Opt-in activation for plugins: Difference between revisions

* Risk of clickjacking - is this something we should try to mitigate?


* Whether to differentiate between an SSL site containing plugin content loaded over SSL and an HTTP site containing plugin content loaded over HTTP. Trusting content served over HTTPS is not the same as trusting content over HTTP, which is why they are usually treated as separate origins for security purposes. For example, if a user goes to https://foo.com, encounters plugins which are click to play, and chooses some method of always enabling plugins for this site, does that always enable them for foo.com regardless of scheme, or for https://foo.com and NOT http://foo.com?
|Feature overview=Out-of-date (and hence likely vulnerable) plugins shouldn't be allowed to run without user interaction.

