On Mon, Sep 23, 2013 at 1:46 PM, Benjamin Smedberg <benja...@smedbergs.us> wrote:
> The costs of Pepper are huge: it is not a well-specified API; we'd be
> reverse-engineering large bits of chromium code in order to support it, and
> it's clear that we want to focus effort on the web not Pepper.

I asked some Chromium guys how much of the Pepper API the Flash Pepper plugin used. Their answer was literally "150%." They explained that Flash player uses APIs that are not even in the Pepper "spec."

> Given that Pepper presents little benefit to users,

Pepper presents a huge benefit to users because it allows the browser to sandbox the plugin. Once we have a sandbox in Firefox, NPAPI plugins will be the security weak spot in Firefox. Granted, Flash has its own sandbox. However, I have very little confidence in Flash's sandbox given my understanding of how Adobe is (barely) maintaining Flash and given that we are the only major user of that version of Flash.

> I don't think it makes any sense to focus on it relative to other things
> such as graphics performance, web API improvements, and asm.js which can
> serve the same general niche as plugins, but will improve the open web at
> the same time.

We need a story and a timeline for securing plugins. Click-to-play was a great start, but it is not enough. If our story for securing plugins is to drop support for them then we should develop the plan with a timeline for that.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)