NPAPI-based features in LO

Michael Stahl mstahl at redhat.com
Thu Jun 5 03:57:04 PDT 2014


On 05/06/14 11:55, Caolán McNamara wrote:
> On Thu, 2014-06-05 at 09:29 +0200, Stephan Bergmann wrote:
>> What is our rough consensus on these features?
> 
> I wonders what happens under wayland with these NPAPI things and
> firefox ? Are they still going to work.

the NPAPI exposes an X Display connection... so if this is going to work
in Wayland then Mozilla needs to extend the NPAPI interface for it and:

for (1), browsers need to actually ship an NPAPI implementation with
Wayland support.

given postings such as this from a senior Mozilla developer maybe that
will not happen:
http://robert.ocallahan.org/2011/11/end-of-plugins.html

Chromium has already removed support for NPAPI:
http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html


for (2) browser *plug-ins* (i.e. Flash, surely nobody embeds anything
other than that?) need to actually ship with Wayland support; iirc NPAPI
Flash on Linux is already currently not supported any more and you have
to use Google Chrome to get a (non-NPAPI based) Flash on Linux.
so even if (1) is solved, (2) is not going to happen.

ah this says NPAPI Flash on Linux is only getting security updates until
2017:
http://blogs.adobe.com/flashplayer/2012/02/adobe-and-google-partnering-for-flash-player-on-linux.html

> re, the features themselves I still see people using the LibreOffice
> plugin for Firefox, not no much the (rather odd) arbitrary mozilla
> plugins inside LibreOffice

regarding (1) the feature appears somewhat questionable to me from a
security point of view; since we don't automatically update LO
installations in the way that browser vendors do, so users are likely to
have an outdated LO exposed via the browser; do browsers nowadays
sand-box plug-ins appropriately?  can the LO plug-in even be sand-boxed?

at least nowadays the user actually has to click something before the
plug-in gets loaded:
https://blog.mozilla.org/security/2013/01/29/putting-users-in-control-of-plugins/

(fortunately (1) is not enabled by default by LO installation and
requires explicit user action to turn on)

regarding (2) the problem is that users could have created documents
that contain embedded plug-ins, and if the feature is removed then those
documents are effectively broken.




More information about the LibreOffice mailing list