Status of click-to-play plugins in Firefox 24/26

The Wanderer wanderer at fastmail.fm
Wed Oct 30 14:04:23 UTC 2013


On 10/29/2013 07:22 PM, Benjamin Smedberg wrote:

> On 10/29/2013 6:44 PM, joakimsen wrote:
> 
>> In the addon manager would require the user to click. I'm talking
>> about a method to do this programmatically for many machines.
> 
> That's what the ctp-manager addon that I linked earlier does. You can
> generate an automated .xpi which whitelists certain plugin/domain
> combinations.

But he's already stated that this is not what he wants (needs?).

What he seems to be requesting is the ability to whitelist a certain
plugin for *all* domains, "programmatically" (or otherwise suitable for
transparent deployment), and preferably with a way to override the
"marked insecure" case. In other words, giving system administrators the
ability to override the decision of the Firefox developers in regard to
a particular plugin - or, put another way, to make the decision globally
for (or on behalf of) their users.

To be honest, as a somewhat mid-level sysadmin, I'd kind of like that
ability myself. Yes, e.g. Java may be dangerous to allow for some
domains, but I can't always predict what domains my users will need in
advance - and if it doesn't "just work" for my users on some new site
they now need, I'll be lucky if they even tell me about it (so that I
could add the new domain to the whitelist) rather than just switching to
another browser.

(I work in a college, with hundreds of different teachers who draw on
different sites for their lessons, not all of whom even read E-mail.
It's like pulling teeth to even get a list of what software we can
safely stop deploying because no one uses it; the odds of getting a good
list of domains which need whitelisting are slim, and the odds of being
notified in advance when a new domain will be needed are even slimmer.
Making things worse, we use mandatory profiles for our students, so any
"local workaround" manual whitelisting they might do would get lost when
the user logs out. This is a recipe for user backlash.)

To be clear, I'd love to be able to just whitelist known-needed domains
and leave the others for users to enable manually (or not), and for many
more-specialized plugins this likely would work - but that simply is not
practical in reality. If/when the general user population is used to the
idea of activating/whitelisting plugins at use time, this may change,
but I don't see that happening anything like immediately.

-- 
    The Wanderer

Warning: Simply because I argue an issue does not mean I agree with any
side of it.

Every time you let somebody set a limit they start moving it.
   - LiveJournal user antonia_tiger



More information about the firefox-dev mailing list