Opened 6 years ago

Closed 6 years ago

#8312 closed defect (fixed)

Remove "This Plugin is Disabled" click-through

Reported by: proper Owned by: mikeperry
Priority: Very High Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords: MikePerry201303, tbb-usability, tbb-rebase-regression
Cc: proper Actual Points: 2
Parent ID: Points:
Reviewer: Sponsor:

Description

I try a newbie user perspective...

I just want to see that video. Let's go to that video site.
Ok. Hmm. I see...

"The plugin is disabled.*
Manage plugins..."

Click!
Flash... Enable...
Doesn't work. Let's try another page. It says...

"Click here to activate unknown plugin."

Click!

And boom. The user shoot it's own feet.

The option "Tor Button -> Preferences -> Security Settings -> Disable Browser Plugins (such as Flash)" is checked.

I think this is a regression. If that Tor Button setting is set, plugins shouldn't get activated, unless that option gets unchecked.

Version: Tor Browser Bundle (2.3.25-4)

Child Tickets

Change History (13)

comment:1 Changed 6 years ago by mikeperry

Component: TorBrowserButtonFirefox Patch Issues
Keywords: tbb-usability added
Summary: Tor Button does not disable FlashRemove "This Plugin is Disabled" click-through

Bleh. I think this will require a Firefox patch. I think the right answer is to simply remove this UI from Firefox. While I'm at that, I should see if I can make Youtube decide to try HTML5 directly (which it did for me after I clicked on that dialog and then didn't enable the plugin).

comment:2 in reply to:  1 Changed 6 years ago by proper

Replying to mikeperry:

I think the right answer is to simply remove this UI from Firefox.
Remove "This Plugin is Disabled" click-through

User's could still wonder why flash doesn't work. Google that up a bit. Then go to Tools -> Add-Ons -> activate Flash and shoot their own feet. I mean, for a Tor newbie it's non-obvious, that flash can leak IP.

I think the right answer is to block flash, if the option "Tor Button -> Preferences -> Security Settings -> Disable Browser Plugins (such as Flash)" is checked. When users remove that one, they at obviously know about the risk.

comment:3 Changed 6 years ago by mikeperry

Let's not muddle up this bug. I think it is critical to get rid of this horrid UI that also prevents HTML5 videos from working on YouTube. I think it is less-than-critical to make sure the user really knows what they're doing if they dig through the plugin permissions on their own without being sent there by some evil UI element. Let's discuss that in #8313.

comment:4 Changed 6 years ago by mikeperry

Keywords: tbb-rebase-regression added

comment:5 Changed 6 years ago by mikeperry

Ok, I pushed a patch to simply remove the "Click here to manage plugins" link + text.

Youtube apparently has JS to switch to HTML5 after a few seconds if the plugin doesn't load, so I was torn between removing the dialog entirely (which may have weird failure modes on non-Youtube) and the sub-par UX on YouTube with the box...

What do you think about that?

comment:6 Changed 6 years ago by mikeperry

Status: newneeds_review

comment:7 Changed 6 years ago by proper

What do you think about that?

I think I answered in #8313. Just tell me, in case I've overlooked a question which remains open here.

With #8313, this one becomes a duplicate? Wrong component, since you found a way to do it with Tor Button?

comment:8 Changed 6 years ago by mikeperry

This ticket is about the "This plugin is disabled" box, and what to do about it. Our choices here are "Remove the 'Click to manage plugins' link", or "Remove the barrier entirely".

#8313 is a separate, unrelated code change for Torbutton to display a popup whenever the user enables plugins.

comment:9 in reply to:  8 ; Changed 6 years ago by proper

Replying to mikeperry:

This ticket is about the "This plugin is disabled" box, and what to do about it.

#8313 is a separate, unrelated code change for Torbutton to display a popup whenever the user enables plugins.

Ok. Got it. Thanks. :)

Our choices here are "Remove the 'Click to manage plugins' link", or "Remove the barrier entirely".

"Manage plugins" in TBB case isn't so useful anyway. There is only 1 plugin.

What are the privacy/security/usability consequences of "Remove the barrier entirely"?

Let's suppose the user got on youtube.com and flash is still disabled by Tor Button (by default). What would happen once the user clicks on the first video?

  • case a: html5 / flash video
  • case b: flash-only video

comment:10 in reply to:  9 ; Changed 6 years ago by mikeperry

Replying to proper:

Replying to mikeperry:

Our choices here are "Remove the 'Click to manage plugins' link", or "Remove the barrier entirely".

What are the privacy/security/usability consequences of "Remove the barrier entirely"?

Let's suppose the user got on youtube.com and flash is still disabled by Tor Button (by default). What would happen once the user clicks on the first video?

I just tested this as a Firefox patch.

  • case a: html5 / flash video

The video displays as a black box while the youtube JS loads, probes for flash, detects it's missing, and then loads the HTML5 player, which NoScript then blocks. This can take several seconds.

  • case b: flash-only video

Youtube tells you that the video requires Adobe flash, and gives you a download link.

It's my opinion that this behavior is better overall. I also created #8386 to remove the NoScript HTML5 video barrier. I tested disabling the NoScript barrier, and I think it's a substantial enough improvement that we should just go ahead and remove it by default.

comment:11 in reply to:  10 ; Changed 6 years ago by proper

Replying to mikeperry:

Replying to proper:

Replying to mikeperry:

Our choices here are "Remove the 'Click to manage plugins' link", or "Remove the barrier entirely".

What are the privacy/security/usability consequences of "Remove the barrier entirely"?

Let's suppose the user got on youtube.com and flash is still disabled by Tor Button (by default). What would happen once the user clicks on the first video?

I just tested this as a Firefox patch.

  • case a: html5 / flash video

The video displays as a black box while the youtube JS loads, probes for flash, detects it's missing, and then loads the HTML5 player, which NoScript then blocks. This can take several seconds.

Sounds to be if and when #8386 gets implemented, the user experience will be equally good as with Mozilla Firefox? (Just that Tor is slow.) - If so, sounds good.

  • case b: flash-only video

Youtube tells you that the video requires Adobe flash, and gives you a download link.

Ok, better. The same happens with Firefox, if Flash is not installed.

Instead of the Flash download link, could you also make some more meaning full message? Such as...

"Adobe Flash content has been blocked, because Flash can harm your privacy and anonymity.

You could still enable it (Tools -> Add Ons -> Plugins -> Flash -> Enable.), which is recommend against.

The Tor Project is working on improving this.

In meanwhile you can try Flash alternatives to watch this video."

(The "Flash alternatives page" goes into various free flash download websites, flash video download helper and such things.)

Before they enable it, they again get to see a warning, which is good. (#8313)

It's my opinion that this behavior is better overall. I also created #8386 to remove the NoScript HTML5 video barrier. I tested disabling the NoScript barrier, and I think it's a substantial enough improvement that we should just go ahead and remove it by default.

Yes.

comment:12 in reply to:  11 Changed 6 years ago by mikeperry

Replying to proper:

Replying to mikeperry:

  • case b: flash-only video

Youtube tells you that the video requires Adobe flash, and gives you a download link.

Ok, better. The same happens with Firefox, if Flash is not installed.

Instead of the Flash download link, could you also make some more meaning full message? Such as...

"Adobe Flash content has been blocked, because Flash can harm your privacy and anonymity.

You could still enable it (Tools -> Add Ons -> Plugins -> Flash -> Enable.), which is recommend against.

Unfortunately there's no good way to do this that wouldn't get us back to the situation where the dual-mode flash+HTML5 videos wouldn't also display this dialog. I suppose could write a custom content rewriter or DOM manipulator tailored specifically for the YouTube JS, but that is likely to break early and often whenever YouTube changes scripts/behaviors.

comment:13 Changed 6 years ago by mikeperry

Actual Points: 2
Keywords: MikePerry201303 added
Resolution: fixed
Status: needs_reviewclosed

This patch is in TBB-2.3.25-5.

Note: See TracTickets for help on using tickets.