
Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-19, 18:28
by New Tobin Paradigm
RealityRipple wrote:
2021-07-19, 17:16
A loop to find new plugins that runs every ten seconds
AFAIK the scan for system plugins only happens at startup. So a scan every 10 seconds seems a bit extreme. Even if it was the case that system plugins magically appear loaded up during a session.. How often is this gonna happen really.. Five or Ten minutes seems more reasonable.

Also, you might consider using the doorhanger or spawning an infobar instead of a specific window upon detection.. Both those notification facilities can allow you to have a button to open the full window anyway. Something other than an unpredictable popup modal window.

OR you could do it the way the Add-ons Manager does it for unexpected add-ons materializing in various locations and use in-content foreach.. Replicating or even abusing the existing page.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-19, 18:39
by RealityRipple
I tested installing Java in a VM while making this extension - the plugin installation happened live, while the browser was running. Otherwise, yeah, I would have kept it at startup only.

And yeah, I do want to go with a better, more passive notification option in the future. But I wanted to make sure the core functionality is clean and... well, functional, before adding other elements and features. So.. planned for v1.1.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-19, 18:43
by New Tobin Paradigm
Ah ok.. I kinda don't like that behavior. I have this thing against autoloading especially plugins.. Maybe something to pref around. I know back in the day a restart was required but okay.. I just couldn't remember. So maybe there is an observer that fires when new plugins are picked up.

Otherwise, I totally understand the foundational work concept. I use it myself.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-19, 19:49
by RealityRipple
The notification bar is way too tab-specific and leads to multiple possible wonky behaviors. I'll see about making a mockup similar to the "new extension from an unknown source" page instead.

Edit: Version 1.1 is released. New plugins will open a tab extremely similar to about:newaddon rather than a dialog window. Note that this version does not show a warning if an addon is "unsafe" at present, though it does hide the "Always" radio option. I'll probably include it again in v1.2 or some other point along the line.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-19, 23:43
by wannabegeek101
New Tobin Paradigm wrote:
2021-07-19, 15:54
RealityRipple despite the occasional arguments of scope is nevertheless an upstanding Extension Developer and largely dominates our selection of External listings. He also operates the mdn backup resource that preserves key info that is being purged from the internet by Mozilla.

He IS trustworthy but is also a free spirit who does their own thing and I have come to respect that over time. When he applies for an external listing, the add-on still goes through the same review process as any hosted one and there has yet to be any sort of issue that would put his status into question on that front. If there was you can be sure I would be on a crusade about it.
Okay, that's proof enough, thank you for the extension, RealityRipple, I will be installing it now :)
RealityRipple wrote:
2021-07-19, 17:16
Just to double-check, did the 404 problem go away on both GH and GL?
yes, but the dialog script you linked to still gives a 404 error
RealityRipple wrote:
2021-07-19, 19:49
Version 1.1 is released. New plugins will open a tab extremely similar to about:newaddon rather than a dialog window. Note that this version does not show a warning if an addon is "unsafe" at present, though it does hide the "Always" radio option. I'll probably include it again in v1.2 or some other point along the line.
Will the plugin auto-update to version 1.2? Also, if it ignores "unsafe" addons, doesn't that defeat the purpose? Or are "unsafe" addons disabled by default?
EDIT: Apologies, I misread that, I thought you were saying that it doesn't warn you that the plug-in got installed if it's an "unsafe" plug-in

Kind regards

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 00:19
by RealityRipple
The dialog page (popup.js) was removed in v1.1, replaced with newplugin.js, which is a browser page rather than a dialog.

I'm in the process of testing the addition of the same text you'd see in the Add-ons Manager for a "warned-about" plugin, placed below the "Install plugin only from authors whom you trust." message. It should be up in a half hour or less. Now available! And yes, all my extensions update through my website automatically using HTTPS, including providing a change log to the "View Recent Updates" section of the Add-ons Manager.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 07:30
by Moonchild
For the record, plugins are only actually loaded when content requests them - and they are unloaded again after a specific delay to free up resources. That has a number of advantages, not in the least saving resources and being able to have dynamic security of them.
Their enumeration, however, is done by watching a few locations for changes (including the registry) so it is a live update and regular checking would be required (unless you can do it through an observer, since that will just fire when something changes - probably the best way here, avoiding timer-based checks that can interfere by introducing jank in the browser operation)

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 09:20
by RealityRipple
I didn't see any existing observer-like things in nsIPluginHost, but I'd love to use one if possible - would I have to make my own duplicate filesystem/registry watcher? If so, got a handy file and line number I can refer to?

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 09:36
by New Tobin Paradigm
Adding code to fire an observer off when the plugins are refreshed should be trivial to add. I'll create an issue and maybe even see if I can copypasta the cpp from elsewhere or get Athenian200 to do it. One bit is that it would be fired regardless so you will have to still handle changes in the extension code to detect between new, changed, and removed plugins.

Either way, should be in the next release.
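
An added example (not part of the original posts and not the extension's own code): because a "plugins refreshed" notification fires regardless of what changed, the handler has to diff the current plugin list against a stored snapshot to separate new, changed and removed plugins. Plain objects with `name`, `filename` and `version` fields stand in for the plugin entries; `diffPlugins`, `indexByFile` and the sample data are hypothetical.

```javascript
// Added example: sort plugin-list changes into added / changed / removed.
// Entries are plain objects {name, filename, version}; real code would build
// them from whatever plugin enumeration the extension uses (assumption).

function indexByFile(tags) {
  const byFile = new Map();
  for (const t of tags) {
    byFile.set(t.filename, { name: t.name, filename: t.filename, version: t.version });
  }
  return byFile;
}

// previous === null means no snapshot has been stored yet (first run):
// record a baseline instead of reporting every installed plugin as new.
function diffPlugins(previous, current) {
  const result = { baseline: previous === null, added: [], changed: [], removed: [] };
  if (previous === null) return result;
  const before = indexByFile(previous);
  const after = indexByFile(current);
  for (const [file, tag] of after) {
    const old = before.get(file);
    if (old === undefined) {
      result.added.push(tag);
    } else if (old.version !== tag.version || old.name !== tag.name) {
      // Same file, different metadata: something replaced the binary.
      result.changed.push({ from: old, to: tag });
    }
  }
  for (const [file, tag] of before) {
    if (!after.has(file)) result.removed.push(tag);
  }
  return result;
}

// Constructed sample data: state at the last check vs. after an installer ran.
const lastSeen = [
  { name: "Example Media Plugin", filename: "npexmedia.dll", version: "1.0.0" },
  { name: "Example PDF Plugin", filename: "npexpdf.dll", version: "4.2" },
];
const now = [
  { name: "Example Media Plugin", filename: "npexmedia.dll", version: "1.1.0" },
  { name: "Example Runtime Plugin", filename: "npexruntime.dll", version: "8.0" },
];

const report = diffPlugins(lastSeen, now);
console.log(JSON.stringify(report, null, 2));
```

Only entries in `added` need a user prompt; `changed` and `removed` can be logged or shown in a review list.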

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 09:44
by RealityRipple
That'd be fantastic :thumbup:

I'll try to append it to the UDN docs page for whichever interface it gets attached to (guessing nsIPluginHost?) when it's been added, with a note on the PM version number that adds support.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 10:06
by New Tobin Paradigm
Welp, guess I don't need to do shit, awesome!

http://xref.palemoon.org/moonchild-central/source/platform/dom/plugins/base/nsPluginHost.cpp#2303

You will still likely want to check on startup and also watch the various preferences like the global npapi disabled pref.

I THOUGHT I saw it but it isn't in the reload plugins function but that one.

I think the behavior as follows should be: Your in-content page should not be one page per but a single page with a list but in the same style and just show on startup. However, in-session changes should show a door hanger that indicates plugins have changed with an ok button and a review button.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 10:18
by RealityRipple
Interesting. "plugins-list-updated" didn't show up anywhere in the docs. Time to do some rewriting.

What's the global npapi disabled pref named? I knew you could disable scanning, but not plugins in general. Nvm. plugin.disable is what you mean, yeah?


Edit: tried using this event, it doesn't really trigger in a timely fashion, unless I call reloadPlugins on a timer, which essentially changes nothing. It looks like it only happens when something calls the reloadPlugins function (disabling mPluginsLoaded), like viewing the list of plugins or opening a page that uses plugins (or maybe accesses the list of plugins from navigator, not sure).

Re: Inform user when 3rd party software installs plugin

Posted: 2021-07-20, 10:29
by New Tobin Paradigm
plugin.disable

Re: Inform user when 3rd party software installs plugin

Posted: 2021-08-02, 08:22
by wannabegeek101
New Tobin Paradigm wrote:
2021-07-19, 15:54
When he applies for an external listing, the add-on still goes through the same review process as any hosted one
Just wondering, what is the review process for addons and extensions hosted on addons.palemoon.org? (I'm not asking about RealityRipple's addons)

Re: Inform user when 3rd party software installs plugin

Posted: 2021-08-02, 09:02
by New Tobin Paradigm
It is manually inspected by the Add-ons Team and also tested. This includes many things like if it is a fork verifying it is on the level re: intellectual property.. Checking to see if it does what it claims to do and looking for bullshit.

If you have a specific question regarding the review process then I can get more detailed but suffice it to say there are many tangible and even intangible aspects to be considered in approving something.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-08-02, 09:42
by wannabegeek101
New Tobin Paradigm wrote:
2021-08-02, 09:02
It is manually inspected
Meaning the source code is manually inspected? Are the updates inspected?
Also, has malware/spyware ever managed to get onto the addons store?

Re: Inform user when 3rd party software installs plugin

Posted: 2021-08-02, 10:50
by Moonchild
wannabegeek101 wrote:
2021-08-02, 09:42
Meaning the source code is manually inspected?
Yes. You know, by people.
wannabegeek101 wrote:
2021-08-02, 09:42
Are the updates inspected?
Generally, yes - at least spot checks.
wannabegeek101 wrote:
2021-08-02, 09:42
Also, has malware/spyware ever managed to get onto the addons store?
What "store" are you talking about? I see no store. You can't buy anything. :P
I'm not aware of any malware/spyware having been published on our add-ons site and if it has been, it would have been very short-lived.

Re: Inform user when 3rd party software installs plugin

Posted: 2021-08-02, 18:25
by New Tobin Paradigm
Things have changed though since the year started. The extensions are checked more closely. There is now an activity log in place that records entries for major actions.

In the past beyond a cursory check we trusted that extension developers acted in good faith until proven otherwise but that has been shifting. You can largely thank JustOff for the increased scrutiny and basic logging of main actions performed and the audit of riiis for more strict checking of intellectual property.

We also used to have a user level (Level 2 - Advanced) for trusted long standing and prolific developers to be able to have their new submissions active and unlisted until review with the option of having unlisted add-ons in general. We no longer allow that. This level also used to allow submission with add-on id to contain blacklisted elements.

In the future even updates will have to be approved not just submissions. Right now they are monitored by use of the log and of course user scrutiny. Since this thread started some serious thought has also been given to the external listings we have had from the beginning. A final decision on that will be coming in the near future.

In addition, there is a good chance that the blocklist will be managed either directly or exported with the Add-ons Site Software as well. However, human control and judgement will always be key to the process as we will not spend time creating piss poor and ineffective automated junk that doesn't work leading to a throw your hands up and free-for-all except for a handful of top favorites situation AMO has ended up with.

As that happens we will be looking to add a few more people to the Add-ons Team so that the work does not become overwhelming to Ryan and FranklinDM.

As for malware.. We have never had TRUE malware get through the review process. The closest to skate those lines was JustOff's original "migration-off-the-service" solution. Though not tangibly malware technologically how it did it was very malware like and abused the automatic updates service to push it and did its thing without regard to user consent or even knowledge and "cleaned up" after itself after it did it. This was morally out of line and he eventually acceded to demands to do it properly.

The only other user to be banned forever was srazzano who was a respected Firefox extension developer who was also respected by us until he started pushing out broken versions of his extensions that busted the main window and refused to fix the issues. He was banned for this after being asked and refused then became unresponsive. Sometime later he bandodged and tried to re-submit the same broken extensions and thus he remains the first person to be not only banned but the only person hardcoded in the software directly as banned forever.

JustOff also was hardcoded into the software to foster his migration off the service but it was more a case of special handling of his extensions not his user account. However, that logic was removed later along with his extensions from our datastore.

In the end this is really off-topic to this thread as this thread is about npapi plugins. Also, keep in mind that since you have pressed for specifics on our internal practices and policies you best not crash up against them because you now have even less excuse than others. I hope that is well understood.