Doug Turner wrote:
> Considering this, maybe it is time to not just click-to-play, but
> require users to go to some menu item (maybe "View / Enable Legacy
> Mode") to enable Java, and other less useful and typically more
> vulnerable, NPAPI plugins. Just a thought.

I have a problem with the classification "less useful and typically more vulnerable". There is an obvious first-level distinction: Turing-complete controls like Java and Flash will always be more vulnerable. They are also prime candidates for Ben's slogan "make it possible to surf the web without plugins" (sorry if I might have rephrased that badly from memory).

Other plugins may be less popular, less well screened (in some cases), but also less interesting as an attack vector, but still offer high value to certain users. They are not always easy to replace with plugin-less techniques. They usually will not cause much wrong blame for Firefox, as their users will typically recognize them and know which hotline to call if something crashes. (At least I'm pretty sure no one ever attributed a crash in my 3D plugin to Firefox.)

Martin
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security