Hi All
I see five questions:
1. Has the browser used this plugin anytime in the past (hidden plugin
install problem).
2. What should be the scope of the opt-in (per domain vs global)
3. Click to play or context menu
3.1 (options for context menu)
4. What to do on non-updated plugins when we know there is an update.
5. What to do when there is a known vulnerability affecting the
installed plugin.
Here is my take:
1. Plugins must require user intervention to execute the first time they
are used (unlock the plugin?). After this happens we use the 'regular'
opt-in logic.
2. My paranoid persona says: let's do it per domain, but I do not know
how much it would affect users (how often we would query the user about
this) and the rest of the web. Maybe have a UX setting? I think this is
needed for the case of a known vulnerability but no update ready yet.
3. I like context menus like NoScript. I also like the following
options: only for this object, temporarily for this domain, always for
this domain, revoke all temporary permissions. The meaning of
'temporary' could probably be set as a preference.
4. I would put a warning on session initialisation, but keep all other
functionality the same (I would make the warning not so scary (a little
bit)).
5. Here are the dragons.
Always:
a. Put a warning on session initialisation (or up to X hours after it
becomes known) that will tell the users about this and that, because of
the vulnerability, Firefox will now temporarily forget their
permissions, and that any changes to plugin opt-in will be valid only
for this session.
b. The context menu will not have the permanent option. The
'temporarily allow' would only last for 5 minutes.
If there is an update that addresses the vulnerability:
a. On the initial warning message put a button or a link to the
update AND a checkbox (unchecked) that says "I know there is an update
for this issue that I have not installed".
b. Show this warning again every X hours (I would say two hours).
Camilo
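To make the permission model proposed above concrete, here is a small in-memory model of the opt-in state it describes: a one-time unlock per plugin (question 1), per-domain temporary and permanent grants with a "revoke all temporary" action (question 3), and a known-vulnerability mode that forgets stored grants, refuses new permanent ones and shortens "temporary" to 5 minutes (question 5). This is an added example written for this page; it is not code from the thread, from Firefox or from the Mozilla feature page. The class and method names, the 'flash'/'example.com' sample identifiers, the one-hour default for "temporary" and the choice to simply drop (rather than restore) permanent grants once the plugin is updated are all assumptions.

```javascript
// Added example, not from the thread or from Firefox. Models the opt-in
// permission state discussed in the mail; all names and timeouts are assumed.

const TEMP_DEFAULT_MS = 60 * 60 * 1000; // assumed "temporary" preference: 1 hour
const TEMP_VULN_MS = 5 * 60 * 1000;     // 5 minutes while a known vulnerability is unpatched

class PluginPermissions {
  // `now` is injectable so expiry can be tested without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.persistent = new Map(); // "plugin|domain" -> true  ("always for this domain")
    this.temporary = new Map();  // "plugin|domain" -> expiry timestamp (ms)
    this.unlocked = new Set();   // plugins the user has explicitly unlocked once
    this.vulnerable = new Set(); // plugins with a known, not yet updated vulnerability
    this.tempMs = TEMP_DEFAULT_MS;
  }

  key(plugin, domain) { return `${plugin}|${domain}`; }

  // Question 1: the very first use needs explicit user intervention.
  unlock(plugin) { this.unlocked.add(plugin); }

  // Question 5: a known vulnerability makes the browser forget stored
  // permissions for that plugin; later grants are session-only (see below).
  markVulnerable(plugin) {
    this.vulnerable.add(plugin);
    for (const store of [this.persistent, this.temporary]) {
      for (const k of [...store.keys()]) {
        if (k.startsWith(plugin + '|')) store.delete(k);
      }
    }
  }

  // The update has been installed: normal rules apply again.
  markUpdated(plugin) { this.vulnerable.delete(plugin); }

  // "temporarily for this domain"; only 5 minutes while vulnerable.
  allowTemporarily(plugin, domain) {
    const ttl = this.vulnerable.has(plugin) ? TEMP_VULN_MS : this.tempMs;
    this.temporary.set(this.key(plugin, domain), this.now() + ttl);
  }

  // "always for this domain"; not offered while a vulnerability is known.
  allowAlways(plugin, domain) {
    if (this.vulnerable.has(plugin)) return false;
    this.persistent.set(this.key(plugin, domain), true);
    return true;
  }

  // "revoke all temporary permissions" from the context menu.
  revokeAllTemporary() { this.temporary.clear(); }

  // Decide whether a plugin instance on `domain` may run without asking.
  // Returns 'locked' (never unlocked), 'allowed', or 'ask' (click to play).
  decide(plugin, domain) {
    if (!this.unlocked.has(plugin)) return 'locked';
    const k = this.key(plugin, domain);
    if (this.persistent.has(k)) return 'allowed';
    const expiry = this.temporary.get(k);
    if (expiry !== undefined) {
      if (expiry > this.now()) return 'allowed';
      this.temporary.delete(k); // expired temporary grant is dropped
    }
    return 'ask';
  }
}
```

"Only for this object" from the proposed context menu is deliberately not stored: a one-shot allow for a single plugin instance never touches either map, which is what keeps it from leaking into later loads on the same domain.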
On 03/02/2012 04:27 PM, Lucas Adamski wrote:
Hi all,
We are actively working on opt-in activation for plugins, and have updated the
feature page listed here with our
thinking:https://wiki.mozilla.org/Opt-in_activation_for_plugins
This feature is intended to help with drive-by security issues and general
stability and resource consumption issues,
but cannot by itself mitigate all plugin security risks. As you can see there
are a number of open questions there,
especially in terms of desirable behavior in each of the use cases. I'd like to
discuss the pros and cons of each option
here, and then I'll update the feature page to reflect our discussions. Thanks!
Lucas.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security