Jared Wein [:jaws] (please needinfo? me) Reporter
	Description • 11 years ago

We currently only enable plugins when the top-level document has been trusted. This means that if a user "always allows" YouTube to play plugins, then embedded YouTube videos will not play until the embedding site gets the "always allow" permission.

We should change this to mean that we only check the source of the plugin to see if that source has the "always allowed" permission. This would mean that if a user chooses to "always allow" plugins on YouTube.com, then when a site like Reddit embeds a YouTube Flash video, the video plugin will be loaded without being blocked.

	Benjamin Smedberg
	Comment 1 • 11 years ago

Note: I think this really means "if the plugin is loaded from a subframe which has a per-site permission". Because youtube in particular the SWF URL is on a CDN (not youtube.com) and so checking the SWF URL isn't going to be useful in general. Most youtube embedding is iframe-type embedding nowadays anyway.

But note that this is not an especially urgent issue because it's unlikely to affect Java or minority plugins at all.

	Georg Fritzsche [:gfritzsche]
	Comment 2 • 11 years ago

With the redesign of bug 880735 et al we now test for the plugin permission via the top-document, making subframe plugins work fine when allowed for the site the user actually navigated to.