Should Flash plug-in be activated by default in new profile?
- Mo_D
- Posts: 774
- Joined: January 4th, 2006, 6:34 pm
Should Flash plug-in be activated by default in new profile?
I have the Flash plug-in installed in my main profile and set to “never activate”. If I create a new profile, Flash is automatically set to “always activate”. That seems counter-intuitive to Mozilla’s policy towards blocking Flash by default.
The other issue I noticed is that in my main profile, the Flash version is marked as outdated and vulnerable. In the new profile, there is no such indication, although it is the same version.
These two issues combined seem a little dangerous.
This may become irrelevant once Firefox goes click-to-play on Flash content, but for people running older versions, I thought it was worth mentioning.
The other issue I noticed is that in my main profile, the Flash version is marked as outdated and vulnerable. In the new profile, there is no such indication, although it is the same version.
These two issues combined seem a little dangerous.
This may become irrelevant once Firefox goes click-to-play on Flash content, but for people running older versions, I thought it was worth mentioning.
- Happy112
- Posts: 485
- Joined: April 15th, 2017, 10:25 am
- Location: Never-Never-Land
Re: Should Flash plug-in be activated by default in new prof
Hi Mo_D !
Complete stab in the dark, but could it be that your Flash is now up to date : Flash Player - latest version 25.0.0.148 and
Shockwave Flash - latest version 25.0.r0 ?
That would explain why it's no longer marked as outdated and vulnerable.
But again : complete stab in the dark .....
Complete stab in the dark, but could it be that your Flash is now up to date : Flash Player - latest version 25.0.0.148 and
Shockwave Flash - latest version 25.0.r0 ?
That would explain why it's no longer marked as outdated and vulnerable.
But again : complete stab in the dark .....
- Grumpus
- Posts: 13246
- Joined: October 19th, 2007, 4:23 am
- Location: ... Da' Swamp
Re: Should Flash plug-in be activated by default in new prof
From what I've read Flash is a default in the newer Windows versions (52 +) of Firefox with a number of other plugins disabled.
If you had VLC or Quicktime in the plugins list they would not show unless you had added the boolean item plugin.load_flash_only in about:config set to false.
If you had VLC or Quicktime in the plugins list they would not show unless you had added the boolean item plugin.load_flash_only in about:config set to false.
Doesn't matter what you say, it's wrong for a toaster to walk around the house and talk to you
- therube
- Posts: 21714
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Should Flash plug-in be activated by default in new prof
A nice feature, IMO, would be to have available "global" Prefs, such that a new Profile follows such global Prefs rather then any other defaults.
In particular, pertaining to updating.
If you disable updates, then open a new Profile, by default, updates are enabled, & until such time as you manually disable updating in that new Profile, you are subject to have an update queue, such that when you return to your original Profile - with updates disabled, you will get updated nonetheless.
So a way to globally disable updates, or set Flash to disabled, would be nice.
about:plugins still show the path to the Flash plugin?
Make sure it is the expect file in the expected location.
Could be that when you installed the Flash update, that Flash was in use in the main browser, & until you restart the browser...
In particular, pertaining to updating.
If you disable updates, then open a new Profile, by default, updates are enabled, & until such time as you manually disable updating in that new Profile, you are subject to have an update queue, such that when you return to your original Profile - with updates disabled, you will get updated nonetheless.
So a way to globally disable updates, or set Flash to disabled, would be nice.
about:plugins still show the path to the Flash plugin?
Make sure it is the expect file in the expected location.
Could be that when you installed the Flash update, that Flash was in use in the main browser, & until you restart the browser...
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- Happy112
- Posts: 485
- Joined: April 15th, 2017, 10:25 am
- Location: Never-Never-Land
Re: Should Flash plug-in be activated by default in new prof
Probably a redundant remark, but as of Firefox release version 52, support for ALL plugins was dropped, EXCEPT for Flash.
Personally, I think it's rather user-friendly having the choice to set Flash to either 'always activate' or 'never activate'.
Personally, I think it's rather user-friendly having the choice to set Flash to either 'always activate' or 'never activate'.
- Mo_D
- Posts: 774
- Joined: January 4th, 2006, 6:34 pm
Re: Should Flash plug-in be activated by default in new prof
I certainly understand your reasoning, but a new profile is used to diagnose issues and is expected to be in a particular default state. Having individual preferences available would throw a monkey wrench in to that diagnosis process.therube wrote:A nice feature, IMO, would be to have available "global" Prefs, such that a new Profile follows such global Prefs rather then any other defaults.
Yes, I found this out the hard way. No big deal for me, but it could be a big deal for some people. Again, it's not necessarily expected behavior. If you think it through, it makes sense, but the average user might not expect it.therube wrote:In particular, pertaining to updating.
If you disable updates, then open a new Profile, by default, updates are enabled, & until such time as you manually disable updating in that new Profile, you are subject to have an update queue, such that when you return to your original Profile - with updates disabled, you will get updated nonetheless.
Main profiletherube wrote:about:plugins still show the path to the Flash plugin?
Make sure it is the expect file in the expected location.
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Disabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 25.0 r0
New profile
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0
Current Mac version available from Adobe.com: 25.0.0.163
Not sure what you mean by that. Maybe the info I copy/pasted above from about:plugins will answer your question.therube wrote:Could be that when you installed the Flash update, that Flash was in use in the main browser, & until you restart the browser...
-
- Posts: 1504
- Joined: October 1st, 2014, 3:25 pm
Re: Should Flash plug-in be activated by default in new prof
Sounds like your main profile has a recently updated blocklist, while the new profile doesn't (yet).
- Mo_D
- Posts: 774
- Joined: January 4th, 2006, 6:34 pm
Re: Should Flash plug-in be activated by default in new prof
I assume that update would run on launch, or 2nd launch, like software update? But it didn't. Or maybe only 24 hours later since the blocklists are updated daily?barbaz wrote:Sounds like your main profile has a recently updated blocklist, while the new profile doesn't (yet).
This new profile was created today, but I noticed the same thing on a new profile I created yesterday. I deleted yesterday's profile yesterday after I finished the test I was doing. I'll launch this new one tomorrow and see if it updates.
That's all somewhat academic. The vulnerability still remains. I imagine others like me rarely update Flash anymore since I rarely use it. Someone could launch a new profile with a very old version of Flash automatically activated.
- therube
- Posts: 21714
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Should Flash plug-in be activated by default in new prof
Well there you are.127
You are out of date.
(I wouldn't know about Mac.)
Maybe the new Profile just hasn't gotten around to updating blocklist.xml.In the new profile, there is no such indication
Compare blocklist.xml between old & new.
(Or maybe just sear blocklist.xml for, 25.0.0.127 - it should be there.
Do this with FF closed, cause if you open it, it might update .)
Flash can't update if it is in use.Not sure what you mean by that.
So it will wait, could wait, until the next browser restart, & if you're the type that doesn't restart...
(At least it's like that in Windows. I wouldn't know about Mac.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- Happy112
- Posts: 485
- Joined: April 15th, 2017, 10:25 am
- Location: Never-Never-Land
Re: Should Flash plug-in be activated by default in new prof
Well there you are.therube wrote:127
You are out of date.
Please, see my earlier post : the latest version of Flash Player is 25.0.0.148
- therube
- Posts: 21714
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Should Flash plug-in be activated by default in new prof
Right.
But at the time, we didn't know what actual version Mo_D was running.
But at the time, we didn't know what actual version Mo_D was running.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- Mo_D
- Posts: 774
- Joined: January 4th, 2006, 6:34 pm
Re: Should Flash plug-in be activated by default in new prof
You guys are killing me. I have already posted the version of Flash I am running, and the most recent version available for Mac (which is the OS I am running). Get past that. We could be talking about any outdated plug-in.
There’s a reason I posted this in General instead of Support. I’m not looking for help, I’m pointing out a vulnerability made possible from creating a new profile.
In addition, I’m questioning whether Mozilla has this set up in the best (safest) possible way.
There’s a reason I posted this in General instead of Support. I’m not looking for help, I’m pointing out a vulnerability made possible from creating a new profile.
In addition, I’m questioning whether Mozilla has this set up in the best (safest) possible way.
- therube
- Posts: 21714
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Should Flash plug-in be activated by default in new prof
If you consider Flash dangerous, then no.
Anyhow, did you check your blocklist.xml?
Anyhow, did you check your blocklist.xml?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- Happy112
- Posts: 485
- Joined: April 15th, 2017, 10:25 am
- Location: Never-Never-Land
Re: Should Flash plug-in be activated by default in new prof
You're right. Sorry. Speaking for myself : I'll stay off your back.Mo_D wrote:You guys are killing me. I have already posted the version of Flash I am running, and the most recent version available for Mac (which is the OS I am running). Get past that. We could be talking about any outdated plug-in.
And thank you for that !!!There’s a reason I posted this in General instead of Support. I’m not looking for help, I’m pointing out a vulnerability made possible from creating a new profile.
Would you consider posting this here :In addition, I’m questioning whether Mozilla has this set up in the best (safest) possible way.
https://qsurvey.mozilla.com/s3/FirefoxInput/
- Mo_D
- Posts: 774
- Joined: January 4th, 2006, 6:34 pm
Re: Should Flash plug-in be activated by default in new prof
I did not. I forgot to do that before I deleted the profile. What I did do was open the profile this morning to see if Flash was marked as outdated, and it still was not. Then I visited mozilla.org and support.mozilla.org to see if that would trigger a blocklist update. It did not. Then I visited youtube and played a video. In the past, when I still used Flash regularly, this would normally trigger a notification that an update was available. But this did not trigger a blocklist update either. Finally, I visited adobe.com and played a video there. After visiting adobe, then the plug-in was marked as outdated, which I assume means the blocklist would have been updated if I had checked it.therube wrote: Anyhow, did you check your blocklist.xml?
So the blocklist process is still a bit of a mystery to me. I know it's updated once daily, and is supposed to be updated at startup. Beyond that, I dunno. Whatever the process, it seems too slow to save you in the scenario I'm describing. It seems to me that a fresh blocklist should be fetched on launch of a new profile. Even copying the existing blocklist seems like it would be preferable. If I’m correctly parsing what is happening, a blocklist is not downloaded until it is triggered by a script from adobe.com, or a certain amount of time (24 hours?) has passed.
This is from my current profile: blocklist lastupdate="1483471392954" What the heck is that? How many seconds ago? Out of curiosity, I just created another new profile and it has the same exact number. And the Flash plugin is still not shown as outdated. Searching for “25.0.0.” within the blocklist turns up no results. There are multiple items that appear to relate to Flash, so I can’t tell which is the right one.
I don’t need to know how all this works, but I am a little curious now. I’m sure there’s documentation somewhere…