User.js: disable Flash and Java

What's so important about matching PK?

• default state for new plugins (1801) = disabled state (on first discovery)
• windows only: plugin.scan.plid.all-false
• if they have a plugin = click to play and 0 minutes long allowance (thats a per domain time I think)

I don't mind making flash active because it doesn't impact me at all. I'm thinking more of end users. If they want flash they already have limitations - although TBH, of the three bullet points above, the first discovery is probably past and doesn't change anything (this was for back in the day when any tom dick and harry could create plugins), and secondly they may not be a windows users - so yeah, I don't mind flipping it.

As you know I did a comparison. The java one stuck out (same reasons, we already put roadblocks in place, and we trimmed it up). What plugins are allowed now - I thought we were down to just Flash (but not on 64bit). Yes, I know we have stinky old 9-releases of ESR52 to put up with - but isn't java unavailable in FF - or have I gotten confused with something else?

from the user.js 1805

Used to detect RealPlayer, Java, Antivirus etc, but since FF52 only covers Flash

Does that mean the plid pref only detects/stops flash being loaded, but you can still add java and AV etc

Ahh... : https://support.mozilla.org/en-US/questions/1176670

Beginning in Firefox 52+, NPAPI plugins like Silverlight, Java, Adobe Acrobat will no longer work but if you still require other plugins, you can download the ESR version of Firefox which will continue supporting NPAPI plugins until late 2018.

So for 1.9 releases we'll add java and then remove it once ESR52 is finally EOL?

So what about silverlight and other NPAPI on ESR?

With no disrespect to PK...
But I love ghacks and you all because of mindset is similar to mine. Be and stay yourself, please.
:heart:

/* 1803: disable Flash, Java and other NPAPI plugins (Add-ons>Plugins)
...

^^ add something about NPAPI plugins stopped in FF52+ stable and will end with ESR52.x
^^ add something about plugin.state in about:config - because there's more than those two, eg "plugin.state.silverlight" exists, and what about all those pesky AV plugins (do they still do those or just intercept https traffic like a MitM)? Although the Add-ons>Plugins is much the same as about:config I assume, IDK, haven't had anything in there for years)

So IDK, not against changing stuff to help all the people hanging out on ESR

how about this

/* 1803: disable Flash, Java and other NPAPI plugins (Add-ons>Plugins)
 * 0=deactivated, 1=ask, 2=enabled
 * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable branch only supports Flash
 * [NOTE] You can still over-ride individual sites e.g. youtube via site permissions
 * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/
user_pref("plugin.state.flash", 0);
user_pref("plugin.state.java", 0); // check plugin.state* for other NPAPIs
user_pref("plugin.state.silverlight", 0);

"plugin.state.silverlight" exists

does it? It's not in my ESR and nothing on DXR either. There's only .java and .flash left from what I can tell

it gets created if you have the plugin - or at least it did, search google for "plugin.state.silverlight" with quotes.

You make some good points and thanks for the quoted link explaining the NPAPI in ESR thingy.
If ESR still supports a number of plugins maybe it's best to wait with changing this just yet, IDK.
I mainly wanted to add the java pref because I saw that it'll get removed in FF62 and that way we'll have a record of it (in 9999). Also makes it easier when comparing our user.js with PK's or other user.js'.

https://support.mozilla.org/en-US/questions/1023380 (2014 old but shows how it works)

plugin.state.adobepdfviewernpapi: 2
plugin.state.default browser: 2
plugin.state.flip4mac wmv plugin: 2
plugin.state.google earth web plug-in: 0
plugin.state.googletalkbrowserplugin: 0
plugin.state.iphotophotocast: 0
plugin.state.java: 2
plugin.state.mathematica: 2
plugin.state.npgtpo3dautoplugin: 0
plugin.state.o1dbrowserplugin: 0
plugin.state.quicktime plugin: 2
plugin.state.realplayer plugin: 2
plugin.state.silverlight: 0

quicktime would be another fairly common one. I didn't mean we need to list em all, hence the comment after the java pref line. We can drop the silverlight line if you want - just want users to KNOW there could be more and that the two we list are not all of them

But for sure, the java is good because its well spread, and I agree making them active is good, because not everything is click to play either (I think) - eg flash can be used for font FP without clicking anything, and non window users have no real fallback if its on their machine

Actually, if we drop the silverlight line, then when the java line gets moved the relevant "other* napi comment with it also moves and nothing is left except the relevant flash. So I'll commit that and close, If you're unhappy, reopen :)

nit 1: I don't like the title in your draft because the 2 listed prefs don't disable "other NPAPI plugins". maybe just 1803: disable plugins (Add-ons>Plugins)

We can drop the silverlight line if you want

:+1:

// check plugin.state* for other NPAPIs

nit 2: I'd prefer to have this in the header instead of behind the pref

ESR52.x is the last branch to fully support NPAPI, FF52+ stable branch only supports Flash

this is great :+1: :+1:

/* 1803: disable NPAPI plugins (Add-ons>Plugins)
 * 0=deactivated, 1=ask, 2=enabled
 * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash
 * [NOTE] You can still over-ride individual sites e.g. youtube via site permissions
 * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/
user_pref("plugin.state.flash", 0);
user_pref("plugin.state.java", 0); // check plugin.state* for other NPAPIs

Just change the title to NPAPI. When the java line moves to deprecated then there's nothing else to do. PS, I dropped the word "branch" for FF52+ since FF60+ branch also supports NPAPI

or if you really want, we could move the // check plugin.state* for other NPAPIs to a line in the description. I just don't think it's worth it when it becomes deprecated in 10 weeks or so

Just change the title to NPAPI.

yeah that's better

When the java line moves to deprecated then there's nothing else to do.

at that point we can change the title to "disable Flash plugin" and remove the line(s) about ESR.

or if you really want, we could move the // check plugin.state* for other NPAPIs to a line in the description. I just don't think it's worth it when it becomes deprecated in 10 weeks or so

but that line is not directly related to other NPAPI plugins because they are already no longer supported in stable. How about this?

/* 1803: disable NPAPI plugins (Add-ons>Plugins)
 * 0=deactivated, 1=ask, 2=enabled
 * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash
 * [NOTE] ESR52 users should check plugin.state* for other installed NPAPI plugins.
 * [NOTE] You can still over-ride individual sites e.g. youtube via site permissions
 * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/
user_pref("plugin.state.flash", 0);
user_pref("plugin.state.java", 0);

When the java line becomes deprecated, we can do whatever we like - I wouldn't remove any lines, its just that some would move to section 9999