Closed Bug 987057 Opened 11 years ago Closed 10 years ago

Plugin Whitelist Request: McAfee SiteAdvisor Enterprise

Categories

(Firefox Graveyard :: Plugin Click-To-Activate Whitelist, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED
Firefox 32

People

(Reporter: bhageerathi_bai, Assigned: benjamin)

Details

(Whiteboard: application complete - accepted)

<<Please supply the following information for new plugin whitelist requests>>

Plugin name: McAfee SiteAdvisor Enterprise
Vendor: McAfee Software Private Limited
Point of contact: DLEscalationsSiteAdvisorEnterprise@mcafee.com
Current version: 3.5.0
Download URL: Since this is an Enterprise plugin, no download URL is available
Sample URL of plugin in use: Since this is an Enterprise plugin, no sample URL of the plugin is available.

Plugin details:

<<For each affected operating system, please copy the plugin information from about:plugins in Firefox>>
    File: NPMcFFPlg.dll
    Path: C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\NPMcFFPlg.dll
    Version: 3.5.0
    State: Enabled
    SiteAdvisor

MIME Type            Description           Suffixes
application/mcafee-plugin

Are there any variations in the plugin file name, MIME types, description, or version from one release to the next?
No.

Are there any known security issues in current or older versions of the plugin?
No.

Transition plan: We have to evaluate and re-design the SAE FF extension to use js-ctypes or some other approach to support multiple versions of Firefox.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: application complete
Application accepted for this cycle. We debated whether to accept this: since this is not a plugin that provides general web functionality, it is not clear that this should be a plugin at all. Expect that we will not renew this whitelist request when it comes up for renewal in 4 months.
Whiteboard: application complete → application complete - accepted
Please let us know what detailed information is required here to treat this as a plugin.
I don't understand the question. This shouldn't be a plugin, but we're allowing it for now (4 months) to give you time to move away from a plugin.
This has landed in Nightly builds. Please download a nightly build from http://nightly.mozilla.org/. Using a fresh profile, verify that the plugin activates by default and shows as "Always Activate" in the Firefox addon manager. (Profile manager: https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(bhageerathi_bai)
Resolution: --- → FIXED
Target Milestone: --- → Firefox 32
I have checked with the nightly build 32.0: the SAE plugin activates by default on a new profile and shows as "Always Activate".
Thanks.
Flags: needinfo?(bhageerathi_bai)
Excellent, thank you.
Status: RESOLVED → VERIFIED
Had a query on the next version of the SAE release, where only "Version: 3.5.0" will be changed to "Version: 10.0.xxx". Will this whitelisting hold good? Please confirm.
(In reply to bhageerathi_bai from comment #7)
> Had a query on the next version of the SAE release, where only "Version: 3.5.0"
> will be changed to "Version: 10.0.xxx". Will this whitelisting hold good?
> Please confirm.

Yes, the whitelisting is based on the plugin filename.
Thanks Benjamin, Georg and the FF team for helping us in the whitelisting process.

To answer Benjamin's question in comment #3 and to request reconsideration of inclusion of the plugin in the next whitelisting cycle, I am putting a little bit of detail about the "McAfee SiteAdvisor Enterprise" FF plugin workflow.

----------------------------------------------------------------------------------------------------

It's a combination of an extension and a scriptable NPAPI plug-in.

Our overlay extension JavaScript interacts with Firefox tabbed browsing for URL navigation and file download events. JavaScript controls malicious URL navigation in the Firefox tabbed browsing framework.
The overlay extension JavaScript also uses privileged JavaScript modules to listen for file download events to control malicious file downloads.

To control malicious file downloads and URL navigation, we have to communicate with our product modules to get the rating of the URL. To achieve this we have registered our NPAPI plug-in. The NPAPI plug-in talks back and forth with JavaScript to control malicious URL navigation and file downloads.

Initially we designed it as an extension (with XPCOM as a binary component) and we followed all the recommendations and suggestions on the Firefox web pages, but over time maintaining the XPCOM binary became an overhead, and because of the following limitations we chose to move away from the XPCOM binary component.
 
  * Binary XPCOM components must be recompiled for every new major release of Firefox
  * Unfrozen interfaces
  * For every new FF/old version support we have to download new Gecko SDK and compile our binary

----------------------------------------------------------------------------------------------------

 
Going forward, we have a plan to replace the scriptable NPAPI binary with a ctype binary.

We would be glad to hear your suggestions if you feel there is scope for design improvement for Plug-in vs. Extension. We will definitely take care of your suggestions at the time of moving to the ctype binary.

Thanks,
Rajendra
Note that if your plugin was bundled inside of the extension itself, for example (extensiondir/plugins/NPMcFFPlg.dll) it would be automatically activated by default and we wouldn't need the whitelist. That is because the user has already chosen to enable the addon, and so we don't need a separate choice to enable the plugin in that case.
Thanks Benjamin for quick response.
 
The plug-in DLL is placed under our product installation directory and the same path is registered under the HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins registry hive.

Extension files are stored under <FF_INSTALL_DIR>\distribution\bundles\<EXTN_ID>

Is this deployment structure going to affect the whitelisting scenario?
Deploying to distribution/bundles is probably going to break in the future and is considered a harmful practice. I've filed bug 1025192 to figure out the correct way to deploy enterprise addons such as this.

But in terms of this bug, putting the plugin in <EXTN_ID>/plugins is better than using HKLM\SOFTWARE\MozillaPlugins and should result in automatic activation. It does at least for normal addon installs; I'm not 100% certain about whether it works for distribution-bundles.
Thanks Benjamin for your valuable inputs.

Do you mean "<EXTN_ID>/plugins" = <FF_INSTALL_DIR>\distribution\bundles\<EXTN_ID>\plugins or something else?

I copied NPMcFFPlg.dll under <FF_INSTALL_DIR>\distribution\bundles\<EXTN_ID>\plugins and deleted the plugin entry from the HKLM\SOFTWARE\MozillaPlugins registry hive. After deleting all profiles and creating a new profile, it worked.

I think based on your suggestion we can change plug-in location to <EXTN_ID>\plugins for auto activation.

I will follow up on bug 1025192.
Product: Firefox → Firefox Graveyard