Status of click-to-play plugins in Firefox 24/26

Andrew Joakimsen joakimsen at gmail.com
Tue Oct 29 21:33:18 UTC 2013


One issue that's neglected is the ability to whitelist certain plugins. This is especially important e.g. for a system administrator in a large organization, especially if the latest Java version is going to be blocked. Currently it is possible to fully disable the blocklist, but this is too extreme! It needs to be possible to fully whitelist individual plugins.

Sent from my iPhone

> On Oct 29, 2013, at 3:34 PM, Benjamin Smedberg <benjamin at smedbergs.us> wrote:
> 
> Please follow up to firefox-dev.
> 
> Below is the current status of click-to-play plugins in Firefox.
> 
> On the morning of Friday 18-October, we enabled a block which made all versions of Java click-to-activate with the insecure UI (bug 914690). This block broke some Java users. The breakage can be grouped into several general categories:
> * The plugin notification icon was not present in the location bar at all for some sites which use Java
> * The plugin notification icon was present in the location bar, but users didn't notice it
> * The plugin was visible on the page, but users didn't realize that they could click on it and didn't know what to do next
> 
> This affected some important sites in certain markets:
> * many people in Norway who use the Norway BankID system which is currently Java-based.
> * a few other prominent banks in Europe, and perhaps a few others
> 
> I don't have a good list of the affected sites, although I have been working with SUMO and feedback to try and get some better specific URLs. I am tracking the list at https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Apbc4eh5_A9wdDRQUmE4UHNKSFFJYkQ5Yzd4VmF6V0E&usp=drive_web#gid=0
> 
> The block for the most recent version of Java was disabled on Wednesday 23-October. The block for older versions of Java that have public security advisories is still in place.
> 
> The issue where the plugin notification icon was not present at all is the most serious issue. There are apparently some common Java deployment scripts which create a Java instance, and if it does not activate, immediately remove it from the page. This caused our plugin doorhanger to cancel itself. With jaws' help, I have fixed this issue in bug 889788 which landed for Firefox 26 beta 1.
> 
> This has not completely solved the problem. It turns out that there is another edge case where the plugin notification does not appear at all. This is now being tracked in bug 745187, and probably will not be hard to fix.
> 
> I have been working with lco and madhav to figure out if there are changes that we can do to make the in-content UI look more clickable. The current suggestion is to at least make sure that the cursor changes to a hand pointer when over the UI, and to reorder and reword the UI for the vulnerable-plugin case. This is tracked as bug 932446.
> 
> The final question is whether we need to make the hidden plugin case more discoverable. This was discussed at length a couple months ago. I still believe that the desired outcome is that we should not make hidden plugins discoverable, but I'm not sure whether we can actually pull that off in the market, especially with high-profile sites such as the Norway ID sites. Technically, exposing the doorhanger temporarily as in this mockup http://people.mozilla.org/~shorlander/files/click-to-play-prototype/clickToPlay-Mockup-03.html is fairly straightforward. We could also copy Chrome's UI and show a more permanent yellow notification bar. I am not sure how to make this decision. I need feedback from UI and product experts on the best option here. If we are going to uplift any UI change of this sort into Fx26 and not slip a release, it will need to be done soon so that we can get thorough testing in the beta cycle.
> 
> --BDS
> 


