Inform user when 3rd party software installs plugin Topic is solved
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Inform user when 3rd party software installs plugin
I hope this isn't off-topic, but can I please submit a feature request for pale moon to inform the user when 3rd party software on the user's computer installs an NPAPI plugin, as it is a potential security risk, especially given, correct me if I'm wrong, but my amateur guess is that these plugins could be long-past end-of-life and left over from the era when NPAPI plugins existed?
Re: Inform user when 3rd party software installs plugin
There will be no change in how plugins are handled. Except in the future NPAPI may be wholey pref disabled by default (but never removed.. ever.. I won't allow it).
Two reasons why:
One is that as Linux systems start removing GTK2 completely as it is long end of life the dependancy on GTK2 for GTK3 builds will have to be broken. The side effect is that old plugins compiled against GTK2 will not run in GTK3 builds nor will GTK3 builds be able to be compiled or run correctly on systems without GTK2.
The second issue is across the board as plugins age out of usefulness or fitness they have become increasingly an edge case as a whole. We love NPAPI and would love to see new ones pop up or non-flash/java continue on but the reality is that with the draconian tech elite against any choice by the user prevailing that seems increasingly unlikely. Still there will always be the case where the user MUST have plugin capabilities despite the risks and whatnot so removing NPAPI just can never be an option for us but an explicit choice the user has to make to use them is a reasonable compromise.
In the event the winds of fate blow the other way then the default setting for a pref can always be re-evaluated. Besides, removing NPAPI would literally be more work than it is worth. Not to Mozilla cause they get off on it but for us why expend the effort when there is plenty of failed junk from the past decade that is far more important to get rid of than something that users actually care about?
Two reasons why:
One is that as Linux systems start removing GTK2 completely as it is long end of life the dependancy on GTK2 for GTK3 builds will have to be broken. The side effect is that old plugins compiled against GTK2 will not run in GTK3 builds nor will GTK3 builds be able to be compiled or run correctly on systems without GTK2.
The second issue is across the board as plugins age out of usefulness or fitness they have become increasingly an edge case as a whole. We love NPAPI and would love to see new ones pop up or non-flash/java continue on but the reality is that with the draconian tech elite against any choice by the user prevailing that seems increasingly unlikely. Still there will always be the case where the user MUST have plugin capabilities despite the risks and whatnot so removing NPAPI just can never be an option for us but an explicit choice the user has to make to use them is a reasonable compromise.
In the event the winds of fate blow the other way then the default setting for a pref can always be re-evaluated. Besides, removing NPAPI would literally be more work than it is worth. Not to Mozilla cause they get off on it but for us why expend the effort when there is plenty of failed junk from the past decade that is far more important to get rid of than something that users actually care about?
Last edited by New Tobin Paradigm on 2021-07-18, 10:42, edited 3 times in total.
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Re: Inform user when 3rd party software installs plugin
What do you mean? Are you saying that this feature request will not be acted upon, or have you misunderstood my question/"amateur guess"?
Re: Inform user when 3rd party software installs plugin
I said precisely what I meant. Please re-read it.
Re: Inform user when 3rd party software installs plugin
Almost all plugins are system-installed. They aren't installed "in the browser"; the browser just picks them up from the system.
It is and has always been the user's responsibility to know what they install on their system that might include NPAPI plugins, and the browser isn't supposed to be a gatekeeper for it.
So: if you install software, make sure you know if it comes with a plugin or not, and/or check your plugins section after installation if you're not sure to set them up as intended (or flat-out disable them there if you don't want the browser to ever load or use them)
As Tobin said: we won't be changing how this is handled - we've done it this way since the start and won't be changing it just because some people decided they wanted to push inferior or more complex (and uncontrollable) in-browser solutions that are "always on".
It is and has always been the user's responsibility to know what they install on their system that might include NPAPI plugins, and the browser isn't supposed to be a gatekeeper for it.
So: if you install software, make sure you know if it comes with a plugin or not, and/or check your plugins section after installation if you're not sure to set them up as intended (or flat-out disable them there if you don't want the browser to ever load or use them)
As Tobin said: we won't be changing how this is handled - we've done it this way since the start and won't be changing it just because some people decided they wanted to push inferior or more complex (and uncontrollable) in-browser solutions that are "always on".
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Re: Inform user when 3rd party software installs plugin
Apologies, only the first sentence of your reply appeared last time I read it (must've been a glitch). I will reread it now
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Re: Inform user when 3rd party software installs plugin
Based on both Tobin and Moonchild's replies, I will be closing this issue (if I can figure out how)
EDIT: I can't figure out how to close the issue. Doesn't matter
EDIT: I can't figure out how to close the issue. Doesn't matter
Last edited by wannabegeek101 on 2021-07-18, 11:10, edited 1 time in total.
Re: Inform user when 3rd party software installs plugin
This is a forum not an issue tracker. Though currently the forum acts as a gatekeeper to keep irrelevant issue noise from cluttering up our actual issue trackers.
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Re: Inform user when 3rd party software installs plugin
In future, do feature requests go on the forum or issue tracker?New Tobin Paradigm wrote: ↑2021-07-18, 11:09This is a forum not an issue tracker. Though currently the forum acts as a gatekeeper to keep irrelevant issue noise from cluttering up our actual issue trackers.
Re: Inform user when 3rd party software installs plugin
Comprehensive reading seems to be a bit of a problem, here.
What does that tell you? it tells you that your first point of contact should be the forum so our issue trackers remain focused on development.currently the forum acts as a gatekeeper to keep irrelevant issue noise from cluttering up our actual issue trackers.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Re: Inform user when 3rd party software installs plugin
OkayMoonchild wrote: ↑2021-07-18, 11:18Comprehensive reading seems to be a bit of a problem, here.What does that tell you? it tells you that your first point of contact should be the forum so our issue trackers remain focused on development.currently the forum acts as a gatekeeper to keep irrelevant issue noise from cluttering up our actual issue trackers.
Re: Inform user when 3rd party software installs plugin
As an aside, a number of boards have a "checkmark" button to mark what you think is a resolving answer. That is as close as "closing an issue" as you can get on the forum.
- Attachments
-
- Image1.gif (1.5 KiB) Viewed 1223 times
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- RealityRipple
- Astronaut
- Posts: 659
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: Inform user when 3rd party software installs plugin
This would be more in the purview of an extension. So I made one: https://realityripple.com/Software/Mozilla-Extensions/Unplug/.
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Re: Inform user when 3rd party software installs plugin
I appreciate it, although I would appreciate if you gave me a reason to believe it's legit, since I'm not going to install random software from a website I don't recognise (RealityRipple). Currently both the github and gitlab links link to a 404 error page, and even if they did work, I don't know coding, so I wouldn't understand the code anyway (unless it's extremely simple). Nothing against you, and I appreciate you've taken the time to make this, but obviously I don't know who you are, so I don't want to install it without a reason to believe it's legit.RealityRipple wrote: ↑2021-07-19, 11:07This would be more in the purview of an extension. So I made one: https://realityripple.com/Software/Mozilla-Extensions/Unplug/.
Kind regards
-
- Moonbather
- Posts: 58
- Joined: 2016-03-21, 12:35
Re: Inform user when 3rd party software installs plugin
Astounding.wannabegeek101 wrote: ↑2021-07-19, 11:22I appreciate it, although I would appreciate if you gave me a reason to believe it's legit, since I'm not going to install random software from a website I don't recognise (RealityRipple). Currently both the github and gitlab links link to a 404 error page, and even if they did work, I don't know coding, so I wouldn't understand the code anyway (unless it's extremely simple). Nothing against you, and I appreciate you've taken the time to make this, but obviously I don't know who you are, so I don't want to install it without a reason to believe it's legit.
Kind regards
Do you believe people hang out on this forum with a specific intent to create malicious extensions so they could steal your invaluable data?
And now you want him to somehow persuade you that it's "legit?"
If you don't trust his extension, why would you trust his reply?
Hey, RealityRipple, I have several of your extensions, could you kindly let me know if you are stealing my data or doing something evil with my device?
Thank you.
Re: Inform user when 3rd party software installs plugin
Nice display of appreciation for someone going out of their way actually making an extension for you based on what you posted in this thread...wannabegeek101 wrote: ↑2021-07-19, 11:22although I would appreciate if you gave me a reason to believe it's legit
Keep it up, I'm sure you'll have plenty of people overly motivated to help you with anything in the future.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- wannabegeek101
- Hobby Astronomer
- Posts: 22
- Joined: 2021-07-17, 06:29
Re: Inform user when 3rd party software installs plugin
I very much appreciate the extension, but I don't install software from unknown sources (for obvious reasons), so I was asking if there's a way for the creator to prove it's legit, so that their work doesn't go to waste.Moonchild wrote: ↑2021-07-19, 12:11Nice display of appreciation for someone going out of their way actually making an extension for you based on what you posted in this thread...wannabegeek101 wrote: ↑2021-07-19, 11:22although I would appreciate if you gave me a reason to believe it's legit
Keep it up, I'm sure you'll have plenty of people overly motivated to help you with anything in the future.
Re: Inform user when 3rd party software installs plugin
He links to the source code. you can inspect everything yourself.
https://github.com/RealityRipple/Unplug/
https://github.com/RealityRipple/Unplug/
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Inform user when 3rd party software installs plugin
RealityRipple despite the occasional arguments of scope is nevertheless an upstanding Extension Developer and largely dominates our selection of External listings. He also operates the mdn backup resource that preserves key info that is being purged from the internet by Mozilla.
He IS trustworthy but is also a free spirit who does their own thing and I have come to respect that over time. When he applies for an external listing, the add-on still goes through the same review process as any hosted one and there has yet to be any sort of issue that would put his status into question on that front. If there was you can be sure I would be on a crusade about it. Fuckin proof enough for you?
As others stated, he went to the trouble of creating something that never existed before just for you. Be greatful or be silent because you won't like the alternative consequences.
Is that understood?
He IS trustworthy but is also a free spirit who does their own thing and I have come to respect that over time. When he applies for an external listing, the add-on still goes through the same review process as any hosted one and there has yet to be any sort of issue that would put his status into question on that front. If there was you can be sure I would be on a crusade about it. Fuckin proof enough for you?
As others stated, he went to the trouble of creating something that never existed before just for you. Be greatful or be silent because you won't like the alternative consequences.
Is that understood?
- RealityRipple
- Astronaut
- Posts: 659
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: Inform user when 3rd party software installs plugin
The only guarantees I can provide are the VirusTotal scan, the digital signature I use on every program I write to ensure they aren't modified after leaving my computer, the source code, and the thousands of users that have downloaded my other software and not sounded any alarm.
Just to double-check, did the 404 problem go away on both GH and GL?
Basically the entirety of the extension is a 150-line dialog script and a 50-line overlay script. And the dialog script is only long because it's building XUL elements by hand. Most of it is extremely readable, even by people who don't know javascript:
A loop to find new plugins that runs every ten seconds
A loop to display them if the count of new (unblocked) plugins is greater than zero
And a loop to change a true/false preference to "true" when a plugin has been shown in a dialog, so it doesn't prompt you again.
Most the fiddly bits are localization strings. The only preferences accessed are easily found - "plugin.prompt.X" for the mentioned true/false value and "plugin.state.x" to turn the plugin on or off based on the user's selection in the dialog.
Just to double-check, did the 404 problem go away on both GH and GL?
Basically the entirety of the extension is a 150-line dialog script and a 50-line overlay script. And the dialog script is only long because it's building XUL elements by hand. Most of it is extremely readable, even by people who don't know javascript:
A loop to find new plugins that runs every ten seconds
A loop to display them if the count of new (unblocked) plugins is greater than zero
And a loop to change a true/false preference to "true" when a plugin has been shown in a dialog, so it doesn't prompt you again.
Most the fiddly bits are localization strings. The only preferences accessed are easily found - "plugin.prompt.X" for the mentioned true/false value and "plugin.state.x" to turn the plugin on or off based on the user's selection in the dialog.