No edit summary |
No edit summary |
||
Line 34: | Line 34: | ||
* Risk of clickjacking - is this something we should try to mitigate ? | * Risk of clickjacking - is this something we should try to mitigate ? | ||
* Whether to differentiate between an SSL site containing plugin content | * Whether to differentiate between an SSL site containing plugin content and an HTTP site containing plugin content. Trusting content served over HTTPS is not the same as trusting content over HTTP, which is why they are usually treated as separate origins for security purposes. For example, if a user goes to https://foo.com, encounters plugins which are click to play, and chooses some method of always enabling plugins for this site does that always enable for foo.com regardless of scheme or for https://foo.com and NOT http://foo.com ? | ||
|Feature overview=Out of date (and hence, likely vulnerable) plugins shouldn't be allowed to run without user interaction. | |Feature overview=Out of date (and hence, likely vulnerable) plugins shouldn't be allowed to run without user interaction. | ||
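Review bot: the bullet added at line 34 raises the HTTPS-versus-HTTP question but leaves it unanswered, so the spec still does not say what an "always enable plugins for this site" choice is keyed on. Since the added text itself notes that the two schemes are usually treated as separate origins, suggest stating a default here: record the permission per origin including the scheme, so that a choice made on https://foo.com does not apply to http://foo.com. The bullet also switches between "SSL site" and "HTTPS"; use one term throughout.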
Line 79: | Line 79: | ||
Warning the user of a newly installed plugin - this is part of another feature : https://wiki.mozilla.org/Features/Firefox/Improved_plugin_installation_and_management_experience | Warning the user of a newly installed plugin - this is part of another feature : https://wiki.mozilla.org/Features/Firefox/Improved_plugin_installation_and_management_experience | ||
|Feature functional spec=Phase 1: | |Feature functional spec=Phase 1: | ||
Users can turn on a preference to require click to play for all plugins globally | Users can turn on a preference to require click to play for all plugins globally |