Closed
Bug 744534
Opened 13 years ago
Closed 12 years ago
Security Review Click to Play Plugins
Categories
(mozilla.org :: Security Assurance: Review Request, task, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: curtisk, Assigned: curtisk)
Details
(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:52::Medium])
Who is/are the point of contact(s) for this review?
Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
Does this request block another bug? If so, please indicate the bug number.
This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
Are there any portions of the project that interact with 3rd party services?
Will your application/service collect user data? If so, please describe
If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Repeating an earlier comment I was told to bring up in sec-review:
At present, the permission is just "plug-ins enabled" as opposed to "plug-in Foo enabled". I think plug-ins should be enabled on a per plug-in type basis. It's relatively rare for a site to use multiple different plug-ins, so the case where a user wants to enable e.g. both Flash and Java for a site should be rare. However, if a site has managed to bait me into enabling Flash for the site in order to watch a video, I don't want Java-based exploit kits that someone has dropped on the site to activate, too.
(In reply to Henri Sivonen (:hsivonen) from comment #1)
> I think plug-ins should be enabled on a per plug-in type basis.
Indeed - we have bug 746374 for this.
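The difference between a site-wide "plug-ins enabled" permission and a per plug-in type permission, as an added example that is not part of the bug or of Firefox's code. The class names, the host `video.example` and the embed list are constructed for illustration.

```javascript
// Hypothetical permission stores (illustration only, not Firefox code).

// Coarse model: a single "plug-ins enabled" flag per site.
class CoarsePermissions {
  constructor() { this.sites = new Set(); }
  allow(host) { this.sites.add(host); }          // plugin type is ignored
  isAllowed(host) { return this.sites.has(host); }
}

// Fine model: one grant per (site, plugin type) pair.
class PerPluginPermissions {
  constructor() { this.grants = new Map(); }     // host -> Set of plugin types
  allow(host, pluginType) {
    if (!this.grants.has(host)) this.grants.set(host, new Set());
    this.grants.get(host).add(pluginType);
  }
  isAllowed(host, pluginType) {
    const types = this.grants.get(host);
    return types !== undefined && types.has(pluginType);
  }
}

// For each embed on a page, decide whether it loads or stays click-to-play.
function activationPlan(perms, host, embeds) {
  return embeds.map((e) => ({
    id: e.id,
    pluginType: e.pluginType,
    action: perms.isAllowed(host, e.pluginType) ? "activate" : "click-to-play",
  }));
}

// Constructed page: the video the user wanted plus an applet they never asked for.
const host = "video.example";
const embeds = [
  { id: "player", pluginType: "flash" },
  { id: "applet", pluginType: "java" },
];

function compareModels() {
  const coarse = new CoarsePermissions();
  const fine = new PerPluginPermissions();
  coarse.allow(host, "flash");   // user chose "Always activate" for the video
  fine.allow(host, "flash");
  return {
    coarse: activationPlan(coarse, host, embeds),  // applet activates as well
    fine: activationPlan(fine, host, embeds),      // applet stays click-to-play
  };
}
```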
Comment 4•13 years ago
assigning to :jaws as he is current owner of blocked bug
Assignee: curtisk → jaws
Comment 5•12 years ago
:jaws - We need more info to triage and assign this bug
Severity: normal → blocker
Priority: -- → P5
Whiteboard: [pending secreview][needs info]
Comment 6•12 years ago
(In reply to Curtis Koenig [:curtisk] from comment #0)
> Who is/are the point of contact(s) for this review?
Myself and David Keeler
> Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):
The feature, when enabled, blocks the loading of plugins until the user has chosen to activate the plugins on the page.
> Please provide links to additional information (e.g. feature page, wiki) if
> available and not yet included in feature description:
https://wiki.mozilla.org/Opt-in_activation_of_plugins_%28click_to_play_plugins%29
> Does this request block another bug? If so, please indicate the bug number
> This review will be scheduled amongst other requested reviews. What is the
> urgency or needed completion date of this review?
This feature is needed for our new plugin softblocking mechanism.
> Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
> Does this feature or code change affect Firefox, Thunderbird or any product
> or service the Mozilla ships to end users?
Firefox
> Are there any portions of the project that interact with 3rd party services?
Not directly, but the plugin softblocking code will interact with our blocklist API.
> Will your application/service collect user data? If so, please describe
If users want to "Always activate" plugins for a site, then their preference will be remembered locally. This uses our standard permissions storage system, which is used for geolocation and cookie permissions.
Updated•12 years ago
Assignee: jaws → nobody
Whiteboard: [pending secreview][needs info] → [pending secreview][triage needed]
Comment 7•12 years ago
I will get this scheduled as soon as possible
Assignee: nobody → curtisk
Status: NEW → ASSIGNED
Comment 8•12 years ago
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 3 (P3) - Overall Mozilla Quarterly Goal
Operational: 0 - N/A
User: 5 - Blocker
Privacy: 0 - N/A
Engineering: 3 - Major
Reputational: 5 - Blocker
Priority Score: 52
Priority: P5 → P3
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:52::Medium]
Comment 9•12 years ago
:jaws - can you take a look at the sec-review calendar and let me know a date/time that works for you?
https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html
This should be pretty straightforward and we just need to get it on the schedule.
Flags: needinfo?(jaws)
Updated•12 years ago
Due Date: 2012-10-31
Updated•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Status: RESOLVED → VERIFIED