Status of click-to-play plugins in Firefox 24/26

Rob Whelan firefox at jtheory.com
Tue Nov 5 05:49:56 UTC 2013


Hello,
I've been lurking for most of this conversation, as I generally agree 
with the direction of it.  I have a few issues I'd like to hit/revisit, 
if possible, before everything wraps up:

## Example site ##
If you'd like another example site for testing, the basic drills on 
eMusicTheory.com are not blocked by a login; fairly fast-loading example 
here:
http://www.emusictheory.com/practice/rhythmDict.html
I get 30-40K unique visitors a month, so -- not at all huge, but enough 
that the Java debacle of the past year has been a horror for tech support.

## Java Deployment Toolkit ##
I currently use the Java Deployment Toolkit javascript & plugin, 
attempting to help users w/o Java and easily support multiple/old 
browsers -- this is currently broken by CtP (it's auto-blocked), but 
from what I understand this simple Java-version-check plugin does not 
execute Java and has not been vulnerable since Java 6 update 20:
http://kb.mozillazine.org/Java#Java_Deployment_Toolkit_plugin
Why is it still blocked?  There's a block request which I'm not 
authorized to view, so I don't even know the status of it:
https://bugzilla.mozilla.org/show_bug.cgi?id=636633 -- is it still valid 
for current versions of the plugin?

If there are still security issues, I suppose I'll need to scrape 
together my own JavaScript to fulfill the function of deploy.js without 
deploying the plugin to get Java version info, as querying Java version 
info before running the applet isn't worth the extra confusion CtP will 
force on the user... one plugin on the page is bad enough.  Is there any 
JavaScript-only way for me to tell how recent their Java plugin version is?

I know of the Site Author Guide for CtP plugins; it's unfortunately only 
general guidance, so it's up to me to figure out what browsers will 
support 'application/x-java-applet' in navigator.mimeTypes, how to build 
the embed/object/applet tag, etc. -- there's no guidance on a real 
production implementation... as far as I know the code on that page has 
only been tested on recent Firefox, but I have to support IE7 and other 
rather different environments.

## Oracle warning vs. Browser warnings in-page ##
The drill itself is viewable on the page; it's an applet with a signed 
JAR explicitly given sandbox-only permissions (both in the applet params 
and in the JAR manifest), and using the "Codebase" manifest attribute to 
force the applet to be hosted on my domain; this is the current CERT.org 
recommendation for deploying applets (based partly on my conversations 
with them):
http://www.cert.org/blogs/certcc/2013/09/signed_java_applet_security_im.html

So the warnings from Oracle are relatively friendly (I'm jumping through 
all available hoops, including the expensive ones!), but the in-page 
applet UI in Firefox is currently pretty poor -- it's not obviously 
clickable, it's aggressively off-putting (and there's no way I can 
mitigate this, unlike with the Oracle signing/etc.), there's no 
invitation to approve/deny, etc.  I know there's a bug logged for this 
-- are there mockups or anything similar available yet?

This is currently my main concern for my students' experience... I have 
to either show a walk-through explaining how to say "yes" to 
scary-looking security warnings -- which just feels wrong to me, and 
*should* raise serious red flags, for them -- or Firefox needs some way 
to coordinate applet security checks with the plugin, so that all of the 
work I've done to make my drills safe can be apparent to my users.

Kind regards,
Rob Whelan
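The JavaScript-only Java version check the message above asks about, written as an added example (not code from the original post, from deploy.js, or from Mozilla). It reads the same two signals Firefox exposed for NPAPI plugins at the time, a navigator.mimeTypes entry of the form "application/x-java-applet;jpi-version=1.7.0_45" and a navigator.plugins entry named like "Java(TM) Platform SE 7 U45", without loading the Deployment Toolkit plugin. The `nav` parameter stands in for window.navigator, and the SAMPLE_* objects are constructed test data, so the logic can be exercised outside a browser; in a page you would call detectJavaVersion(window.navigator). Note that a click-to-play or disabled plugin may be hidden from enumeration, so a null result means "not visible", not necessarily "not installed".

```javascript
// Added example: detect the installed Java plugin version from navigator
// data alone, with no Java Deployment Toolkit plugin involved.
// Signals used (as Firefox exposed them for NPAPI plugins):
//   navigator.mimeTypes[i].type == "application/x-java-applet;jpi-version=1.7.0_45"
//   navigator.plugins[i].name   == "Java(TM) Platform SE 7 U45"

// "1.7.0_45" -> { major: 7, minor: 0, update: 45 }; null if not a JPI version.
function parseJpiVersion(s) {
  const m = /^1\.(\d+)\.(\d+)(?:_(\d+))?$/.exec(String(s));
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), update: m[3] ? Number(m[3]) : 0 };
}

// Ordering on { major, minor, update }: negative, zero or positive.
function compareVersions(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.update - b.update);
}

// `nav` is window.navigator (or any object with array-like mimeTypes/plugins).
// Returns { major, minor, update } or null when no Java plugin is visible
// (not installed, disabled, or hidden from enumeration by the browser).
function detectJavaVersion(nav) {
  // Preferred source: the jpi-version MIME type carries the full update number.
  const mimes = nav && nav.mimeTypes ? Array.from(nav.mimeTypes) : [];
  let best = null;
  for (const mt of mimes) {
    const m = /^application\/x-java-applet;jpi-version=(.+)$/.exec(String(mt.type || ""));
    if (!m) continue;
    const v = parseJpiVersion(m[1]);
    if (v && (!best || compareVersions(v, best) > 0)) best = v;
  }
  if (best) return best;

  // Fallback: the plugin display name, e.g. "Java(TM) Platform SE 7 U45".
  const plugins = nav && nav.plugins ? Array.from(nav.plugins) : [];
  for (const p of plugins) {
    const m = /Java\(TM\) Platform SE (\d+)(?: U(\d+))?/.exec(String(p.name || ""));
    if (m) return { major: Number(m[1]), minor: 0, update: m[2] ? Number(m[2]) : 0 };
  }
  return null;
}

// True only when a Java plugin is visible AND at least `minimum` (JPI form).
function meetsMinimum(nav, minimum) {
  const v = detectJavaVersion(nav);
  const min = parseJpiVersion(minimum);
  return v !== null && min !== null && compareVersions(v, min) >= 0;
}

// Constructed navigator-like objects (not captured from real browsers).
const SAMPLE_JAVA7 = {
  mimeTypes: [
    { type: "application/x-java-applet;version=1.7" },
    { type: "application/x-java-applet;jpi-version=1.7.0_45" }
  ],
  plugins: [{ name: "Java(TM) Platform SE 7 U45" }]
};
const SAMPLE_JAVA6_NAME_ONLY = {
  mimeTypes: [],
  plugins: [{ name: "Java(TM) Platform SE 6 U20" }]
};
const SAMPLE_NO_JAVA = {
  mimeTypes: [{ type: "application/pdf" }],
  plugins: [{ name: "Shockwave Flash" }]
};

// Usage in a page: const v = detectJavaVersion(window.navigator);
// meetsMinimum(window.navigator, "1.7.0_40") -> true / false
```

The minimum-version string is whatever your applet actually needs; the check is only a convenience for steering users to an upgrade page, and the real protection still comes from the sandbox-only permissions in the JAR manifest and applet params described above.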
