PluginUpdating: Difference between revisions

 
(18 intermediate revisions by 3 users not shown)
Line 3: Line 3:


= Proposal =
= Proposal =
Add scripts on common landing pages to check for vulnerable plug-ins and assist the user in updating them.
Create a service anybody can use on any site to increase plugin awareness for their users.
 
== Components ==
== Components ==
* Script and alert on landing pages
Tracker bug: {{bug|465898}}
* Page that checks all the common plug-ins and assists in the update
 
* Create database to store plugin information {{bug|465888}}
* Plugins service to serve plugin metadata via XML or JSON {{bug|465891}}
* Create javascript library for embedding {{bug|465891}}
 
mozilla.com areas of influence:
* Firstrun page
* What's new page
* Upyourplug page


= Landing pages =
= Landing pages =
Line 16: Line 25:
'''Message:''' ''We detected that some of your media plug-ins are vulnerable, click here for more info.''
'''Message:''' ''We detected that some of your media plug-ins are vulnerable, click here for more info.''


This is non-evasive, as we do not want to have the user have trouble getting started with Firefox.
This is non-invasive, as we do not want to have the user have trouble getting started with Firefox.


This will lead the user to the [[#UpYourPlug page|plug-in check page]].
This will lead the user to the [[#UpYourPlug page|plug-in check page]].


'''comment''' [morgamic] -- please eliminate the "click here".  A "more info" that is a hyperlink should be sufficient.  "click here" is bad wording for a hyperlink because it's non-descriptive.
'''comment''' [morgamic] -- please eliminate the "click here".  A "more info" that is a hyperlink should be sufficient.  "click here" is bad wording for a hyperlink because it's non-descriptive.  When I was messing with it, "Update your plug-ins." seemed even better -- but just pick something besides "click here".  :)
 
'''comment''' [[User:Clouserw|clouserw]] -- "vulnerable" is a pretty strong word.  Are we actually detecting that they are using versions that are vulnerable, or just that they are using outdated versions?
 
'''comment ''' [[User:Polvi|polvi]] -- The goal is to detect vulnerable plug-ins, not outdated ones (although, they often go hand in hand). Regarding "click here", I agree, but we are trying to structure the language such that it avoids demanding something of the user.


== Updated ==
== Updated ==
Line 47: Line 60:


== Implementation ==
== Implementation ==
Some of the plug-ins, such as Flash, provide an API for checking for security updates. Therefore, the check could easily be implemented in the language of the plug-in if it provides such API. Otherwise, it will need to be done in JavaScript.
The actual checks need to be implemented in javascript. The following use cases should be handled accordingly:
 
* '''Plugin installed and up to date''': An green "OK" box displayed linked to vendor
* '''Plugin installed and out of date''': A red "need update" box displayed linked to vendor
* '''Plugin not installed''': A gray "not installed" box displayed.


Some pseudo code:
=== Java on the Mac ===
if plug-in flash is installed
Since only the java embedding plugin gives version information to javascript, we cannot check for this case without a java applet. In this case, display a gray "check with vendor" box that links to Sun's java plugin page.
  display flash based flash security update check
if plug-in java is installed
  run javascript based java security update check
...


Or..
=== Non-Firefox Browsers ===


Pure javascript implementation, seemingly ready to roll, [https://bugzilla.mozilla.org/attachment.cgi?id=215422 here].
If a non Firefox browser hits this page, we need to display a notice with the rest of the copy on the page: "This page is only supported when using Firefox". Then all the checks should be a gray "check with vendor" box that link accordingly.


== Determining the latest secure version ==
== Determining the latest secure version ==
Line 79: Line 92:
# Launch page and add detection to first run page - August 31th
# Launch page and add detection to first run page - August 31th
# Add detection to updated page - September 7th
# Add detection to updated page - September 7th
= QA Matrix =
All platforms for Firefox  < 2.0.0.7
{| class="fullwidth-table"
! Flash version
! Quicktime
! Java
!
! firstrun notice
! Flash
! Quicktime
! Java
|-
| >= 9.0r47 (win,mac)
| >= 7.2.0
| >= 1.5.0_07
|
| no
| green
| green
| green
|-
| >= 9.0r48 (lin)
| >= 7.2.0
| >= 1.5.0_07
|
| no
| green
| green
| green
|-
| < 9.0r47 (win,mac)
| >= 7.2.0
| >= 1.5.0_07
|
| yes
| red
| green
| green
|-
| < 9.0r48 (lin)
| >= 7.2.0
| >= 1.5.0_07
|
| yes
| red
| green
| green
|-
| >= 9.0r47
| < 7.2.0
| < 1.5.0_07 (all)
|
| yes
| green
| red
| green
|-
| >= 9.0r47
| >= 7.2.0
| < 1.5.0_07 (all)
|
| yes
| green
| green
| red
|}


= References =
= References =
Line 86: Line 166:
* [http://www.adobe.com/shockwave/welcome/ Adobe's flash checker]
* [http://www.adobe.com/shockwave/welcome/ Adobe's flash checker]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=391433 scripting work bug]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=391433 scripting work bug]
= Postmortem =
* be more specific about <strike>copy</strike> wording and mock-up layout
* note when the alerts should display
* s/sans/without/
* think of edge cases ahead of time if possible
* talk about projects like this at start of quarters to get a better response
3,035

edits