Jethro, I was thinking of 'automatically allow on the embedder domain' (ie do you trust the embedder or not) - but this is a good point. Personally, I think users would consider the first party domain the site serving the content - but I assume (hope) that most high profile sites that users have some sort of relationship with don't allow embedding plugin content from arbitrary domains.

I like Brad's suggestion - basically forwarding the click to the plugin since it shows user intent in this case.

I think this feature is a great candidate for some user research in its early days as well, perhaps.

thanks,
ian

----- Original Message -----
From: "Brad Lassey" <blas...@mozilla.com>
To: "Jet Villegas" <j...@mozilla.com>
Cc: "Ian Melven" <imel...@mozilla.com>, mozilla-dev-secur...@lists.mozilla.org, "security-group group" <security-gr...@mozilla.org>
Sent: Friday, April 6, 2012 4:20:48 PM
Subject: Re: Opt-in activation for plugins (aka click to play)

It seems like the logic could be similar to our pop up blocker. If the plugin is shown or created by a user action, we could play it by default.

-Brad

On 2012-04-06, at 7:18 PM, Jet Villegas wrote:

> We're talking about multiple domains here: the container (eg. facebook.com)
> and the content (eg. youtube.com, hulu.com, zynga.com etc.) I'm not sure if
> we need to support fine-grained controls over both types of domains here, or
> simply allow plug-in content to play back immediately when a click is
> received on the container. We'll have to try different approaches here and go
> with what makes the best sense.
>
> -- Jet
>
> ----- Original Message -----
> From: "Ian Melven" <imel...@mozilla.com>
> To: "Jet Villegas" <j...@mozilla.com>
> Cc: "security-group group" <security-gr...@mozilla.org>,
> mozilla-dev-secur...@lists.mozilla.org
> Sent: Friday, April 6, 2012 3:57:36 PM
> Subject: Re: Opt-in activation for plugins (aka click to play)
>
> My opinion is that click to play absolutely should have an easy 'always allow
> plugins to play on this domain'
> option for the user for cases like this - this should be persisted unless the
> user decides to explicitly
> revoke it. Would that address your concern ?
>
> thanks,
> ian
>
> ----- Original Message -----
> From: "Jet Villegas" <j...@mozilla.com>
> To: "Lucas Adamski" <ladam...@mozilla.com>, "Jared Wein" <jw...@mozilla.com>
> Cc: "Asa Dotzler" <a...@mozilla.com>, "Kev Needham" <k...@mozilla.com>,
> "security-group group" <security-gr...@mozilla.org>, "Madhava Enros"
> <men...@mozilla.com>, "Stephen Horlander" <shorlan...@mozilla.com>, "Justin
> Dolske" <jdol...@mozilla.com>, mozilla-dev-secur...@lists.mozilla.org
> Sent: Friday, April 6, 2012 3:13:45 PM
> Subject: Re: Opt-in activation for plugins (aka click to play)
>
> Sites like Facebook already have an image preview of their Flash links that
> users already have to click to play. We may need some way to avoid requiring
> multiple clicks to get at the plug-in content.
>
> -- Jet
>
> ----- Original Message -----
> From: "Lucas Adamski" <ladam...@mozilla.com>
> To: "Jared Wein" <jw...@mozilla.com>
> Cc: "Asa Dotzler" <a...@mozilla.com>, "Kev Needham" <k...@mozilla.com>,
> "security-group group" <security-gr...@mozilla.org>, "Madhava Enros"
> <men...@mozilla.com>, "Stephen Horlander" <shorlan...@mozilla.com>, "Justin
> Dolske" <jdol...@mozilla.com>, mozilla-dev-secur...@lists.mozilla.org
> Sent: Wednesday, April 4, 2012 2:16:08 PM
> Subject: Re: Opt-in activation for plugins (aka click to play)
>
> On Apr 2, 2012, at 6:37 PM, Jared Wein wrote:
>
>>
>>>
>>> How would you implement a checkbox in a normal click-to-play
>>> (in-content) experience?
>>>
>>> To be clear that's a 30 day sliding window from last time content was
>>> played there. So if you visit a given site with plugin content (say
>>> youtube.com) at least once every 30 days, you conceivably should not
>>> see that prompt again unless you become vulnerable to a security
>>> issue.
>>
>> We can put checkboxes in the plugin overlay, similar to what we have for
>> crashed plugins. When the overlay is too small to use we can add secondary
>> options in the doorhanger dropdown for users to choose to remember the
>> settings.
>
>
> Ah ok, makes sense. I'd love to get UX feedback here on these respective
> proposals (implicit persistence of permission on a sliding time window vs
> explicit checkbox in overlay). Thanks!
> Lucas.
> _______________________________________________
> Security-group mailing list
> https://mail.mozilla.org/listinfo/security-group
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
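
The thread weighs several activation rules: implicit persistence on a 30 day sliding window, an explicit "always allow" that lasts until revoked, pop-up-blocker-style activation on a user action, and prompting again once the plugin is vulnerable. The sketch below is an added example, not Mozilla's code and not part of any message above; `PluginPermissions`, `decide`, keying on the embedder host, and letting the vulnerability check override stored permissions are all assumptions made for illustration.

```javascript
// Added illustration of the rules debated in the thread; every name is hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const WINDOW_MS = 30 * DAY_MS; // the "30 day sliding window" from the thread

class PluginPermissions {
  constructor() {
    // embedder host -> { always: boolean, lastPlayed: number | null }
    this.entries = new Map();
  }

  entry(host) {
    return this.entries.get(host) || { always: false, lastPlayed: null };
  }

  // Explicit "always allow plugins to play on this domain"; kept until revoked.
  alwaysAllow(host) {
    this.entries.set(host, { ...this.entry(host), always: true });
  }

  // Explicit user revocation drops both the flag and the sliding window.
  revoke(host) {
    this.entries.delete(host);
  }

  // Returns "play" or "prompt"; a "play" result records the playback time.
  decide({ host, now, userGesture = false, pluginVulnerable = false }) {
    // Assumption: a vulnerable plugin falls back to the prompt in every case.
    if (pluginVulnerable) return "prompt";

    const e = this.entry(host);
    const inWindow = e.lastPlayed !== null && now - e.lastPlayed <= WINDOW_MS;

    // Pop-up-blocker style: a user action on the container counts as intent.
    if (e.always || inWindow || userGesture) {
      // The window is measured from the last time content played there.
      this.entries.set(host, { ...e, lastPlayed: now });
      return "play";
    }
    return "prompt";
  }
}
```

Keying on the embedder host is only one of the options raised in the thread; the same structure works with the content host, or a pair of both, as the map key.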