Per our Flash (plugin) deprecation roadmap, we'll disable Flash by default in Nightly 69 and let that roll out.

In Firefox 69, we will remove Firefox's:

• "Always Activate" Flash option in about:addons
  • If Flash's click-to-activate setting was previously "Always Activate" or "Ask to Activate", it should now be "Ask to Activate".
  • If Flash's click-to-activate setting was previously "Never Activate", it should still be "Never Activate". However, if this is difficult to implement, we can reset everyone's Flash click-to-activate setting to "Ask to Activate".
• "Remember this decision" from the Flash click-to-activate door hanger. We want prompt users every time a site wants to activate Flash in each browser session.
  • But we want Firefox 69+ to remember sites that the user had checked "Remember this decision" in earlier Firefox versions. (Firefox only remembers the door hanger decision for 90 days, so these remembered site permissions will all phase out over 90 days.)

Priority P1 and 69=affected because we plan to fix this bug in Firefox 69.

Somehow I volunteered to do this, so taking...

Is there a broader plan for what we want here? Some questions that spring to mind (which perhaps are answered in such a doc somewhere):

0. I'm assuming we want to actually make this completely impossible, not just remove the UI and keep support for the internal "always run this plugin" state?
1. do we need a pref to turn off this restriction if we uncover too many issues?
2. we still have a flash_only pref that allows other plugins to be used - in this bug, do we just want to remove support for "always run" for all plugins?
3. can we remove support for the flash_only pref except when running automated tests (to reduce the testing/complexity matrix), or is that not possible at the moment?
4. do existing users get this change applied, and/or do we need to notify them in any way beyond relnotes?

(In reply to :Gijs (he/him) from comment #4)

Is there a broader plan for what we want here? Some questions that spring to mind (which perhaps are answered in such a doc somewhere):

No, but I'll create a doc that consolidates all these answers:

https://docs.google.com/document/d/1U5uHskPkJIUkASwLI6uVdFl2s0MM6dfPzCAoT0Bftms/edit

0. I'm assuming we want to actually make this completely impossible, not just remove the UI and keep support for the internal "always run this plugin" state?

Good question! I hadn't thought of that.

We had planned to just remove the UI to prevent setting new always-allow site permissions and then let users' existing always-allow site permissions quietly expire after 90 days. But we should probably remove Gecko's always-run Flash code (somewhere in dom/plugins/base) now so Firefox Nightly users can actually experience the always-ask Flash UX now. If there are Flash issues, we want to find them during Nightly testing, not 90 days from now. :) We'll also need to remove any Flash code in the Site Permissions UI.

However, we do not want to remove always-run support for the dummy NPAPI test plugin (used for our automated NPAPI tests), Widevine, or OpenH264! Widevine and OpenH264 are GMPs (Gecko Media Plugins), not NPAPI plugins, so they might use a different code path. Just something to watch for.

1. do we need a pref to turn off this restriction if we uncover too many issues?

I don't think we need a pref. Chrome has shipped a similar always-ask UX since September 2018, so there should not be any Flash sites that cause problems in Firefox but not Chrome:

https://sites.google.com/a/chromium.org/dev/flash-roadmap#TOC-Non-Persisted-HTML5-by-Default-Target:-Chrome-69---September-2018-

2. we still have a flash_only pref that allows other plugins to be used - in this bug, do we just want to remove support for "always run" for all plugins?
3. can we remove support for the flash_only pref except when running automated tests (to reduce the testing/complexity matrix), or is that not possible at the moment?

Flash and the dummy NPAPI test plugin are the only NPAPI plugins we support. Widevine and OpenH264 are also "plugins" but we do not want to remove their always-allow support.

The flash_only pref should only be used for our automated NPAPI tests, so we can disable or remove the pref in non-test code paths, as long as disabling it doesn't affect Widevine or OpenH264.

4. do existing users get this change applied, and/or do we need to notify them in any way beyond relnotes?

All users should get this change. We don't need to notify users.

I've tried to summarize in the following doc my current understanding of what we would like do. Feel free to add comments or questions.

https://docs.google.com/document/d/1U5uHskPkJIUkASwLI6uVdFl2s0MM6dfPzCAoT0Bftms/edit

Johann, can you help me understand how this code:

https://searchfox.org/mozilla-central/rev/153172de0c5bfca31ef861bd8fc0995f44cada6a/browser/modules/SitePermissions.jsm#940-943

fits into the permissions page in the page info dialog, and whether I need to change something there? It looks to me like right now, allowing flash without ticking the 'remember' checkbox shows up as "allow", and this permission is simply gone (because it's a per-session permission) after a restart -- but some other permissions in the page info dialog have an "allow for session" option; does something need to change as part of this bug or not (or only to make it slightly more correct, but kind of orthogonal to this bug) ?

(TL;DR for this bug: we want to remove the ability to permanently/persistently allow flash to play, including all the UI to that effect.)

Yeah, so, the plugin permissions in the doorhanger are set here: https://searchfox.org/mozilla-central/rev/153172de0c5bfca31ef861bd8fc0995f44cada6a/browser/base/content/browser-plugins.js#143

What that code does is if you simply click "allow" it will set a session scoped permission to allow Flash.

This works independently of SitePermissions.jsm, but after the permission is updated the SitePermissions stuff is needed to display the correct permission state in the identity popup and page info.

As you noted, PageInfo lists all states for each permission as they are specified in SitePermissions.jsm. Then it tries to select one of them and that part is a little wrong for at least plugins. We fetch state and scope here, but then continue to only consider state when selecting an item. So we select "Allow" when there really should be an "Allow for Session" item.

but some other permissions in the page info dialog have an "allow for session" option

Only cookies has that and it's an entirely independent permission state, not denoted by its permission scope. It's very confusing.

(TL;DR for this bug: we want to remove the ability to permanently/persistently allow flash to play, including all the UI to that effect.)

Then I would suggest just dropping that option from the doorhanger (see link above) and renaming "Allow" into "Allow for session" for plugins in Page Info (the identity popup should already correctly display "Temporarily Allowed").

Do you want to keep supporting previous permanent ALLOW entries for plugin permissions in the permission manager? Then we might need a bit of hackery to have Allow as an unselectable? option there, too.

I hope that helps!

Depends on D34212

Depends on D34213

Depends on D34214

Depends on D34215

Depends on D34216

Depends on D34217

Green try for all but the topmost (permission popup / page info code removal) cset:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=24a53529f6e5c4c87d76d96111127fea6379c56d

Try including that last cset shows xpcshell error which is fixed in the next update to that cset:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=e52231ef1615872c8b6a01d3576295a0b06c1254

Release Note Request (optional, but appreciated)
[Why is this notable]: flash can't be set to always activate anymore
[Affects Firefox for Android]: I don't think so, but there's also no fennec 69 so kind of moot
[Suggested wording]:
[Links (documentation, blog post, etc)]:

[Affects Firefox for Android]: I don't think so, but there's also no fennec 69 so kind of moot

That's correct. We dropped Android support for Flash a couple years ago (2017 bug 1381916).

[Suggested wording]:

Always ask for user permission before activating Flash on a website.

[Links (documentation, blog post, etc)]:

Mozilla's Plugin Roadmap:
https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

Backed out for mochitest failures e.g. test_bug1165981.html

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&revision=b7340dfe4325f8beb09a1a4cbfeae383f69d14bf&selectedJob=251468474

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=251468474&repo=autoland&lineNumber=3249

Backout: https://hg.mozilla.org/integration/autoland/rev/28c26b4a8e989d134458a65c746d361adfefed03

It turns out that (a) we have mochitest-plain plugin tests, and (b) they rely on setting plugin.enabledState to 'enabled', from the content process, to enable plugins. Which broke because for click-to-play flash, it's no longer possible to do that. What they should be doing is giving themselves permission, but that's easier said than done...

https://treeherder.mozilla.org/#/jobs?repo=try&revision=0894d3275aeb85e877c82ae2006695d99fd9db6c

https://hg.mozilla.org/mozilla-central/rev/38fc0d299eb0
https://hg.mozilla.org/mozilla-central/rev/96fe8a446f82
https://hg.mozilla.org/mozilla-central/rev/6fc16812b039
https://hg.mozilla.org/mozilla-central/rev/60f078cb766e
https://hg.mozilla.org/mozilla-central/rev/d09f4e29a628
https://hg.mozilla.org/mozilla-central/rev/fce03ecd272a
https://hg.mozilla.org/mozilla-central/rev/7a3feaf795b3

Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/flash-player-can-no-longer-always-be-activated/

Added to the Fx69 Beta release notes.

(In reply to Kohei Yoshino [:kohei] (Bugzilla UX) (FxSiteCompat) from comment #25)

Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/flash-player-can-no-longer-always-be-activated/

The page has the options reversed. It says, Firefox 69 has removed the “Always Activate” option from the page notification dialog and the “Remember this decision” option from the Add-on Manager.
Actually, the “Always Activate” option was removed from the Add-ons Manager and the “Remember this decision” option
was removed from the page notification dialog (described in comment 1 as the click-to-activate door hanger).