyard