Closed Bug 810984 Opened 12 years ago Closed 12 years ago

Please update Flash & Java CTP block for Firefox 17 release

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: lsblakk, Assigned: jorgev)

References

Details

(Whiteboard: [plugin]) 

+++ This bug was initially created as a clone of Bug #803152 +++

Our collective decision on bug 800018 was to remove CTP blocklisting of Flash for the 17 release.

Here is the excerpt that matters for this bug:

* We will not CTP block *any* Flash versions in the FF17 timeframe. We will, however, CTP block:
** Java Plugin 6 updates 33 through 36 (click-to-play), Linux
** Java Plugin 6 updates 36 and lower (click-to-play), Mac OS X
** Java Plugin 6 updates 33 through 36 (click-to-play), Windows
** Adobe Reader 10.0 to 10.1.3
** Adobe Reader 9.5.1 and lower
** Silverlight 5.0 to 5.1.10410.0
** Silverlight 4.1.10328.0 and lower
I updated the staged Flash CTP blocks so they only apply to 18.0 and above.

QA, please verify.
Keywords: qawanted
(In reply to Jorge Villalobos [:jorgev] from comment #1)
> I updated the staged Flash CTP blocks so they only apply to 18.0 and above.
> 
> QA, please verify.

Not OK.
Flash is NOT blocked on FF 17.
Flash is NOT blocked on FF 18.
Flash is blocked on FF 19.
Ah, silly me. I set the minVersion to 18.0, but it should have been 18.0a1.

Good catch, thanks, it's fixed now.
Verified okay:
 * Flash is not blocked in Firefox 17b5
 * Flash is CTP blocked in Firefox 18.0a2 2012-11-13
 * Flash is CTP blocked in Firefox 19.0a1 2012-11-13
Keywords: qawanted
Due to some unforeseen changes to my travel arrangements, I'm not sure I'll be available to make these changes closer to Friday, so I decided to play it safe and make them earlier.

I've pushed all changes to the Flash CTP blocks to prod now.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Verified okay:
 * Flash is not blocked in Firefox 17b6
 * Flash is CTP blocked in Firefox 18.0a2 2012-11-14
 * Flash is CTP blocked in Firefox 19.0a1 2012-11-14
https://addons.mozilla.org/firefox/blocked/ still indicates Firefox 17 instead of Firefox 18 so it's not fully fixed.
(In reply to Scoobidiver from comment #7)
> https://addons.mozilla.org/firefox/blocked/ still indicates Firefox 17
> instead of Firefox 18 so it's not fully fixed.

Comment #6 indicates that the blocklist is fully fixed, what you point out is that a website change going along with it (but it's a separate item of work) hasn't been done. Thanks for bringing this up, but website correctness is surely less critical than the blocklist doing what it should do. :)
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> website correctness is surely less critical than the blocklist doing what it 
> should do. :)
I agree and I haven't reopened it but usually there's only one bug for creating/updating the blocklist and updating the website. See bug 803152 for instance.
It can't be marked as verified because of that.
One other issue would be that the blocklist works fine only on new profiles.
This means that:
1. Start FF 17 with a new profile -> Flash not blocked
2. Start FF 18 with the same profile -> Flash not blocked
And vice-versa:
1. Start FF 18 with a new profile -> Flash blocked
2. Start FF 17 with the same profile -> Flash blocked
Even after forcing an update ping?
This is what I was worried about, but thought we had verification around... so the two cases that need testing:

* A FF16.0.2 user who received the previous blocklist should never see Flash CTP blocklisted when they upgrade to FF17.0
* A FF17.0 user who has Java/Reader/Silverlight blocked, with that blocklist subsequently pulled, should no longer have that plugin blocked
Keywords: qawanted
(In reply to David Keeler from comment #11)
> Even after forcing an update ping?

Just checking the upgrade paths it seems Paul is correct...

1. Install Firefox 16.0.2 and start with a new profile
2. Install Flash 11.2.202.233
3. Ping the blocklist
> p178 added to blocklist.xml, youtube.com shows Flash content
4. Quit Firefox
5. Install Firefox 17b6 and start with the same profile
> p178 still in blocklist.xml, youtube.com shows Flash content
6. Ping the blocklist
> p178 removed from blocklist.xml, youtube.com shows Flash content
7. Quit Firefox
8. Install Firefox 18.0a2 and start with the same profile
> p178 in blocklist.xml
> Flash content is NOT blocked
9. Ping the blocklist and restart Firefox
> Flash content is still not blocked
10. Start Aurora with a new profile
> Flash content blocked
(In reply to Alex Keybl [:akeybl] from comment #12)
> FF16.0.2 user who received the previous blocklist should never see Flash
> CTP blocklisted when they upgrade to FF17.0

Steps 1-6 in comment 13 would seem to indicate this is the case.

> FF17.0 user who has Java/Reader/Silverlight blocked, with that blocklist
> subsequently pulled, should no longer have that plugin blocked

I can't think of a good way to test this without staging a block for a currently not blocked plugin, testing that it's blocked, pulling the staged block, then testing that it's not blocked.
Let me know if this sounds right:

1. I enabled click-to-play in Fx17b5 through the config preferences.
2. I manually updated the blocklist.xml file to include the latest Silverlight in the range of blocked versions.
3. I restarted Firefox and went to a site that used Silverlight, http://bubblemark.com/silverlight2.html. I got an area that informs me the plugin is vulnerable and should be updated and/or click here to activate the plugin.
4. I used Timer Fire (add-on) to trigger a blocklist update, which overwrote my edits.
5. I reloaded the page and now I get a simple "click here to activate plugin."

This sounds like the behavior desired and described in comment #12.
(In reply to juan becerra [:juanb] from comment #15)
> Let me know if this sounds right:
> 
> 1. I enabled click-to-play in Fx17b5 through the config preferences.

plugins.click_to_play should be false when testing this. Setting it to true makes every plugin click-to-play all of the time.

> 4. I used Timer Fire (add-on) to trigger a blocklist update, which overwrote
> my edits.

You can also evaluate Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null); in the error console.
(In reply to David Keeler from comment #16)

When plugins.click_to_play is false I can play Silverlight content without any blocklist message. About:addons does say there's an important update for my Silverlight version. Updating the blocklist makes that notification in about:addons go away. I didn't fiddle with the severity, which may trigger some CTP UI we might be expecting.
Ok - I've got a handle on the problem. Basically, if nsBlocklistService doesn't see when a plugin goes from not blocked to blocked or the reverse, it won't set (or unset) the plugin flag that nsObjectLoadingContent uses to decide when something should be click-to-play. (In particular, if firefox is updated, a new plugin block may suddenly apply, but nsBlocklistService would never see this transition.) Luckily, I've already been working on bug 811375 that will fix this. I'll need to write a non-idl-changing version to uplift, but I can take care of that tomorrow morning.
Depends on: 811375
(In reply to Alex Keybl [:akeybl] from comment #12)
> This is what I was worried about, but thought we had verification around...
> so the two cases that need testing:
> 
> * A FF16.0.2 user who received the previous blocklist should never see Flash
> CTP blocklisted when they upgrade to FF17.0
> * A FF17.0 user who has Java/Reader/Silverlight blocked, with that blocklist
> subsequently pulled, should no longer have that plugin blocked

I've tested these two scenarios, and they work for me.
The steps I took:
1. Open FF16.0.2
2. Ping the blocklist against a version that includes the old blocks
3. (plugins not blocked - they don't apply to 16)
4. Update the blocklist, ping again (plugins still not blocked)
5. Upgrade to FF17.0
6. Plugins not blocked

1. Open FF17.0
2. Ping the old blocklist
3. (plugins blocked)
4. Update the blocklist, ping again
5. Plugins not blocked
Thanks Juan and David for helping out.

David, is there any further action needed from QA before you fix bug 811375? If so, Paul from Softvision can handle any overnight testing. I can take over in the morning.
QA Contact: anthony.s.hughes → paul.silaghi
I think we're all good here and don't need further QA action. Thanks all for jumping on this!
tracking-firefox17: + → ---
Okay, thanks Alex. Marking this verified and removing qawanted.

Should we track bug 811375 for Firefox 17?
Status: RESOLVED → VERIFIED
Keywords: qawanted
And should we track updating the in-tree blocklist to pick this up before the go-to-build?
(In reply to David Keeler from comment #19)
> (In reply to Alex Keybl [:akeybl] from comment #12)
> > This is what I was worried about, but thought we had verification around...
> > so the two cases that need testing:
> > 
> > * A FF16.0.2 user who received the previous blocklist should never see Flash
> > CTP blocklisted when they upgrade to FF17.0
> > * A FF17.0 user who has Java/Reader/Silverlight blocked, with that blocklist
> > subsequently pulled, should no longer have that plugin blocked
> 
> I've tested these two scenarios, and they work for me.
> The steps I took:
> 1. Open FF16.0.2
> 2. Ping the blocklist against a version that includes the old blocks
> 3. (plugins not blocked - they don't apply to 16)
> 4. Update the blocklist, ping again (plugins still not blocked)
> 5. Upgrade to FF17.0
> 6. Plugins not blocked
> 
> 1. Open FF17.0
> 2. Ping the old blocklist
> 3. (plugins blocked)
> 4. Update the blocklist, ping again
> 5. Plugins not blocked

What about FF 17 -> FF 18 ?
I'm still seeing comment 10, comment 13 issues.
Only Flash is updated. Java blocks through CTP are still in Firefox 17.
Summary: Please update CTP block for Firefox 17 release → Please update Flash CTP block for Firefox 17 release
Depends on: 812445
(In reply to Phil Ringnalda (:philor) from comment #23)
> And should we track updating the in-tree blocklist to pick this up before
> the go-to-build?

RelEng is kicking this off on the m-r and m-e17 repos in preparation for our go-to-build.
(In reply to Paul Silaghi [QA] from comment #24)
> What about FF 17 -> FF 18 ?
> I'm still seeing comment 10, comment 13 issues.

There's definitely a bug involved with switching channels, but users won't hit it just by upgrading from 16 to 17. Luckily, if they do hit it (by e.g. trying out nightly or something), it's easy to fix: delete pluginreg.dat.
So, we're good for now, but I'll see if I can get some movement on bug 811375 to fix this.
While double verifying this, I noticed that https://addons.mozilla.org/en-US/firefox/blocked/ shows Java Plugin 7 appears to remain blocked. If that's the case, can we please pull that block back before Tuesday's release? We'd like to push out CTP for the latest Java versions along with Flash in the future.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Summary: Please update Flash CTP block for Firefox 17 release → Please update Flash & Java CTP block for Firefox 17 release
Please hold on pulling back 7u7, while we discuss leaving it up. 7u8's CTP block can still be pulled back to being blocked on FF18 and up.
I didn't pull back *any* of the Java blocks, because I thought this was only about Flash. Please let me know which blocks need to be modified.
(In reply to Jorge Villalobos [:jorgev] from comment #30)
> I didn't pull back *any* of the Java blocks, because I thought this was only
> about Flash. Please let me know which blocks need to be modified.

The landscape here has changed due to bug 812927 (see email). I'll file a followup bug as soon as things become clearer. Looks like we may end up puling all version-specific CTP blocks back for FF17 launch (or at the very least Java).
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Summary: Please update Flash & Java CTP block for Firefox 17 release → Please update Flash CTP block for Firefox 17 release
The Java CTP block has also been postponed to 18.0a1.
Summary: Please update Flash CTP block for Firefox 17 release → Please update Flash & Java CTP block for Firefox 17 release
https://bugzilla.mozilla.org/show_bug.cgi?id=812936#c0
<<The intent of bug 810984 was to ensure that *no* versions of Flash were going to be CTP blocked.>>
(In reply to Scoobidiver from comment #32)
> The Java CTP block has also been postponed to 18.0a1.

That's not clear yet, we might still activate it while 17 is on release, we just pulled it back to 18 while we push 17 out and will re-evaluate when we see how 17 performs on release on other accounts.
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.