Opt-in activation for plugins: Difference between revisions

Line 46: Line 46:
Chrome has implemented something similar: http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html
Chrome has implemented something similar: http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html
|Feature users and use cases=Use cases with '''proposed interactions below emphasized''':
|Feature users and use cases=Use cases with '''proposed interactions below emphasized''':
# User has an out of date plugin that is used on the site the user is visiting
# User has a plugin that mozilla has remotely required to be click to play because the plugin is out of date (implying an update has been released) :
#* '''User can run plugin after clicking to activate it'''
#* '''User can run plugin after clicking to activate it'''
# User has a plugin that mozilla has remotely required to be click to play because the plugin is being widely exploited, no update available
# User has a plugin that mozilla has remotely required to be click to play because the plugin is being widely exploited, no update available
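Review bot: Use case 1 differs in scope between the two revisions, not only in wording. One version covers any out-of-date plugin used on the site being visited, while the other covers only a plugin that Mozilla has remotely required to be click to play. If both situations are in scope, list them as separate use cases so the locally detected out-of-date case is not lost, and say which interaction applies to each. The " :" ahead of the sub-bullet should also drop its leading space, and "mozilla" should be capitalised consistently with the rest of the page.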
Line 74: Line 74:
* Mitigate attacks where user interacts with site (clickjacking, or simply wants to run vulnerable plugin)
* Mitigate attacks where user interacts with site (clickjacking, or simply wants to run vulnerable plugin)
|Feature non-goals=We can't prevent users getting owned up by vulnerable plugins if they choose to activate a plugin on a site hosting malicious payloads. This is why driving plugin updates is important.
|Feature non-goals=We can't prevent users getting owned up by vulnerable plugins if they choose to activate a plugin on a site hosting malicious payloads. This is why driving plugin updates is important.
In the current proposal, we are not distinguishing between popular/unpopular plugins in terms of a default click to play session. Mozilla cannot maintain a list of every single plugin on the web and their current versions, but additionally attackers target the most widely deployed plugins. Improving plugincheck's knowledge of commonly used plugins is an ongoing goal.


Warning the user of a newly installed plugin - this is part of another feature : https://wiki.mozilla.org/Features/Firefox/Improved_plugin_installation_and_management_experience
Warning the user of a newly installed plugin - this is part of another feature : https://wiki.mozilla.org/Features/Firefox/Improved_plugin_installation_and_management_experience
|Feature functional spec=Phase 1:
|Feature functional spec=Phase 1:
Users can turn on a preference to require click to play for all plugins globally
Users can turn on a preference to require click to play for all plugins globally
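Review bot: The paragraph beginning "In the current proposal" (the one line in this hunk without a counterpart in the other revision) joins two independent reasons with "but additionally", which reads as if the second contradicts the first. Split it into two sentences: Mozilla cannot maintain a list of every plugin and version, and attackers target the most widely deployed plugins. "Default click to play session" is not defined anywhere in the visible text and needs a short explanation or a link. The closing sentence states an ongoing goal for plugincheck inside the non-goals field, so it would sit better under the goals or be reworded as context for the non-goal.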